RHEL 6 : rhevm-dwh 3.3.3 (RHSA-2014:0559)

This script is Copyright (C) 2014-2017 Tenable Network Security, Inc.


Synopsis :

The remote Red Hat host is missing a security update.

Description :

An updated rhevm-dwh package that fixes one security issue and two
bugs is now available.

The Red Hat Security Response Team has rated this update as having Low
security impact. A Common Vulnerability Scoring System (CVSS) base
score, which gives a detailed severity rating, is available from the
CVE link in the References section.

The Red Hat Enterprise Virtualization Manager data warehouse package
provides the Extract-Transform-Load (ETL) process and database scripts
to create a historic database API. It also provides SQL BI reports
creation for management and monitoring.

It was found that the ovirt-engine-dwh setup script logged the history
database password in plain text to a world-readable file. An attacker
with a local user account on the Red Hat Enterprise Virtualization
Manager server could use this flaw to access, read, and modify the
reports database. (CVE-2014-0202)

Note: Applying the update provided by this advisory does not modify
any existing log files. It is recommended that you search your
existing log files and remove any occurrences of plain text passwords
manually.

This issue was discovered by Red Hat.

This update also fixes the following bugs :

* Previously, the read-only user and custom users for the data
warehouse database would lose access to views in the database when the
database was upgraded. This was caused by the views being regenerated
when the database was upgraded and the permissions for those views not
being applied to the newly generated views. Now, user permissions are
retained when the database is upgraded. (BZ#1078129)

* Previously, the ovirt-engine-dwh-setup command would fail under
certain conditions if the pg_hba.conf file had been manually edited
prior to running that command. This was caused by the setup process
checking the exact number of spaces in between values on the line
corresponding to 'local'. Now, the logic for checking the values in
that line has been revised so that the setup process can correctly
read all values regardless of the number of spaces. (BZ#1084760)

All rhevm-dwh users are advised to upgrade to this updated package,
which corrects these issues.

See also :

https://www.redhat.com/security/data/cve/CVE-2014-0202.html
http://rhn.redhat.com/errata/RHSA-2014-0559.html

Solution :

Update the affected rhevm-dwh package.

Risk factor :

Low / CVSS Base Score : 2.1
(CVSS2#AV:L/AC:L/Au:N/C:P/I:N/A:N)
CVSS Temporal Score : 1.8
(CVSS2#E:ND/RL:OF/RC:C)
Public Exploit Available : true

Family: Red Hat Local Security Checks

Nessus Plugin ID: 79023 ()

Bugtraq ID: 67690

CVE ID: CVE-2014-0202

Ready to Amp Up Your Nessus Experience?

Get Nessus Professional to scan unlimited IPs, run compliance checks & more

Buy Nessus Professional Now