RHEL 6 : rhevm-log-collector (RHSA-2014:1947)

This script is Copyright (C) 2014-2017 Tenable Network Security, Inc.


Synopsis :

The remote Red Hat host is missing a security update.

Description :

An updated rhevm-log-collector package that fixes one security issue
is now available for Red Hat Enterprise Virtualization 3.

Red Hat Product Security has rated this update as having Low security
impact. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available from the CVE link in
the References section.

The rhevm-log-collector utility allows users to easily collect log
files from all systems in their Red Hat Enterprise Virtualization
environment.

It was found that rhevm-log-collector called sosreport with the
PostgreSQL database password passed as a command line parameter. A
local attacker could read this password by monitoring a process
listing. The password would also be written to a log file, which could
potentially be read by a local attacker. (CVE-2014-3561)

This issue was discovered by David Jorm of Red Hat Product Security.

All rhevm-log-collector users are advised to upgrade to this updated
package, which contains a backported patch to correct this issue.
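
The exposure described above, as an added example that is not rhevm-log-collector code and not the backported patch: a helper is started once with a password in its argument list and once with the password sent over its stdin pipe, and the parent checks what the process listing and a log of the launched command would contain. The helper script, `SECRET`, `cmdline_of` and `run_helper` are hypothetical names, the password is a constructed value, and a Linux `/proc` filesystem is assumed.

```python
import subprocess
import sys

SECRET = "constructed-db-password"  # constructed sample value, not a real credential

# Hypothetical stand-in for the tool a collector launches: it takes the
# password from argv if present, otherwise from the first line of stdin,
# then blocks on one more line so the parent can inspect it while it runs.
CHILD = (
    "import sys\n"
    "pw = sys.argv[1] if len(sys.argv) > 1 else sys.stdin.readline().strip()\n"
    "sys.stdin.readline()\n"
    "sys.exit(0 if pw else 1)\n"
)


def cmdline_of(pid):
    """Return a process's argv as /proc exposes it (world-readable by default)."""
    with open(f"/proc/{pid}/cmdline", "rb") as fh:
        return fh.read().rstrip(b"\0").decode().split("\0")


def run_helper(secret, via_argv):
    """Start the helper; return (logged_command, visible_argv, exit_code)."""
    argv = [sys.executable, "-c", CHILD]
    if via_argv:
        argv.append(secret)  # weak pattern: the secret becomes part of argv
    # What a debug log that records the launched command would contain.
    logged = " ".join(argv[:2] + ["<script>"] + argv[3:])
    proc = subprocess.Popen(argv, stdin=subprocess.PIPE, text=True)
    try:
        if not via_argv:
            proc.stdin.write(secret + "\n")  # secret travels over a private pipe
            proc.stdin.flush()
        visible = cmdline_of(proc.pid)  # the same data a process listing shows
    finally:
        proc.communicate("\n")  # release the helper and reap it
    return logged, visible, proc.returncode


if __name__ == "__main__":
    for via_argv in (True, False):
        logged, visible, rc = run_helper(SECRET, via_argv)
        print(f"via_argv={via_argv} exit={rc}")
        print("  in process listing:", SECRET in visible)
        print("  in logged command: ", SECRET in logged)
```

The same check works as a regression test for any wrapper that launches external tools: start the tool with a known dummy secret and assert it never appears in `/proc/<pid>/cmdline` or in the wrapper's log output.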

See also :

https://www.redhat.com/security/data/cve/CVE-2014-3561.html
http://rhn.redhat.com/errata/RHSA-2014-1947.html

Solution :

Update the affected rhevm-log-collector package.

Risk factor :

Low / CVSS Base Score : 2.1
(CVSS2#AV:L/AC:L/Au:N/C:P/I:N/A:N)

Family: Red Hat Local Security Checks

Nessus Plugin ID: 79736

Bugtraq ID:

CVE ID: CVE-2014-3561
