RHEL 6 / 7 : Satellite Server (RHSA-2015:2622)

This script is Copyright (C) 2015-2017 Tenable Network Security, Inc.


Synopsis :

The remote Red Hat host is missing one or more security updates.

Description :

Updated Satellite 6.1 packages that fix one security issue, add one
enhancement, and fix several bugs are available for Satellite 6.1.5.

Red Hat Product Security has rated this update as having Moderate
Security impact. Common Vulnerability Scoring System (CVSS) base
scores, which give detailed severity ratings, are available for each
vulnerability from the CVE links in the References section.

Red Hat Satellite is a system management solution that allows
organizations to configure and maintain their systems without the
necessity to provide public Internet access to their servers or other
client systems. It performs provisioning and configuration management
of predefined standard operating environments.

The following security issue is addressed with this release :

Satellite failed to properly enforce permissions on the show and
destroy actions for reports. This could lead to an authenticated user
with show and/or destroy report permissions being able to view and/or
delete any reports held in Foreman. (CVE-2015-5233)

In addition, this update adds the following enhancement :

* Satellite 6 has been enhanced with the PXE-Less Discovery feature.
This feature supports the use of a single ISO to provision machines
against specific host groups. The users can provide the network
information so that the host does not need to be created on Satellite
in advance and DHCP does not need to be used. (BZ#1258061)

This update also fixes the following bugs :

* The installer was not processing the '\' character correctly,
leading to failed installations using proxies. This character is now
handled correctly, improving the installation experience. (BZ#1180637)

* Help text provided by the installer had a typo which has now been
fixed. (BZ#1209139)

* The hammer container list command did not provide the container ID.
This data is now provided. (BZ#1230915)

* Repository Sync Tasks in the UI were reported as successful if there
was an unhandled exception in the code. These exceptions are now
handled correctly, and the correct status is reported. (BZ#1246054)

* The installer would remove the dhcpd.conf even if the installer was
told not to. This would remove users' configurations. The installer
has been updated to not manage this file unless requested.
(BZ#1247397)

* The history diff page for templates was opening two pages when only
one was required. The duplicate page is no longer opened. (BZ#1254909)

* During provisioning, the default root password was not used when a
hostgroup had a blank string for the root password. Since the UI can
not set an empty value, the code was updated to cause either no or an
empty root password to use the default. (BZ#1255021)

* Multi selection was not working for discovered hosts. This feature
is now working. (BZ#1258521)

* When there is a mac address conflict, discovered hosts to not change
their state to 'Built.' The code has been updated to handle this case.
(BZ#1258578)

* Deleting a lifecycle environment would fail with a 'dependent hosts'
error. This was due to an incorrect mapping between environments and
hosts. This mapping has been fixed, and the environments can be
deleted. (BZ#1269441)

* There were performance issues in package installations. The speed of
this action has been improved (BZ#1276443, BZ#1269509, BZ#1277269)

* Synchronization tasks seemed to be randomly stuck to do timeouts.
The locking in the qpid code has been improved to keep these tasks
from getting stuck (BZ#1279502)

* This change enables users of CloudForms 4.0 to proxy Red Hat
Insights requests through Satellite. The Satellite can now act as a
proxy for both CloudForms 4.0 and Satellite-only use cases.
(BZ#1276676)

Users of Red Hat Satellite are advised to upgrade to these updated
packages, which contain backported patches to correct these issues and
add this enhancement.

See also :

http://rhn.redhat.com/errata/RHSA-2015-2622.html
https://www.redhat.com/security/data/cve/CVE-2015-5233.html

Solution :

Update the affected packages.

Risk factor :

Medium / CVSS Base Score : 6.0
(CVSS2#AV:N/AC:M/Au:S/C:P/I:P/A:P)
CVSS Temporal Score : 5.1
(CVSS2#E:U/RL:U/RC:C)
Public Exploit Available : false

Family: Red Hat Local Security Checks

Nessus Plugin ID: 87452 ()

Bugtraq ID:

CVE ID: CVE-2015-5233

Ready to Amp Up Your Nessus Experience?

Get Nessus Professional to scan unlimited IPs, run compliance checks & more

Buy Nessus Professional Now