RHEL 6 : spacewalk-java (RHSA-2016:1484)

This script is Copyright (C) 2016-2017 Tenable Network Security, Inc.


Synopsis :

The remote Red Hat host is missing one or more security updates.

Description :

An update for spacewalk-java is now available for Red Hat Satellite
5.7.

Red Hat Product Security has rated this update as having a security
impact of Moderate. A Common Vulnerability Scoring System (CVSS) base
score, which gives a detailed severity rating, is available for each
vulnerability from the CVE link(s) in the References section.

Red Hat Satellite is a system management tool for Linux-based
infrastructures. It allows for provisioning, monitoring, and the
remote management of multiple Linux deployments with a single,
centralized tool.

Security Fix(es) :

* A stored cross-site scripting (XSS) flaw was found in the way
spacewalk-java displayed monitoring probes. An attacker can embed HTML
and JavaScript in the values for RHNMD User or Filesystem parameters
in Satellite, allowing them to inject malicious content into the web
page that is then displayed with that probe data. (CVE-2016-3080)

* A stored cross-site scripting (XSS) flaw was found in the way
spacewalk-java displayed group names. An attacker can embed HTML and
JavaScript in the values for group names in Satellite, allowing them
to inject malicious content into the web page that is then displayed
when viewing the snapshot data. (CVE-2016-3097)

These issues were discovered by Jan Hutar (Red Hat).
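Both flaws above share one root cause: a stored, user-controlled value (a group name, or an RHNMD User or Filesystem probe parameter) is written into the page without output encoding. The snippet below is an added example, not code from spacewalk-java or from the advisory; the class, its method names and the sample group name are constructed for illustration, and it contrasts the unescaped rendering pattern with the escaped one.

```java
// Added example (not spacewalk-java code): a stored value such as a group
// name or probe parameter must be HTML-escaped before it is rendered.
public final class StoredValueRendering {
    // Constructed sample value in the style the advisory describes: a
    // user-controlled string that carries markup and script.
    static final String GROUP_NAME = "prod-web<script>alert(1)</script>";

    // Vulnerable pattern: the stored value is concatenated straight into the
    // markup, so any tags it carries become part of the page.
    static String renderUnescaped(String groupName) {
        return "<td>" + groupName + "</td>";
    }

    // Hardened pattern: the value is escaped so the browser shows it as text.
    static String renderEscaped(String groupName) {
        return "<td>" + escapeHtml(groupName) + "</td>";
    }

    // Minimal escaper for the characters that can break out of HTML text or
    // attribute context. A real page would use a library escaper or a JSP
    // tag that escapes by default.
    static String escapeHtml(String s) {
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '&':  sb.append("&amp;");  break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    public static void main(String[] args) {
        System.out.println("unescaped: " + renderUnescaped(GROUP_NAME));
        System.out.println("escaped:   " + renderEscaped(GROUP_NAME));
        // Review check: no raw tag may survive in the rendered output.
        if (renderEscaped(GROUP_NAME).contains("<script")) {
            throw new AssertionError("markup leaked into rendered output");
        }
    }
}
```

After applying the update, the same escaping check is a useful regression test for any other view that renders operator-supplied names or parameters.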

See also :

https://www.redhat.com/security/data/cve/CVE-2016-3080.html
https://www.redhat.com/security/data/cve/CVE-2016-3097.html
http://rhn.redhat.com/errata/RHSA-2016-1484.html

Solution :

Update the affected packages.

Risk factor :

Medium / CVSS Base Score : 4.3
(CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N)
CVSS Temporal Score : 4.1
(CVSS2#E:F/RL:U/RC:ND)
Public Exploit Available : true

Family: Red Hat Local Security Checks

Nessus Plugin ID: 92578

Bugtraq ID:

CVE ID: CVE-2016-3080, CVE-2016-3097
