RHEL 7 : subscription-manager (RHSA-2016:2592)

This script is Copyright (C) 2016-2017 Tenable Network Security, Inc.


Synopsis :

The remote Red Hat host is missing one or more security updates.

Description :

An update for subscription-manager,
subscription-manager-migration-data, and python-rhsm is now available
for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security
impact of Moderate. A Common Vulnerability Scoring System (CVSS) base
score, which gives a detailed severity rating, is available for each
vulnerability from the CVE link(s) in the References section.

The subscription-manager packages provide programs and libraries to
allow users to manage subscriptions and yum repositories from the Red
Hat entitlement platform.

The subscription-manager-migration-data package provides certificates
for migrating a system from the legacy Red Hat Network Classic (RHN)
to Red Hat Subscription Management (RHSM).

The python-rhsm packages provide a library for communicating with the
representational state transfer (REST) interface of a Red Hat Unified
Entitlement Platform. The Subscription Management tools use this
interface to manage system entitlements, certificates, and access to
content.

The following packages have been upgraded to a newer upstream version:
subscription-manager (1.17.15), python-rhsm (1.17.9),
subscription-manager-migration-data (2.0.31). (BZ#1328553, BZ#1328555,
BZ#1328559)

Security Fix(es) :

* It was found that subscription-manager set weak permissions on files
in /var/lib/rhsm/, causing an information disclosure. A local,
unprivileged user could use this flaw to access sensitive data that
could potentially be used in a social engineering attack.
(CVE-2016-4455)

Red Hat would like to thank Robert Scheck for reporting this issue.

Additional Changes :

For detailed information on changes in this release, see the Red Hat
Enterprise Linux 7.3 Release Notes linked from the References section.

See also :

https://www.redhat.com/security/data/cve/CVE-2016-4455.html
http://www.nessus.org/u?e4086253
http://rhn.redhat.com/errata/RHSA-2016-2592.html

Solution :

Update the affected packages.

Risk factor :

Low / CVSS Base Score : 2.1
(CVSS2#AV:L/AC:L/Au:N/C:P/I:N/A:N)
CVSS Temporal Score : 1.7
(CVSS2#E:F/RL:OF/RC:ND)
Public Exploit Available : true

Family: Red Hat Local Security Checks

Nessus Plugin ID: 94555 ()

Bugtraq ID:

CVE ID: CVE-2016-4455

Ready to Amp Up Your Nessus Experience?

Get Nessus Professional to scan unlimited IPs, run compliance checks & more

Buy Nessus Professional Now