Detections
Analytics

RHEL 6 : CloudForms Commons 1.1 (RHSA-2012:1542)

high Nessus Plugin ID 193969

Language:

Synopsis

The remote Red Hat host is missing one or more security updates for CloudForms Commons 1.1.

Description

The remote Redhat Enterprise Linux 6 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2012:1542 advisory.

 - puppet: Filebucket arbitrary file read (CVE-2012-1986)

 - puppet: Filebucket denial of service (CVE-2012-1987)

 - puppet: Filebucket arbitrary code execution (CVE-2012-1988)

 - rubygem-mail: directory traversal (CVE-2012-2139)

 - rubygem-mail: arbitrary command execution when using exim or sendmail from commandline (CVE-2012-2140)

 - rubygem-actionpack: Unsafe query generation (CVE-2012-2660)

 - rubygem-activerecord: SQL injection when processing nested query paramaters (CVE-2012-2661)

 - rubygem-actionpack: Unsafe query generation (a different flaw than CVE-2012-2660) (CVE-2012-2694)

 - rubygem-activerecord: SQL injection when processing nested query paramaters (a different flaw than CVE-2012-2661) (CVE-2012-2695)

 - rubygem-actionpack: DoS vulnerability in authenticate_or_request_with_http_digest (CVE-2012-3424)

 - rubygem-actionpack: potential XSS vulnerability in select_tag prompt (CVE-2012-3463)

 - rubygem-actionpack: potential XSS vulnerability (CVE-2012-3464)

 - rubygem-actionpack: XSS Vulnerability in strip_tags (CVE-2012-3465)

 - puppet: authenticated clients allowed to read arbitrary files from the puppet master (CVE-2012-3864)

 - puppet: authenticated clients allowed to delete arbitrary files on the puppet master (CVE-2012-3865)

 - puppet: insufficient validation of agent names in CN of SSL certificate requests (CVE-2012-3867)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Solution

Update the RHEL CloudForms Commons 1.1 package based on the guidance in RHSA-2012:1542.

See Also

https://access.redhat.com/security/updates/classification/#moderate

https://bugzilla.redhat.com/show_bug.cgi?id=810069

https://bugzilla.redhat.com/show_bug.cgi?id=810070

https://bugzilla.redhat.com/show_bug.cgi?id=810071

https://bugzilla.redhat.com/show_bug.cgi?id=816352

https://bugzilla.redhat.com/show_bug.cgi?id=827353

https://bugzilla.redhat.com/show_bug.cgi?id=827363

https://bugzilla.redhat.com/show_bug.cgi?id=831573

https://bugzilla.redhat.com/show_bug.cgi?id=831581

https://bugzilla.redhat.com/show_bug.cgi?id=839130

https://bugzilla.redhat.com/show_bug.cgi?id=839131

https://bugzilla.redhat.com/show_bug.cgi?id=839158

https://bugzilla.redhat.com/show_bug.cgi?id=843711

https://bugzilla.redhat.com/show_bug.cgi?id=847196

https://bugzilla.redhat.com/show_bug.cgi?id=847199

https://bugzilla.redhat.com/show_bug.cgi?id=847200

http://www.nessus.org/u?a71de871

https://access.redhat.com/errata/RHSA-2012:1542

Plugin Details

Severity: High

ID: 193969

File Name: redhat-RHSA-2012-1542.nasl

Version: 1.0

Type: local

Agent: unix

Published: 4/27/2024

Updated: 4/27/2024

Supported Sensors: Frictionless Assessment AWS, Frictionless Assessment Azure, Frictionless Assessment Agent, Nessus Agent, Agentless Assessment, Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 6.7

CVSS v2

Risk Factor: High

Base Score: 7.5

Temporal Score: 5.9

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

CVSS Score Source: CVE-2012-2695

CVSS v3

Risk Factor: High

Base Score: 7.3

Temporal Score: 6.6

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

Vulnerability Information

CPE: cpe:/o:redhat:enterprise_linux:6, p-cpe:/a:redhat:enterprise_linux:converge-ui-devel, p-cpe:/a:redhat:enterprise_linux:puppet, p-cpe:/a:redhat:enterprise_linux:puppet-server, p-cpe:/a:redhat:enterprise_linux:rubygem-actionpack, p-cpe:/a:redhat:enterprise_linux:rubygem-activerecord, p-cpe:/a:redhat:enterprise_linux:rubygem-activesupport, p-cpe:/a:redhat:enterprise_linux:rubygem-chunky_png, p-cpe:/a:redhat:enterprise_linux:rubygem-compass, p-cpe:/a:redhat:enterprise_linux:rubygem-compass-960-plugin, p-cpe:/a:redhat:enterprise_linux:rubygem-compass-960-plugin-doc, p-cpe:/a:redhat:enterprise_linux:rubygem-delayed_job, p-cpe:/a:redhat:enterprise_linux:rubygem-delayed_job-doc, p-cpe:/a:redhat:enterprise_linux:rubygem-ldap_fluff, p-cpe:/a:redhat:enterprise_linux:rubygem-mail, p-cpe:/a:redhat:enterprise_linux:rubygem-mail-doc, p-cpe:/a:redhat:enterprise_linux:rubygem-net-ldap

Required KB Items: Host/local_checks_enabled, Host/RedHat/release, Host/RedHat/rpm-list, Host/cpu

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 12/4/2012

Vulnerability Publication Date: 4/11/2012

Reference Information

CVE: CVE-2012-1986, CVE-2012-1987, CVE-2012-1988, CVE-2012-2139, CVE-2012-2140, CVE-2012-2660, CVE-2012-2661, CVE-2012-2694, CVE-2012-2695, CVE-2012-3424, CVE-2012-3463, CVE-2012-3464, CVE-2012-3465, CVE-2012-3864, CVE-2012-3865, CVE-2012-3867

CWE: 305, 78, 79, 89

RHSA: 2012:1542