Important: Satellite 6.4 security, bug fix, and enhancement update

Related Vulnerabilities: CVE-2015-3208   CVE-2015-6644   CVE-2016-1000338   CVE-2016-1000339   CVE-2016-1000340   CVE-2016-1000341   CVE-2016-1000342   CVE-2016-1000343   CVE-2016-1000344   CVE-2016-1000345   CVE-2016-1000346   CVE-2016-1000352   CVE-2017-5929   CVE-2017-7233   CVE-2017-7525   CVE-2017-7536   CVE-2017-10689   CVE-2017-10690   CVE-2017-12175   CVE-2017-15095   CVE-2017-15100   CVE-2018-1090   CVE-2018-1096   CVE-2018-1097   CVE-2018-5382   CVE-2018-7536   CVE-2018-7537   CVE-2018-10237

Synopsis

Important: Satellite 6.4 security, bug fix, and enhancement update

Type/Severity

Security Advisory: Important

Topic

An update is now available for Red Hat Satellite 6.4 for RHEL 7.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

Red Hat Satellite is a systems management tool for Linux-based infrastructure.
It allows for provisioning, remote management, and monitoring of multiple Linux deployments with a single centralized tool.

Security Fix(es):

  • jackson-databind: Unsafe deserialization due to incomplete black list (incomplete fix for CVE-2017-7525) (CVE-2017-15095)
  • hornetq: XXE/SSRF in XPath selector (CVE-2015-3208)
  • bouncycastle: Information disclosure in GCMBlockCipher (CVE-2015-6644)
  • bouncycastle: DSA does not fully validate ASN.1 encoding during signature verification allowing for injection of unsigned data (CVE-2016-1000338)
  • bouncycastle: Information leak in AESFastEngine class (CVE-2016-1000339)
  • bouncycastle: Information exposure in DSA signature generation via timing attack (CVE-2016-1000341)
  • bouncycastle: ECDSA improper validation of ASN.1 encoding of signature (CVE-2016-1000342)
  • bouncycastle: DHIES implementation allowed the use of ECB mode (CVE-2016-1000344)
  • bouncycastle: DHIES/ECIES CBC modes are vulnerable to padding oracle attack (CVE-2016-1000345)
  • bouncycastle: Other party DH public keys are not fully validated (CVE-2016-1000346)
  • bouncycastle: ECIES implementation allowed the use of ECB mode (CVE-2016-1000352)
  • logback: Serialization vulnerability in SocketServer and ServerSocketReceiver (CVE-2017-5929)
  • python-django: Open redirect and possible XSS attack via user-supplied numeric redirect URLs (CVE-2017-7233)
  • hibernate-validator: Privilege escalation when running under the security manager (CVE-2017-7536)
  • puppet: Environment leakage in puppet-agent (CVE-2017-10690)
  • Satellite 6: XSS in discovery rule filter autocomplete functionality (CVE-2017-12175)
  • foreman: Stored XSS in fact name or value (CVE-2017-15100)
  • pulp: sensitive credentials revealed through the API (CVE-2018-1090)
  • foreman: SQL injection due to improper handling of the widget id parameter (CVE-2018-1096)
  • foreman: Ovirt admin password exposed by foreman API (CVE-2018-1097)
  • django: Catastrophic backtracking in regular expressions via 'urlize' and 'urlizetrunc' (CVE-2018-7536)
  • django: Catastrophic backtracking in regular expressions via 'truncatechars_html' and 'truncatewords_html' (CVE-2018-7537)
  • guava: Unbounded memory allocation in AtomicDoubleArray and CompoundOrdering classes allow remote attackers to cause a denial of service (CVE-2018-10237)
  • bouncycastle: Carry propagation bug in math.raw.Nat??? class (CVE-2016-1000340)
  • bouncycastle: DSA key pair generator generates a weak private key by default (CVE-2016-1000343)
  • puppet: Unpacking of tarballs in tar/mini.rb can create files with insecure permissions (CVE-2017-10689)
  • bouncycastle: BKS-V1 keystore files vulnerable to trivial hash collisions (CVE-2018-5382)

For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.

Red Hat would like to thank Liao Xinxi (NSFOCUS) for reporting CVE-2017-15095; and the Django project for reporting CVE-2017-7233, CVE-2018-7536, and CVE-2018-7537. The CVE-2017-7536 issue was discovered by Gunnar Morling (Red Hat); and the CVE-2018-1096 issue was discovered by Martin Povolny (Red Hat). Red Hat would also like to thank David Jorm (IIX Product Security) for reporting CVE-2015-3208.

Additional Changes:

This update also fixes several bugs and adds various enhancements. Documentation for these changes is available from the Release Notes document linked to in the References section.

Solution

For detailed instructions on how to apply this update, refer to:

https://access.redhat.com/documentation/en-us/red_hat_satellite/6.4/html/upgrading_and_updating_red_hat_satellite/

Affected Products

  • Red Hat Satellite 6.4 x86_64
  • Red Hat Satellite Capsule 6.4 x86_64

Fixes

  • BZ - 1052713 - [RFE] Need additional supported database deployment options for Satellite 6 installation: such as External Postgres (and Managed Postgres?)
  • BZ - 1060745 - [RFE] Protection from Brute Force Password Attacks
  • BZ - 1155817 - [RFE] Improve auditing and externalize audit logs
  • BZ - 1177766 - [RFE] Republish composite content views on republished component content view
  • BZ - 1197650 - [RFE] Default User role that can also save bookmarks
  • BZ - 1225252 - CVE-2015-3208 hornetq: XXE/SSRF in XPath selector
  • BZ - 1260733 - [RFE] Include a "Description/Comment" field to identify networks in large environments
  • BZ - 1265533 - [RFE] katello-certs-check to distinguish between Satellite and Capsule
  • BZ - 1291730 - [RFE] Separate Smart variables and Smart parameters in Host/HostGroup -> Parameters tab.
  • BZ - 1295741 - [RFE] Update mongodb to 3.X
  • BZ - 1312098 - [RFE] Satellite 6 should ship with larger default configurations to support large client installs
  • BZ - 1328707 - [RFE] make it possible to run katello-remove unattended
  • BZ - 1349150 - [RFE] Comment field for host groups
  • BZ - 1356517 - [RFE] Rebase fog-aws gem to add Govcloud region
  • BZ - 1357256 - [RFE] Allow special characters in user name on Satellite 6.x
  • BZ - 1372468 - [RFE] Please add a link from the Infrastructure->Subnets page for each subnet to a report which shows all hosts using this subnet
  • BZ - 1372731 - [RFE] Hammer should provide commands for showing host's ENC YAML
  • BZ - 1379291 - [RFE] Inform user that all Puppet Class sub entities affect saving the whole puppet class
  • BZ - 1382069 - [RFE] Smart Class Parameter boxes use Fixed Width Font
  • BZ - 1386283 - [RFE] Job invocations should have a priority
  • BZ - 1386908 - [RFE] Add ansible-related installer migrations to katello-installer
  • BZ - 1389820 - [RFE] Find feature for provisioning template editing
  • BZ - 1400058 - [RFE] Image search falls back to Docker hub if no external registry is selected
  • BZ - 1409485 - [RFE]: Add option to overwrite previous backup (old behavior)
  • BZ - 1410264 - [RFE] - Update Satellite to map SLES "Operating System" from subscription-manager
  • BZ - 1410746 - [RFE] List of fields to use in a search
  • BZ - 1412596 - [RFE] Green confirmation boxes should float rather than affect page content/length
  • BZ - 1416106 - [RFE] API to rerun a Remote Execution job against the failed hosts.
  • BZ - 1417015 - [RFE] From hammer cli, creating external user-group does not have any option --auth-source-name as an input parameter.
  • BZ - 1417130 - [RFE] Filter Task List on Action
  • BZ - 1419060 - [RFE] Auto selection of datastore while provisioning the host in VMware.
  • BZ - 1425609 - [RFE] As a user, I want to provide synced images with multiple "/" in them.
  • BZ - 1426739 - [RFE] Remote Execution: Move to any page
  • BZ - 1428541 - [RFE] Need a file-system integrity report for /var/lib/pulp
  • BZ - 1430022 - [RFE] Show Ansible as a Service in Capsule Overview page
  • BZ - 1430742 - [RFE] Missing search filter based on usergroups in Hosts
  • BZ - 1432858 - CVE-2017-5929 logback: Serialization vulnerability in SocketServer and ServerSocketReceiver
  • BZ - 1435973 - [RFE] - Show actual date and not time since report in Config Report
  • BZ - 1437234 - CVE-2017-7233 python-django: Open redirect and possible XSS attack via user-supplied numeric redirect URLs
  • BZ - 1439353 - [RFE] When viewing a capsule sync task, the task should show what capsule has been synced
  • BZ - 1443505 - [RFE] Pages do not refresh after idle session timeout
  • BZ - 1443804 - [RFE] Provide description for Hammer command to disable/enable notifications for a host.
  • BZ - 1444015 - CVE-2015-6644 bouncycastle: Information disclosure in GCMBlockCipher
  • BZ - 1449011 - [RFE] Ansible integration with Red Hat Satellite
  • BZ - 1452772 - [RFE] Passenger graceful killer cron job
  • BZ - 1455006 - [RFE] Improve layout and functionality of Satellite Repositories UI
  • BZ - 1455132 - [RFE]: Filter roles by assigned permissions in UI
  • BZ - 1458383 - [RFE] Administer -> About page should have a bullet link to the local Satellite API docs
  • BZ - 1458573 - [RFE] Add the ability to skip publish and promote when importing content views
  • BZ - 1458754 - [RFE] It is not possible to add sockets to RHEV host via Satellite
  • BZ - 1464219 - [RFE] Export list of content host with operating system from satellite 6 server into a csv file
  • BZ - 1464512 - [RFE] Click on Compliance Report widget should open associated compliance report
  • BZ - 1465573 - CVE-2017-7536 hibernate-validator: Privilege escalation when running under the security manager
  • BZ - 1468354 - [RFE] dynflow console button on task page should open new window
  • BZ - 1468359 - [RFE] task status widget should only show interesting statuses and also show timestamps
  • BZ - 1470014 - [RFE] Add ability to list global parameters for each host in hammer
  • BZ - 1470761 - [RFE] Make max-connections from qpidd.conf customisable via custom-hiera.yaml
  • BZ - 1474348 - [rfe] add host count to location API call
  • BZ - 1475121 - [RFE] Support for Private Repos at Docker Hub
  • BZ - 1478849 - [RFE] API Hosts GET returning also owner_name
  • BZ - 1482540 - [RFE] Allow manifest creation and adjustments within the Satellite webui
  • BZ - 1483033 - [RFE] Fail when backing up to a directory postgres cannot write to
  • BZ - 1485805 - [RFE] hammer cli should allow to assign an audit policy to a single server
  • BZ - 1486297 - [RFE] Allow custom configuration for HSTS settings
  • BZ - 1486782 - [RFE] Provide a dashboard widget to display an RSS feed within the UI
  • BZ - 1487710 - [RFE] Package and provide the zypper plugin for subscription-manager.
  • BZ - 1488291 - [RFE] Content views should be searchable on the basis on 'label'
  • BZ - 1489377 - [RFE] Provide warning for unsupported PXE loader combinations
  • BZ - 1498588 - [RFE] settings page should show when non-default settings are selected
  • BZ - 1498976 - CVE-2017-12175 Satellite 6: XSS in discovery rule filter autocomplete functionality
  • BZ - 1500593 - [RFE] Capsule page in Satellite GUI should display version of satellite-capsule and not foreman-proxy
  • BZ - 1506612 - CVE-2017-15095 jackson-databind: Unsafe deserialization due to incomplete black list (incomplete fix for CVE-2017-7525)
  • BZ - 1508551 - CVE-2017-15100 foreman: Stored XSS in fact name or value
  • BZ - 1515888 - [RFE] Extend Remote Execution SSH provider with the ability to provide password to escalate privileges instead of passwordless sudo
  • BZ - 1516623 - [RFE] The job invocations page should show the total number of hosts on which the job has to run
  • BZ - 1527896 - [RFE] Notifications box should automatically close if we click on another part of the page.
  • BZ - 1536487 - [RFE] Expose an Ansible provider for Remote Execution
  • BZ - 1538448 - [RFE] Need to back up SSH keys for remote execution by katello-backup|restore
  • BZ - 1538479 - [RFE] Add cp_label into API output
  • BZ - 1539076 - [RFE] as a user of the bootstrap script, I'd like to specify a location even if I am using the --skip foreman option.
  • BZ - 1542850 - CVE-2017-10689 puppet: Unpacking of tarballs in tar/mini.rb can create files with insecure permissions
  • BZ - 1545314 - [RFE] Add remote execution async_ssh option to installer
  • BZ - 1549777 - CVE-2018-7536 django: Catastrophic backtracking in regular expressions via 'urlize' and 'urlizetrunc'
  • BZ - 1549779 - CVE-2018-7537 django: Catastrophic backtracking in regular expressions via 'truncatechars_html' and 'truncatewords_html'
  • BZ - 1552632 - [RFE] Creating a new user with LDAP, password field should be disabled or grayed out.
  • BZ - 1553869 - [RFE] allow registrations to occur without blocking on task completion
  • BZ - 1553994 - [RFE] Notification for subscriptions expiring soon
  • BZ - 1555310 - [RFE] Add support for setup with remote MongoDB
  • BZ - 1557067 - [RFE] Have a Mechanism to Proactively Detect and Clean "orphaned" Dynflow Tasks
  • BZ - 1560035 - CVE-2018-1090 pulp: sensitive credentials revealed through the API
  • BZ - 1561061 - CVE-2018-1096 foreman: SQL injection due to improper handling of the widget id parameter
  • BZ - 1561723 - CVE-2018-1097 foreman: Ovirt admin password exposed by foreman API
  • BZ - 1563749 - CVE-2018-5382 bouncycastle: BKS-V1 keystore files vulnerable to trivial hash collisions
  • BZ - 1564577 - [RFE] Find unsuccessful login attempts to the Satellite application.
  • BZ - 1566764 - CVE-2017-10690 puppet: Environment leakage in puppet-agent
  • BZ - 1570808 - [RFE] Set content source in how proxy based on one used for registration
  • BZ - 1572290 - [RFE] include passenger-memory-stats & passenger-status in foreman-debug
  • BZ - 1572297 - [RFE] Satellite should be able to deploy image payloads (see anaconda's liveimg directive)
  • BZ - 1572305 - [RFE] add fact name filtering during fact import
  • BZ - 1573391 - CVE-2018-10237 guava: Unbounded memory allocation in AtomicDoubleArray and CompoundOrdering classes allows remote attackers to cause a denial of service
  • BZ - 1579384 - [RFE] add check for key usage Key Encipherment to katello-certs-check
  • BZ - 1588313 - CVE-2016-1000338 bouncycastle: DSA does not fully validate ASN.1 encoding during signature verification allowing for injection of unsigned data
  • BZ - 1588314 - CVE-2016-1000344 bouncycastle: DHIES implementation allowed the use of ECB mode
  • BZ - 1588323 - CVE-2016-1000345 bouncycastle: DHIES/ECIES CBC modes are vulnerable to padding oracle attack
  • BZ - 1588327 - CVE-2016-1000346 bouncycastle: Other party DH public keys are not fully validated
  • BZ - 1588330 - CVE-2016-1000352 bouncycastle: ECIES implementation allowed the use of ECB mode
  • BZ - 1588688 - CVE-2016-1000340 bouncycastle: Carry propagation bug in math.raw.Nat??? class
  • BZ - 1588695 - CVE-2016-1000339 bouncycastle: Information leak in AESFastEngine class
  • BZ - 1588708 - CVE-2016-1000341 bouncycastle: Information exposure in DSA signature generation via timing attack
  • BZ - 1588715 - CVE-2016-1000342 bouncycastle: ECDSA improper validation of ASN.1 encoding of signature
  • BZ - 1588721 - CVE-2016-1000343 bouncycastle: DSA key pair generator generates a weak private key by default
  • BZ - 1595777 - [RFE] Provide welcome page for job invocations
  • BZ - 1608447 - [RFE] allow setting puppet ca port in bootstrap.py

CVEs

References