Red Hat Customer Portal


  • The Answer is always the same: Layers of Security

    There is a common misperception that now that containers support seccomp we no longer need SELinux to help protect our systems. WRONG. The big weakness in containers is the container possesses the ability to interact with the host kernel and the host file systems. Securing the container processes is all about shrinking the attack surface on the host OS and more specifically on the host kernel. seccomp does a great job of shrinking the attack surface on the kernel. The idea is to limit the...
    Posted 2016-05-25T13:30:00+00:00 - 0
  • CVE-2016-3710: QEMU: out-of-bounds memory access issue

    Quick Emulator (aka QEMU) is an open source systems emulator. It emulates various processors and their accompanying hardware peripherals like disc, serial ports, NIC et al. A serious vulnerability of out-of-bounds r/w access through the Video Graphics Array (VGA) emulator was discovered and reported by Mr Wei Xiao and Qinghao Tang of Marvel Team at 360.cn Inc. This vulnerability is formally known as Dark Portal. In this post we'll see how Dark Portal works and its mitigation. VGA is a hardware...
    Posted 2016-05-11T13:30:00+00:00 - 1
  • Satellite 6.2 Beta Now Available

    Red Hat is pleased to announce the Satellite 6.2 beta. Available to all current Satellite customers, the beta includes several highly demanded features. Satellite 6.2 Beta - New Features and Functionality Increase Efficiency with Automated Workflows Satellite 6.2 introduces remote execution, automating workflows and enabling users to take multiple actions against groups of systems. Now Satellite 6.2 can automatically...
    Posted 2016-04-26T14:23:02+00:00 - 32
  • Red Hat Product Security Risk Report: 2015

    This report takes a look at the state of security risk for Red Hat products for calendar year 2015. We look at key metrics, specific vulnerabilities, and the most common ways users of Red Hat products were affected by security issues. Our methodology is to look at how many vulnerabilities we addressed and their severity, then look at which issues were of meaningful risk, and which were exploited. All of the data used to create this report is available from public data maintained by Red Hat...
    Posted 2016-04-20T13:30:00+00:00 - 3
  • Badlock response planning and remediation with Red Hat Insights

    Many customers utilize the SMB (Server Message Block) protocol in their production environments. SMB has become a reliable file and print sharing resource protocol for RHEL deployments in many infrastructures through the Samba project, allowing greater usage of shared and cross platform resources. There is a new man-in-the-middle vulnerability, named “badlock,” that targets any implementation of Microsoft’s Local Security Authentication and Security Account Manager remote protocols. This...
    Posted 2016-04-12T14:30:23+00:00 - 0
  • Using r10k with Red Hat Satellite 6

    Table of contents Background Legal Disclaimer Version Information Installing r10k Configuring r10k Setting up the repository Deploying the modules Importing into Satellite 6 Assigning the environment Pros and cons of working with r10k Background From time to time, we get questions from customers already using Puppet, on whether it is possible to incorporate an existing Puppet workflow based on r10k into Satellite 6. These customers are often well accustomed to the r10k workflow and do not...
    Posted 2016-04-01T07:45:33+00:00 - 0
  • Security risks with higher level languages in middleware products

    Java-based high-level application-specific languages provide significant flexibility when using middleware products such as BRMS. This flexibility comes at a price as there are significant security concerns in their use. In this article the usage of Drools language and MVEL in JBoss BRMS is looked at to demonstrate some of these concerns. Other middleware products might be exposed to similar risks. Java is an extremely feature-rich portable language that is used to build a great range of...
    Posted 2016-03-23T13:30:00+00:00 - 0
  • Satellite 6.1.8 is Released

    Satellite 6.1.8 has been released. This update fixes the following bugs: Previously, the katello-backup tool did not handle the '--help' argument correctly. With this update, katello-backup provides the appropriate help information when passed the argument. (BZ#1250185) Removing a Puppet module from the Library after it had been added to a content view caused the Puppet Modules tab to become unresponsive. The display code has been updated, and the Puppet Modules tab now displays the deleted...
    Posted 2016-03-22T22:24:29+00:00 - 2
  • Automate RPM build with Mock and Satellite-6

    In any modern development environment automation is crucial. For Red Hat-flavoured OSes, application management is typically based on RPM packages. Bringing automation into an RPM development environment sooner or later leads to Mock (https://fedorahosted.org/mock/). With Satellite-6, Mock finally has a capable life cycle management counterpart. In large projects with several teams working on interdependent components, Satellite Content Views (CVs) are powerful means to provide a solid baseline...
    Posted 2016-03-07T10:07:21+00:00 - 0
  • Subscription-manager for the former Red Hat Network User: Part 3 - Understanding virt-who

    Overview In Subscription-manager for the Former Red Hat Network User, part 1 & part 2, we covered an introduction to the client-side tooling. This article aims to cover virt-who, a critical component of the server-side Subscription Management tooling. What is virt-who? With the introduction of the 2010 subscription model, Red Hat introduced subscriptions, where the customer could buy a single subscription (for a hypervisor) which allowed 1, 4 or unlimited virtual guests to run on that...
    Posted 2016-03-05T19:31:22+00:00 - 0
  • Planning your response to the OpenSSL DROWN vulnerability

    When a major security risk like the new OpenSSL DROWN vulnerability strikes, you have to plan your response. Generally, you should start outside (Internet-facing) and work your way inside, and prioritize those servers which expose vulnerable network services over those that simply have an older package installed. For more information on the DROWN security vulnerability (CVE-2016-0800) please refer to this Vulnerability Article. Identifying risk To help you respond to DROWN, Red Hat Insights...
    Posted 2016-03-01T16:03:02+00:00 - 0
  • Go home SSLv2, you’re DROWNing

    The SSLv2 protocol had its 21st birthday last month, but it’s no cause to celebrate with an alcoholic beverage, since the protocol was already deprecated when it turned 18. Announced today is an attack called DROWN that takes advantage of systems still using SSLv2. Many cryptographic libraries already disable SSLv2 by default, and updates from the OpenSSL project and Red Hat today catch up. What is DROWN? CVE-2016-0800, also known as DROWN, stands for Decrypting RSA using Obsolete and Weakened...
    Posted 2016-03-01T13:00:00+00:00 - 0
  • Addressing CVE-2015-7547, CVE-2015-5229, and any other scary errata via Red Hat Satellite 6.1

    Overview On 16 Feb, 2016, Red Hat released RHSA-2016-0176, the errata that addresses a number of critical security flaws in glibc. Given the severity and scope of this security vulnerability, it is critical that we quickly and reliably deploy the updated errata that addresses these security flaws. There are a few considerations that need to be taken into account: Identifying which systems are affected...
    Posted 2016-02-18T19:29:41+00:00 - 4
  • Subscription-manager for the former Red Hat Network User: Part 2 - Subscription-manager learns grep

    Overview As a user of subscription-manager, I find myself frequently frustrated when running a subscription-manager list --all --available to find a specific subscription. As I am using an account that has a large number of subscriptions this is painful. And since each subscription has a varying amount of output associated with it, using grep (even with the -A switch) is painful. Ultimately, I end up piping the output via my PAGER (less|more|most) until I find the pool ID that I want. That is...
    Posted 2016-02-11T12:09:58+00:00 - 0
  • Subscription-manager for the former Red Hat Network User: Part 1

    One of the first major differences between Satellite 5 & Satellite 6 is the client side tooling. Satellite 5 leveraged the various RHN tools (rhn_register, rhnreg_ks, etc). Satellite 6 uses subscription-manager. Over the next few articles, we'll deep-dive into the various subscription management tools (such as subscription-manager, rct, virt-who, and others), with the goal of providing a better understanding of how these tools work. Firstly, some background is in order. There is a major...
    Posted 2016-02-06T22:31:46+00:00 - 0
  • Primes, parameters and moduli

    First, a brief history of Diffie-Hellman for those not familiar with it. The short version of Diffie-Hellman is that two parties (Alice and Bob) want to share a secret so they can encrypt their communications and talk securely without an eavesdropper (Eve) listening in. So Alice and Bob first share a public prime number and modulus (which Eve can see). Alice and Bob then each choose a large random number (referred to as their private key) and apply some modular arithmetic using the shared prime...
    Posted 2016-01-20T12:00:00+00:00 - 0
  • The SLOTH attack and IKE/IPsec

    Executive Summary: The IKE daemons in RHEL7 (libreswan) and RHEL6 (openswan) are not vulnerable to the SLOTH attack. But the attack is still interesting to look at. The SLOTH attack released today is a new transcript collision attack against some security protocols that use weak or broken hashes such as MD5 or SHA1. While it mostly focuses on the issues found in TLS, it also mentions weaknesses in the "Internet Key Exchange" (IKE) protocol used for IPsec VPNs. While the TLS findings are very...
    Posted 2016-01-15T12:00:00+00:00 - 0
  • DevOps On The Desktop: Containers Are Software As A Service

    It seems that everyone has a metaphor to explain what containers "are". If you want to emphasize the self-contained nature of containers and the way in which they can package a whole operating system's worth of dependencies, you might say that they are like virtual machines. If you want to emphasize the portability of containers and their role as a distribution mechanism, you might say that they are like a platform. If you want to emphasize the dangerous state of container security nowadays,...
    Posted 2015-12-23T12:00:00+00:00 - 0
  • The New Red Hat Product Security Center

    The Customer Portal team here at Red Hat talks A LOT about content. We talk about creating it, serving it, indexing it and maintaining it. The list goes on. One aspect of content we’ve been focusing on a lot lately, and one I talked about in a previous post, is presentation. Even the best, most detailed and accurate content can still fail customers if it’s not presented well. As a result of this insight, we’ve turned our collective eyes toward security content and its presentation in the...
    Posted 2015-12-17T20:21:57+00:00 - 0
  • New feature in Satellite 6.1.5: PXE-less discovery

    Provisioning in PXE-less or DHCP-less environments is a common scenario in the enterprise, and Satellite 6 offered the Bootdisk plugin to solve this problem partially. The Satellite 6.1.5 feature erratum introduces PXE-less discovery, which is a great alternative with much broader hardware support. Starting today, it is possible to boot provisioned hosts from the Discovery image directly as a CDROM/DVDROM ISO that can also be transferred to a hard drive or USB stick. Since the Discovery image is based...
    Posted 2015-12-15T13:10:09+00:00 - 8
  • Supported hardware for Satellite 6 Bootdisk plugin

    The Bootdisk plugin enables Satellite users to download Host-based or Generic host images. These are small ISO images pre-loaded with SYSLINUX, which chainloads iPXE. The iPXE firmware is able to load kernels via HTTP, but since there is no PXE (UNDI) involved, an iPXE driver for the network hardware must exist for this to work. Unfortunately, not all network cards will work with iPXE, in which case the host-based images cannot be used. The Host image embeds network credentials (IP, gateway, netmask, DNS), therefore DHCP...
    Posted 2015-12-15T12:45:03+00:00 - 0
  • Risk report update: April to October 2015

    In April 2015 we took a look at a year's worth of branded vulnerabilities, separating out those that mattered from those that didn’t. Six months have passed, so let’s take this opportunity to update the report with the new vulnerabilities that mattered across all Red Hat products. ABRT (April 2015) CVE-2015-3315: ABRT (Automatic Bug Reporting Tool) is a tool to help users to detect defects in applications and to create a bug report. ABRT was vulnerable to multiple race condition and...
    Posted 2015-11-04T18:45:05+00:00 - 0
  • Red Hat CVE Database Revamp

    Since 2009, Red Hat has provided details of vulnerabilities with CVE names as part of our mission to provide as much information around vulnerabilities that affect Red Hat products as possible. These CVE pages distill information from a variety of sources to provide an overview of each flaw, including information like a description of the flaw, CVSSv2 scores, impact, public dates, and any corresponding errata that corrected the flaw in Red Hat products. Over time this has grown to include more...
    Posted 2015-10-22T15:49:33+00:00 - 0
  • Red Hat Satellite and Puppet Enterprise integration is now available

    We are pleased to announce that Red Hat Satellite version 6.1.1, released August 2015, now features integration with Puppet Enterprise. It’s available today on the Puppet Forge. For customers with both Red Hat Satellite version 6.1.1 and Puppet Enterprise, this module will enable the availability of facts and Puppet agent run reports in both Puppet Enterprise and in Red Hat Satellite, preserving the health dashboards, inventory, and search capabilities of both products. More information and...
    Posted 2015-10-09T12:14:42+00:00 - 0
  • Recent Enhancements to the Customer Portal

    Here in the Red Hat Customer Portal we're always striving for the best possible customer experience. We constantly examine feedback, identify pain points, and test to make sure we're delivering on the subscription value that sets Red Hat apart from its competitors. We make enhancements continuously, but in this post I wanted to round up a few recent changes that hopefully improve your experience as a user of the Red Hat Customer Portal. Knowledgebase content redesign - If you’re a regular...
    Posted 2015-09-23T14:56:36+00:00 - 0