  • Go home SSLv2, you’re DROWNing

    The SSLv2 protocol had its 21st birthday last month, but it’s no cause to celebrate with an alcoholic beverage, since the protocol was already deprecated when it turned 18. Announced today is an attack called DROWN that takes advantage of systems still using SSLv2. Many cryptographic libraries already disable SSLv2 by default, and updates from the OpenSSL project and Red Hat today catch up. What is DROWN? CVE-2016-0800, also known as DROWN, stands for Decrypting RSA using Obsolete and Weakened...
    Posted 2016-03-01T13:00:00+00:00 - 0
  • Addressing CVE-2015-7547, CVE-2015-5229, and any other scary errata via Red Hat Satellite 6.1

    Addressing CVE-2015-7547, CVE-2015-5229, and any other scary errata via Red Hat Satellite 6.1 Overview On 16 Feb, 2016, Red Hat released RHSA-2016-0176, the errata that addresses a number of critical security flaws in glibc. Given the severity and scope of this security vulnerability, it is critical that we quickly and reliably deploy the updated errata that addresses these security flaws. There are a few considerations that need to be taken into account: Identifying which systems are affected...
    Posted 2016-02-18T19:29:41+00:00 - 4
  • The SLOTH attack and IKE/IPsec

    Executive Summary: The IKE daemons in RHEL7 (libreswan) and RHEL6 (openswan) are not vulnerable to the SLOTH attack. But the attack is still interesting to look at. The SLOTH attack released today is a new transcript collision attack against some security protocols that use weak or broken hashes such as MD5 or SHA1. While it mostly focuses on the issues found in TLS, it also mentions weaknesses in the "Internet Key Exchange" (IKE) protocol used for IPsec VPNs. While the TLS findings are very...
    Posted 2016-01-15T12:00:00+00:00 - 0
  • DevOps On The Desktop: Containers Are Software As A Service

    It seems that everyone has a metaphor to explain what containers "are". If you want to emphasize the self-contained nature of containers and the way in which they can package a whole operating system's worth of dependencies, you might say that they are like virtual machines. If you want to emphasize the portability of containers and their role as a distribution mechanism, you might say that they are like a platform. If you want to emphasize the dangerous state of container security nowadays,...
    Posted 2015-12-23T12:00:00+00:00 - 0
  • The New Red Hat Product Security Center

    The Customer Portal team here at Red Hat talks A LOT about content. We talk about creating it, serving it, indexing it and maintaining it. The list goes on. One aspect of content we’ve been focusing on a lot lately, and one I talked about in a previous post, is presentation. Even the best, most detailed and accurate content can still fail customers if it’s not presented well. As a result of this insight, we’ve turned our collective eyes toward security content and its presentation in the...
    Posted 2015-12-17T20:21:57+00:00 - 0
  • Supported hardware for Satellite 6 Bootdisk plugin

    Bootdisk plugin enables Satellite users to download Host based or Generic host images. These are small ISO images pre-loaded with SYSLINUX which chainloads iPXE. The iPXE firmware is able to load kernels via HTTP, but since there is no PXE (UNDI) involved, hardware iPXE driver must exist for this to work. Unfortunately, not all network cards will work with iPXE, therefore the host-based images cannot be used. The Host image embeds network credentials (IP, gateway, netmask, DNS) therefore DHCP...
    Posted 2015-12-15T12:45:03+00:00 - 3
  • Risk report update: April to October 2015

    In April 2015 we took a look at a year's worth of branded vulnerabilities, separating out those that mattered from those that didn’t. Six months have passed so let’s take this opportunity to update the report with the new vulnerabilities that mattered across all Red Hat products. ABRT (April 2015) CVE-2015-3315: ABRT (Automatic Bug Reporting Tool) is a tool to help users to detect defects in applications and to create a bug report. ABRT was vulnerable to multiple race condition and...
    Posted 2015-11-04T18:45:05+00:00 - 0
  • Red Hat CVE Database Revamp

    Since 2009, Red Hat has provided details of vulnerabilities with CVE names as part of our mission to provide as much information around vulnerabilities that affect Red Hat products as possible. These CVE pages distill information from a variety of sources to provide an overview of each flaw, including information like a description of the flaw, CVSSv2 scores, impact, public dates, and any corresponding errata that corrected the flaw in Red Hat products. Over time this has grown to include more...
    Posted 2015-10-22T15:49:33+00:00 - 0
  • Red Hat Satellite and Puppet Enterprise integration is now available

    We are pleased to announce that Red Hat Satellite version 6.1.1, released August 2015, now features integration with Puppet Enterprise. It’s available today on the Puppet Forge. For customers with both Red Hat Satellite version 6.1.1 and Puppet Enterprise, this module will enable the availability of facts and Puppet agent run reports in both Puppet Enterprise and in Red Hat Satellite, preserving the health dashboards, inventory, and search capabilities of both products. More information and...
    Posted 2015-10-09T12:14:42+00:00 - 0
  • Recent Enhancements to the Customer Portal

    Here in the Red Hat Customer Portal we're always striving for the best possible customer experience. We constantly examine feedback, identify pain points, and test to make sure we're delivering on the subscription value that sets Red Hat apart from its competitors. We make enhancements continuously, but in this post I wanted to round up a few recent changes that hopefully improve your experience as a user of the Red Hat Customer Portal. Knowledgebase content redesign - If you’re a regular...
    Posted 2015-09-23T14:56:36+00:00 - 0
  • Important security notice regarding signing key and distribution of Red Hat Ceph Storage on Ubuntu and CentOS

    Last week, Red Hat investigated an intrusion on the sites of both the Ceph community project (ceph.com) and Inktank (download.inktank.com), which were hosted on a computer system outside of Red Hat infrastructure. download.inktank.com provided releases of the Red Hat Ceph product for Ubuntu and CentOS operating systems. Those product versions were signed with an Inktank signing key (id 5438C7019DCEEEAD). ceph.com provided the upstream packages for the Ceph community versions signed with a Ceph...
    Posted 2015-09-17T12:00:00+00:00 - 0
  • Red Hat launches Red Hat Satellite 6.1

    We are proud to announce the availability of Red Hat Satellite 6.1. This new version of Satellite includes several security features, introduces new management capabilities related to containers and many other enhancements. Improved Security Errata Management Enhancements Enhanced errata management refines the organization and applicability of security, bug, and enhancement patches. Improved reporting enables organizations to easily identify which hosts are affected and quickly respond to...
    Posted 2015-08-07T17:08:33+00:00 - 0
  • libuser vulnerabilities

    Updated 2015-07-24 @ 12:33 UTC It was discovered that the libuser library contains two vulnerabilities which, in combination, allow unprivileged local users to gain root privileges. libuser is a library that provides read and write access to files like /etc/passwd, which constitute the system user and group database. On Red Hat Enterprise Linux it is a central system component. What is being disclosed today? Qualys reported two vulnerabilities: CVE-2015-3245: The userhelper program allows...
    Posted 2015-07-23T18:00:56+00:00 - 0
  • Security audit on Satellite 6.1 with OpenSCAP

    Introduction The Foreman-OpenSCAP gem suite enables Satellite 6.1 to receive automated vulnerability assessment and security compliance audits from managed hosts. You can upload SCAP compliance contents, create compliance policies out of them and assign the policies to hosts or hostgroups. The foreman_openscap plugin provides three default SCAP contents, so you can start testing security compliance on RHEL6/7 and on Fedora. OpenSCAP reports (aka ARF reports) will help you find vulnerabilities...
    Posted 2015-06-18T12:58:51+00:00 - 22
  • Satellite 6.1 Public Beta is Now Available

    We are pleased to announce that Satellite version 6.1 is now available for public beta. Satellite 6.1 features numerous enhancements and fixes that improve stability, reliability and scalability. New features include errata management enhancements, automated provisioning of bare metal servers, content ISOs for disconnected environments and the introduction of both OpenSCAP and container management. All current Satellite customers are eligible to participate in the beta. If you would like to...
    Posted 2015-06-17T14:59:31+00:00 - 0
  • The hidden costs of embargoes

    It's 2015 and it's pretty clear the Open Source way has largely won as a development model for large and small projects. But when it comes to security we still practice a less-than-open model of embargoes with minimal or, in some cases, no community involvement. With the transition to more open development tools, such as Gitorious and GitHub, it is now time for the security process to change and become more open. The problem In general the argument for embargoes simply consists of "we'll fix...
    Posted 2015-06-10T13:30:38+00:00 - 0
  • Emergency Security Band-Aids with Systemtap

    Software security vulnerabilities are a fact of life. So is the subsequent publicity, package updates, and suffering service restarts. Administrators are used to it, and users bear it, and it's a default and traditional method. On the other hand, in some circumstances the update & restart methods are unacceptable, leading to the development of online fix facilities like kpatch, where code may be surgically replaced in a running system. There is plenty of potential in these systems, but they...
    Posted 2015-06-03T13:30:13+00:00 - 0
  • JSON, Homoiconicity, and Database Access

    During a recent review of an internal web application based on the Node.js platform, we discovered that combining JavaScript Object Notation (JSON) and database access (database query generators or object-relational mappers, ORMs) creates interesting security challenges, particularly for JavaScript programming environments. To see why, we first have to examine traditional SQL injection. Traditional SQL injection Most programming languages do not track where strings and numbers come from....
    Posted 2015-05-20T13:30:18+00:00 - 0
  • Red Hat IT: OpenShift Has Streamlined our Workload. Let It Streamline Yours.

    Are you looking for ways to deliver your applications more quickly and with less effort? Do you need to move more services to the cloud? Red Hat has these same issues and goals. By using our own product OpenShift, we have been able to shorten our release cycle times and support our developers better. We built and deployed our own OpenShift Enterprise Platform-as-a-Service (PaaS) offering and are running it in Amazon Web Services (AWS). This has allowed our teams to have more control over...
    Posted 2015-05-15T19:53:33+00:00 - 0
  • VENOM, don't get bitten.

    QEMU is a generic and open source machine emulator and virtualizer and is incorporated in some Red Hat products as a foundation and hardware emulation layer for running virtual machines under the Xen and KVM hypervisors. CVE-2015-3456 (aka VENOM) is a security flaw in the QEMU's Floppy Disk Controller (FDC) emulation. It can be exploited by a malicious guest user with access to the FDC I/O ports by issuing specially crafted FDC commands to the controller. It can result in guest controlled...
    Posted 2015-05-13T11:46:18+00:00 - 0
  • Explaining Security Lingo

    This post is aimed to clarify certain terms often used in the security community. Let's start with the easiest one: vulnerability. A vulnerability is a flaw in a selected system that allows an attacker to compromise the security of that particular system. The consequence of such a compromise can impact the confidentiality, integrity, or availability of the attacked system (these three aspects are also the base metrics of the CVSS scoring system that is used to rate vulnerabilities). ISO/IEC...
    Posted 2015-05-06T13:30:56+00:00 - 1
  • Regular expressions and recommended practices

    Whenever a security person crosses a vulnerability report, one of the first steps is to ensure that the reported problem is actually a vulnerability. Usually, the issue falls into well known and studied categories and this step is done rather quickly. Occasionally, however, one can come across bugs where this initial triage is a bit more problematic. This blog post is about such an issue, which will ultimately lead us to the concept of “recommended practice”. What happened? On July 31st...
    Posted 2015-04-22T13:30:52+00:00 - 0
  • Discovering bare metal with Satellite 6.1

    Satellite 6.1 will ship with the discovery plug-in pre-installed. The discovery plug-in enables automatic bare-metal discovery of unknown nodes on the provisioning network. These new nodes register to the Satellite Server and upload system facts such as serial ID, network interfaces, memory, and disks, as collected by Facter. After registration, the nodes show up on the Discovered Hosts page and you can initiate provisioning either manually (using the web UI or CLI, or the API) or automatically...
    Posted 2015-04-20T11:14:58+00:00 - 13
  • Drupal in Docker

    Containerizing Drupal Docker is a new technology within the past few years, but many know that Linux containers have been around longer than that. With the excitement around containers and Docker, the Customer Portal team at Red Hat wanted to take a look at how we could leverage Docker to deploy our application. We hope to always iterate on how code gets released to our customers, and containers seemed like a logical step to speeding up our application delivery. Current Process The method of...
    Posted 2015-04-08T20:55:23+00:00 - 1
  • Don't judge the risk by the logo

    It's been almost a year since the OpenSSL Heartbleed vulnerability, a flaw which started a trend of the branded vulnerability, changing the way security vulnerabilities affecting open-source software are being reported and perceived. Vulnerabilities are found and fixed all the time, and just because a vulnerability gets a name and a fancy logo doesn't mean it is of real risk to users. So let's take a tour through the last year of vulnerabilities, chronologically, to see what issues got branded...
    Posted 2015-04-08T13:30:02+00:00 - 0