• Factoring RSA Keys With TLS Perfect Forward Secrecy

    What is being disclosed today? Back in 1996, Arjen Lenstra described an attack against an optimization (called the Chinese Remainder Theorem optimization, or RSA-CRT for short). If a fault happened during the computation of a signature (using the RSA-CRT optimization), an attacker might be able to recover the private key from the signature (an “RSA-CRT key leak”). At the time, use of cryptography on the Internet was uncommon, and even ten years later, most TLS (or HTTPS) connections were immune...
    Posted 2015-09-02T13:30:48+00:00 - 0
  • Secure distribution of RPM packages

    This blog post looks at the final part of creating secure software: shipping it to users in a safe way. It explains how to use transport security and package signatures to achieve this goal. yum versus rpm There are two commonly used tools related to RPM package management, yum and rpm. (Recent Fedora versions have replaced yum with dnf, a rewrite with similar functionality.) The yum tool inspects package sources (repositories), downloads RPM packages, and makes sure that required dependencies...
    Posted 2015-08-19T18:08:11+00:00 - 1
  • Red Hat launches Red Hat Satellite 6.1

    We are proud to announce the availability of Red Hat Satellite 6.1. This new version of Satellite includes several security features, introduces new management capabilities related to containers and many other enhancements. Improved Security Errata Management Enhancements Enhanced errata management refines the organization and applicability of security, bug, and enhancement patches. Improved reporting enables organizations to easily identify which hosts are affected and quickly respond to...
    Posted 2015-08-07T17:08:33+00:00 - 0
  • Remote code execution via serialized data

    Most programming languages contain powerful features that, used correctly, are incredibly powerful, but used incorrectly can be incredibly dangerous. Serialization (and deserialization) is one such feature available in most modern programming languages. As mentioned in a previous article: “Serialization is a feature of programming languages that allows the state of in-memory objects to be represented in a standard format, which can be written to disk or transmitted across a network.” So...
    Posted 2015-07-29T13:30:31+00:00 - 0
  • libuser vulnerabilities

    Updated 2015-07-24 @ 12:33 UTC It was discovered that the libuser library contains two vulnerabilities which, in combination, allow unprivileged local users to gain root privileges. libuser is a library that provides read and write access to files like /etc/passwd, which constitute the system user and group database. On Red Hat Enterprise Linux it is a central system component. What is being disclosed today? Qualys reported two vulnerabilities: CVE-2015-3245: The userhelper program allows...
    Posted 2015-07-23T18:00:56+00:00 - 0
  • Security audit on Satellite 6.1 with OpenSCAP

    Introduction The Foreman-OpenSCAP gem suite enables Satellite 6.1 to receive automated vulnerability assessment and security compliance audits from managed hosts. You can upload SCAP compliance contents, create compliance policies out of them and assign the policies to hosts or hostgroups. The foreman_openscap plugin provides three default SCAP contents, so you can start testing security compliance on RHEL6/7 and on Fedora. OpenSCAP reports (aka ARF reports) will help you find vulnerabilities...
    Posted 2015-06-18T12:58:51+00:00 - 22
  • Satellite 6.1 Public Beta is Now Available

    We are pleased to announce that Satellite version 6.1 is now available for public beta. Satellite 6.1 features numerous enhancements and fixes that improve stability, reliability and scalability. New features include errata management enhancements, automated provisioning of bare metal servers, content ISOs for disconnected environments and the introduction of both OpenSCAP and container management. All current Satellite customers are eligible to participate in the beta. If you would like to...
    Posted 2015-06-17T14:59:31+00:00 - 0
  • Single sign-on with OpenConnect VPN server over FreeIPA

    In March of 2015 the 0.10.0 version of OpenConnect VPN was released. One of its main features is the addition of MS-KKDCP support and GSSAPI authentication. Putting the acronyms aside that means that authentication in FreeIPA, which uses Kerberos, is greatly simplified for VPN users. Before explaining more, let's first explore what the typical login process is on a VPN network. Currently, with a VPN server/product one needs to login to the VPN server using some username-password pair, and then...
    Posted 2015-06-17T13:30:08+00:00 - 0
  • The hidden costs of embargoes

    It's 2015 and it's pretty clear the Open Source way has largely won as a development model for large and small projects. But when it comes to security we still practice a less-than-open model of embargoes with minimal or, in some cases, no community involvement. With the transition to more open development tools, such as Gitorious and GitHub, it is now time for the security process to change and become more open. The problem In general the argument for embargoes simply consists of "we'll fix...
    Posted 2015-06-10T13:30:38+00:00 - 0
  • Emergency Security Band-Aids with Systemtap

    Software security vulnerabilities are a fact of life. So is the subsequent publicity, package updates, and suffering service restarts. Administrators are used to it, and users bear it, and it's a default and traditional method. On the other hand, in some circumstances the update & restart methods are unacceptable, leading to the development of online fix facilities like kpatch, where code may be surgically replaced in a running system. There is plenty of potential in these systems, but they...
    Posted 2015-06-03T13:30:13+00:00 - 0
  • JSON, Homoiconicity, and Database Access

    During a recent review of an internal web application based on the Node.js platform, we discovered that combining JavaScript Object Notation (JSON) and database access (database query generators or object-relational mappers, ORMs) creates interesting security challenges, particularly for JavaScript programming environments. To see why, we first have to examine traditional SQL injection. Traditional SQL injection Most programming languages do not track where strings and numbers come from....
    Posted 2015-05-20T13:30:18+00:00 - 0
  • Red Hat IT: OpenShift Has Streamlined our Workload. Let It Streamline Yours.

    Are you looking for ways to deliver your applications more quickly and with less effort? Do you need to move more services to the cloud? Red Hat has these same issues and goals. By using our own product OpenShift, we have been able to shorten our release cycle times and support our developers better. We built and deployed our own OpenShift Enterprise Platform-as-a-Service (PaaS) offering and are running it in Amazon Web Services (AWS). This has allowed our teams to have more control over...
    Posted 2015-05-15T19:53:33+00:00 - 0
  • Satellite 6.1 Docker Management and Workflow

    Introduction Walkthrough Add an External Registry Server Add a Content View & Life Cycle Add a Compute Resource Provision Containers Provision a Container From Docker Hub Provision Container from External Registry Provision Container from Content View List Containers Docker Tags Conclusion Introduction One of the first things you will want to do, after coming up to speed with Docker, is probably setup a Registry Server. The Docker project provides a basic Registry Server which...
    Posted 2015-05-13T12:52:55+00:00 - 7
  • VENOM, don't get bitten.

    QEMU is a generic and open source machine emulator and virtualizer and is incorporated in some Red Hat products as a foundation and hardware emulation layer for running virtual machines under the Xen and KVM hypervisors. CVE-2015-3456 (aka VENOM) is a security flaw in QEMU's Floppy Disk Controller (FDC) emulation. It can be exploited by a malicious guest user with access to the FDC I/O ports by issuing specially crafted FDC commands to the controller. It can result in guest controlled...
    Posted 2015-05-13T11:46:18+00:00 - 0
  • Explaining Security Lingo

    This post is aimed to clarify certain terms often used in the security community. Let's start with the easiest one: vulnerability. A vulnerability is a flaw in a selected system that allows an attacker to compromise the security of that particular system. The consequence of such a compromise can impact the confidentiality, integrity, or availability of the attacked system (these three aspects are also the base metrics of the CVSS v2 scoring system that are used to rate vulnerabilities). ISO/IEC...
    Posted 2015-05-06T13:30:56+00:00 - 0
  • Container Security: Just The Good Parts

    Security is usually a matter of trade-offs. Questions like "Is X secure?" don't often have direct yes or no answers. A technology can mitigate certain classes of risk even as it exacerbates others. Containers are just such a recent technology and their security impact is complex. Although some of the common risks of containers are beginning to be understood, many of their upsides are yet to be widely recognized. To emphasize the point, this post will highlight three advantages of...
    Posted 2015-04-29T14:30:02+00:00 - 0
  • Regular expressions and recommended practices

    Whenever a security person comes across a vulnerability report, one of the first steps is to ensure that the reported problem is actually a vulnerability. Usually, the issue falls into well known and studied categories and this step is done rather quickly. Occasionally, however, one can come across bugs where this initial triage is a bit more problematic. This blog post is about such an issue, which will ultimately lead us to the concept of “recommended practice”. What happened? On July 31st...
    Posted 2015-04-22T13:30:52+00:00 - 0
  • Implementing UEFI support with Satellite 6.2

    Satellite 6 does not currently support UEFI, but thanks to John Herr from Red Hat and the Foreman Hooks plug-in, it is possible to achieve some level of integration for bare-metal or virtualized provisioning. This tutorial is for Red Hat Enterprise Linux 7.1 running Satellite 6.1 and using Grub2 for PXE booting systems (instead of traditional PXELinux). This example configuration uses Satellite 6 with Capsule running on the same server. Required conditions: Satellite 6.2 running on Red Hat...
    Posted 2015-04-21T08:09:36+00:00 - 39
  • Discovering bare metal with Satellite 6.1

    Satellite 6.1 will ship with the discovery plug-in pre-installed. The discovery plug-in enables automatic bare-metal discovery of unknown nodes on the provisioning network. These new nodes register to the Satellite Server and upload system facts such as serial ID, network interfaces, memory, and disks, as collected by Facter. After registration, the nodes show up on the Discovered Hosts page and you can initiate provisioning either manually (using the web UI or CLI, or the API) or automatically...
    Posted 2015-04-20T11:14:58+00:00 - 13
  • Drupal in Docker

    Containerizing Drupal Docker is a new technology within the past few years, but many know that linux containers have been around longer than that. With the excitement around containers and Docker, the Customer Portal team at Red Hat wanted to take a look at how we could leverage Docker to deploy our application. We hope to always iterate on how code gets released to our customers, and containers seemed like a logical step to speeding up our application delivery. Current Process The method of...
    Posted 2015-04-08T20:55:23+00:00 - 1
  • Don't judge the risk by the logo

    It's been almost a year since the OpenSSL Heartbleed vulnerability, a flaw which started a trend of the branded vulnerability, changing the way security vulnerabilities affecting open-source software are being reported and perceived. Vulnerabilities are found and fixed all the time, and just because a vulnerability gets a name and a fancy logo doesn't mean it is of real risk to users. So let's take a tour through the last year of vulnerabilities, chronologically, to see what issues got branded...
    Posted 2015-04-08T13:30:02+00:00 - 0
  • JOSE - JSON Object Signing and Encryption

    Federated Identity Management has become very widespread in recent years; in addition to enterprise deployments, a lot of popular web services allow users to carry their identity over multiple sites. Social networking sites especially are in a good position to drive federated identity management, as they have both a critical mass of users and the incentive to become an identity provider. As users move away from a single device to using multiple portable devices, there is constant pressure...
    Posted 2015-04-01T13:30:52+00:00 - 0
  • Not using IPv6? Are you sure?

    Internet Protocol version 6 (IPv6) has been around for many years and was first supported in Red Hat Enterprise Linux 6 in 2010. Designed to provide, among other things, additional address space on the ever-growing Internet, IPv6 has only recently become a priority for ISPs and businesses. On February 3, 2011, ICANN announced that the available pool of unallocated IPv4 addresses had been completely emptied and urged network operators and server owners to implement IPv6 if they had not already...
    Posted 2015-03-25T13:30:48+00:00 - 0
  • CWE Vulnerability Assessment Report 2014

    Last year ended almost three months ago and we have been busy completing the CWE statistics of our vulnerabilities. The biggest change from the year before is the scale of the data: the CWE report for 2013 was based on 37 classified vulnerabilities, whereas last year we classified 617 vulnerabilities in our bugzilla. Out of them, 61 were closed with resolution NOTABUG, which means they were either not security issues, or did not affect Red Hat products. These still include vulnerabilities which...
    Posted 2015-03-18T14:30:23+00:00 - 0
  • Linter for Dockerfile

    We're pleased to introduce a new Red Hat Access Labs application called Linter for Dockerfile. The Docker project provides the means of packaging applications in lightweight containers and has quickly become one of the premier projects for containerization. Docker containers offer several advantages over traditional virtual machines such as reduced size and performance. The Linter for Dockerfile lab application allows you to check basic dockerfile syntax and also allows you to check that a...
    Posted 2015-03-12T17:35:37+00:00 - 0