• Subscription-manager for the former Red Hat Network User: Part 4 - Understanding Subscription Manifests

    Working title: Of Men, Mice and Manifests. Overview: With the introduction of the newer Systems Management tools such as Satellite 6, we introduced a new concept, the Subscription Manifest (which are different from Satellite 5 Entitlement XML certificates), as the means to import Subscriptions into Satellite for the purposes of synchronizing content and attaching subscriptions to systems. What is a subscription manifest? A subscription manifest is a digitally signed zip file containing: A...
    Posted 2016-08-26T09:00:36+00:00 - 2
  • Making systems ready for Satellite 6.2's remote execution

    Satellite 6.2 ships with the much anticipated remote execution feature, which allows you to run scripts and jobs on a group of systems and then gather and view the output in the Satellite interface. Remote Execution by itself works fine out of the box for new machines, but already existing machines need to be bootstrapped by adding an SSH public key to root's ~/.ssh/authorized_keys. You can use Puppet to do this - assuming you are using Puppet at all - in two distinct ways: - you can use a full...
    Posted 2016-08-02T14:27:09+00:00 - 53
  • Satellite5, spacewalk-clone-by-date, and you!

    INTRODUCTION A typical workflow for a Satellite 5 installation involves maintaining strict control over exactly what changes are available to registered systems. This is accomplished by cloning the channels synchronized from Red Hat Network, and limiting the clones to a given subset of the 'current' state of the original channel. spacewalk-clone-by-date is a tool available as part of the Satellite 5 subscription which aims to ease the process of creating and maintaining cloned channels. However...
    Posted 2016-07-28T13:38:58+00:00 - 2
  • Red Hat Satellite 6.2 is now available

    Red Hat is pleased to announce the general availability of Red Hat Satellite 6.2. Red Hat Satellite 6.0 included a redesigned product architecture to manage new types of content on a wide variety of platforms, including bare-metal, private, and public clouds. Satellite 6.2 continues to build on that release and features the following: Increase Efficiency with Automated Workflows Satellite 6.2 introduces remote execution, automating workflows and enabling users to take multiple actions against...
    Posted 2016-07-26T20:36:30+00:00 - 24
  • Using the Java Security Manager in Enterprise Application Platform 7

    JBoss Enterprise Application Platform 7 allows the definition of Java Security Policies per application. The way it's implemented means that we'll also be able to define security policies per module, in addition to defining one per application. The ability to apply the Java Security Manager per application, or per module in EAP 7, makes it a versatile tool in the mitigation of serious security issues, or useful for applications with strict security requirements. The main difference between EAP 6...
    Posted 2016-07-13T13:30:00+00:00 - 0
  • Java Deserialization attacks on JBoss Middleware

    Recent research by Chris Frohoff and Gabriel Lawrence has exposed gadget chains in various libraries that allow code to be executed during object deserialization in Java. They've done some excellent research, including publishing some code that allows anyone to serialize a malicious payload that when deserialized runs the operating system command of their choice, as the user which started the Java Virtual Machine (JVM). The vulnerabilities are not with the gadget chains themselves but with the...
    Posted 2016-07-06T13:30:00+00:00 - 1
  • StackOverflow Assistance Pilot

    As a valued customer you have access to extensive content and certain products for developer use, which help you create your applications quickly. We want to assist you wherever you may look for help. We know developers love StackOverflow. For a limited time, as a subscriber you can sign up for our StackOverflow Assistance pilot. As part of this pilot, we will try to respond within 24 hours to your developer question on a Red Hat product within StackOverflow, if it hasn’t already been answered...
    Posted 2016-06-24T19:39:31+00:00 - 0
  • StackOverflow Pilot Program Monitored Tags

    As part of the StackOverflow Pilot Program, the list of StackOverflow tags we will be monitoring include: jboss jboss7.x jboss5.x jboss6.x Jboss-eap-6 jboss-eap-7 jbossamq jbossfuse jboss-logging jboss-web jboss-cli openshift openshift-client-tools openshift-enterprise jboss-messaging jboss-modules jboss-tools jboss-mdb jbossws jboss-esb jboss-rules jboss-cache jboss-portal Keycloak drools apache-camel cxf activemq karaf apache-karaf Fabric8 apiman jBPM bpm
    Posted 2016-06-23T20:15:14+00:00 - 0
  • Redefining how we share our security data.

    Red Hat Product Security has long provided various bits of machine-consumable information to customers and users via our Security Data page. Today we are pleased to announce that we have made it even easier to access and parse this data through our new Security Data API service. While we have provided this information since January 2005, it required end users to download the content from the site, which meant you either downloaded many files and kept a local copy, or you were downloading large...
    Posted 2016-06-23T13:30:00+00:00 - 1
  • How Red Hat uses CVSSv3 to Assist in Rating Flaws

    Humans have been measuring risk since the dawn of time. "I'm hungry, do I go outside my awesome cave here and forage for food? There might be something bigger, scarier, and hungrier than me out there...maybe I should wait?" Successfully navigating through life is a series of Risk/Reward calculations made each and every day. Sometimes, ideally, the choices are small ("Do I want fries with that?") while others can lead to catastrophic outcomes if the scenario isn't fully thought-through and...
    Posted 2016-06-21T20:16:50+00:00 - 0
  • Satellite 6.2 Beta 2 Now Available

    Download the beta here Review beta documentation Open a ticket on the beta Red Hat is pleased to announce the second beta for Satellite 6.2. Beta 2 is immediately available to all current beta customers. The list of new features in this beta can be reviewed in the Beta 1 Announcement Satellite 6.2 Beta - What's New Lots of bug fixes based on your feedback The first beta had very good adoption. Thank you for your time. Based on your feedback we have resolved many bugs. Specifically, you...
    Posted 2016-06-15T12:39:58+00:00 - 4
  • The Answer is always the same: Layers of Security

    There is a common misperception that now that containers support seccomp we no longer need SELinux to help protect our systems. WRONG. The big weakness in containers is the container possesses the ability to interact with the host kernel and the host file systems. Securing the container processes is all about shrinking the attack surface on the host OS and more specifically on the host kernel. seccomp does a great job of shrinking the attack surface on the kernel. The idea is to limit the...
    Posted 2016-05-25T13:30:00+00:00 - 0
  • CVE-2016-3710: QEMU: out-of-bounds memory access issue

    Quick Emulator (aka QEMU) is an open source systems emulator. It emulates various processors and their accompanying hardware peripherals like disc, serial ports, NIC et al. A serious vulnerability of out-of-bounds r/w access through the Video Graphics Array (VGA) emulator was discovered and reported by Mr Wei Xiao and Qinghao Tang of Marvel Team at 360.cn Inc. This vulnerability is formally known as Dark Portal. In this post we'll see how Dark Portal works and its mitigation. VGA is a hardware...
    Posted 2016-05-11T13:30:00+00:00 - 1
  • Satellite 6.2 Beta Now Available

    Download the beta here Review beta documentation Open a ticket on the beta Red Hat is pleased to announce the Satellite 6.2 beta. Available to all current Satellite customers, the beta includes several highly demanded features. Satellite 6.2 Beta - New Features and Functionality Increase Efficiency with Automated Workflows Satellite 6.2 introduces remote execution, automating workflows and enabling users to take multiple actions against groups of systems. Now Satellite 6.2 can automatically...
    Posted 2016-04-26T14:23:02+00:00 - 36
  • Red Hat Product Security Risk Report: 2015

    This report takes a look at the state of security risk for Red Hat products for calendar year 2015. We look at key metrics, specific vulnerabilities, and the most common ways users of Red Hat products were affected by security issues. Our methodology is to look at how many vulnerabilities we addressed and their severity, then look at which issues were of meaningful risk, and which were exploited. All of the data used to create this report is available from public data maintained by Red Hat...
    Posted 2016-04-20T13:30:00+00:00 - 3
  • Badlock response planning and remediation with Red Hat Insights

    Many customers utilize the SMB (Server Message Block) protocol in their production environments. SMB has become a reliable file and print sharing resource protocol for RHEL deployments in many infrastructures through the Samba project, allowing greater usage of shared and cross platform resources. There is a new man-in-the-middle vulnerability, named “badlock,” that targets any implementation of Microsoft’s Local Security Authentication and Security Account Manager remote protocols. This...
    Posted 2016-04-12T14:30:23+00:00 - 0
  • Using r10k with Red Hat Satellite 6

    Table of contents Background Legal Disclaimer Version Information Installing r10k Configuring r10k Setting up the repository Deploying the modules Importing into Satellite 6 Assigning the environment Pros and cons of working with r10k Background From time to time, we get questions from customers already using Puppet, on whether it is possible to incorporate an existing Puppet workflow based on r10k into Satellite 6. These customers are often well accustomed to the r10k workflow and do not...
    Posted 2016-04-01T07:45:33+00:00 - 19
  • Security risks with higher level languages in middleware products

    Java-based high-level application-specific languages provide significant flexibility when using middleware products such as BRMS. This flexibility comes at a price as there are significant security concerns in their use. In this article the usage of Drools language and MVEL in JBoss BRMS is looked at to demonstrate some of these concerns. Other middleware products might be exposed to similar risks. Java is an extremely feature-rich portable language that is used to build a great range of...
    Posted 2016-03-23T13:30:00+00:00 - 0
  • Satellite 6.1.8 is Released

    Satellite 6.1.8 has been released. This update fixes the following bugs: Previously, the katello-backup tool did not handle the '--help' argument correctly. With this update, katello-backup provides the appropriate help information when passed the argument. (BZ#1250185) Removing a Puppet module from the Library after it had been added to a content view caused the Puppet Modules tab to become unresponsive. The display code has been updated, and the Puppet Modules tab now displays the deleted...
    Posted 2016-03-22T22:24:29+00:00 - 2
  • Automate RPM build with Mock and Satellite-6

    In any modern development environment automation is crucial. For Red Hat flavoured OSes, application management is typically based on RPM packages. Bringing automation into an RPM development environment sooner or later leads to Mock https://fedorahosted.org/mock/. With Satellite-6, Mock finally has a capable life cycle management counterpart. In large projects with several teams working on interdependent components, Satellite Content Views (CVs) are powerful means to provide a solid baseline...
    Posted 2016-03-07T10:07:21+00:00 - 8
  • Subscription-manager for the former Red Hat Network User: Part 3 - Understanding virt-who

    Overview In Subscription-manager for the Former Red Hat Network User, part 1 & part 2, we covered an introduction to the client-side tooling. This article aims to cover virt-who, a critical component of the server-side Subscription Management tooling. What is virt-who? With the introduction of the 2010 subscription model, Red Hat introduced subscriptions, where the customer could buy a single subscription (for a hypervisor) which allowed 1, 4 or unlimited virtual guests to run on that...
    Posted 2016-03-05T19:31:22+00:00 - 3
  • Planning your response to the OpenSSL DROWN vulnerability

    When a major security risk like the new OpenSSL DROWN vulnerability strikes, you have to plan your response. Generally, you should start outside (Internet-facing) and work your way inside, and prioritize those servers which expose vulnerable network services over those that simply have an older package installed. For more information on the DROWN security vulnerability (CVE-2016-0800) please refer to this Vulnerability Article. Identifying risk To help you respond to DROWN, Red Hat Insights...
    Posted 2016-03-01T16:03:02+00:00 - 0
  • Go home SSLv2, you’re DROWNing

    The SSLv2 protocol had its 21st birthday last month, but it’s no cause to celebrate with an alcoholic beverage, since the protocol was already deprecated when it turned 18. Announced today is an attack called DROWN that takes advantage of systems still using SSLv2. Many cryptographic libraries already disable SSLv2 by default, and updates from the OpenSSL project and Red Hat today catch up. What is DROWN? CVE-2016-0800, also known as DROWN, stands for Decrypting RSA using Obsolete and Weakened...
    Posted 2016-03-01T13:00:00+00:00 - 0