Chapter 6. Technical Notes

Information about this advisory is available at https://access.redhat.com/errata/product/250/ver=6.3/rhel---7/x86_64/RHSA-2018:0336.

vulnerability

An integer-overflow flaw was found in V8's Zone class when allocating new memory (Zone::New() and Zone::NewExpand()). An attacker with the ability to manipulate a large zone could crash the application or, potentially, execute arbitrary code with the application privileges.

It was found that ruby will_paginate is vulnerable to a XSS via malformed input that cause pagination to occur on an improper boundary. This could allow an attacker with the ability to pass data to the will_paginate gem to display arbitrary HTML including scripting code within the web interface.

A flaw was found in the provisioning template handling in foreman. An attacker, with permissions to create templates, can cause internal Rails information to be displayed when it is processed, resulting in potentially sensitive information being disclosed.

Pulp makes unsafe use of Bash's $RANDOM to generate a NSS DB password and seed resulting in insufficient randomness. An attacker could potentially guess the seed used given enough time and compute resources.

It was found that Satellite 6 did not properly enforce access controls on certain resources. An attacker, with access to the API and knowledge of the ID name, can potentially access other resources in other organizations.

A flaw was found in discovery-debug in foreman. An attacker, with permissions to view the debug results, would be able to view the root password associated with that system, potentially allowing them to access it.

It was found that foreman is vulnerable to a stored XSS via a job template with a malformed name. This could allow an attacker with privileges to set the name in a template to display arbitrary HTML including scripting code within the web interface.

It was found that foreman is vulnerable to a stored XSS via an organization or location name. This could allow an attacker with privileges to set the organization or location name to display arbitrary HTML including scripting code within the web interface.

A flaw was found in katello-debug where certain scripts and log files used insecure temporary files. A local user could exploit this flaw to conduct a symbolic-link attack, allowing them to overwrite the contents of arbitrary files.

It was found that the hammer_cli command line client disables SSL/TLS certificate verification by default. A man-in-the-middle (MITM) attacker could use this flaw to spoof a valid certificate.

A flaw was found in foreman's logging during the adding or registering of images. An attacker with access to the foreman log file would be able to view passwords for provisioned systems in the log file, allowing them to access those systems.

It was found that foreman in Satellite 6 did not properly enforce access controls on certain resources. An attacker with access to the API and knowledge of the resource name can access resources in other organizations.

It was found that the private CA key was created in a directory that is world-readable for a small amount of time. A local user could possibly use this flaw to gain access to the private key information in the file.

A flaw was found in foreman's handling of template previews. An attacker with permissions to preview host templates can access the template preview for any host if they are able to guess the host name, disclosing potentially sensitive information.

A flaw was found in foreman-debug's logging. An attacker with access to the foreman log file would be able to view passwords, allowing them to access those systems.

Information about this advisory is available at https://access.redhat.com/errata/RHBA-2018:0337.html.

Information about this advisory is available at https://access.redhat.com/errata/RHBA-2018:0338.html.

katello-agent

Under certain conditions, build 19 of the dispatch router can terminate unexpectedly with a segmentation fault. The memory management has been improved to prevent this happening.

You can now manage clients without goferd. This limits the host management functionality only to uploading the package profile after installing, removing, updating packages, and triggering the Satellite tasks such as the applicable errata.

When repeatedly installing and removing a package on the same Content Host, goferd accumulates memory over time. This has been fixed by locally settling down received messages in qpid-proton library.

Reinstalling katello-ca-consumer on a RHEL 7 Content Host did not restart goferd service. Consequently, katello agent did not reconnect to Satellite. This is now fixed.

Restarting the agent on the client forced package applicability calculations which were not necessary. This case has been fixed.

Updating katello-agent did not update dependencies. This is now fixed.

While pushing Errata using the Web UI and katello-agent, goferd terminated with a segmentation fault on some clients. This is now fixed.

Several memory usage bugs in goferd and qpid have been resolved.

When removing katello-ca-consumer RPM, the backup of /etc/rhsm/rhsm.conf was not restored. This is now fixed.

Several memory leaks have been fixed in the qpid dispatch router.

Hypervisor names reported by virt-who are now validated on input.

When qdrouterd was not accessible, the goferd process had a memory leak and goferd terminated unexpectedly. This is now fixed.

After installing 'katello-hosts-tools' and running the Puppet agent,enabled_repos_upload sent output to stdout after all of the 'yum check-update' had output their data. This caused errors for the Puppet agent on the client.

Qpid

During scaling testing of content hosts, qpid consumed huge amounts of memory. This is now fixed.

Previously, Satellite had a hard limit of 64k Content Hosts that can run katello agent. The Qpid Dispatch Router has been improved to remove this limit.

When pausing a Satellite in a VM, any goferd client on a machine registered
to a Capsule failed to connect to the Capsule and logged
“qd:no-route-to-dest” error. The error persisted after qdrouterd on the
Satellite resumed. The qpid dispatch router has been improved to unmap all
addresses in a more reliable way.

During scale testing, qdrouterd experienced segmentation faults in libqpid.so. This is now fixed.

qdrouterd on Capsule Server was deadlocked and did not react to commands to kill the process. This is now fixed.

When several goferd client connections tried to use qdrouterd on Satellite to link to qpidd, qdrouterd experienced a segmentation fault. This is now fixed.

During an upgrade, the qpidd user could not access or read the /etc/pki/katello/nssdb/nss_db_password-file file. The qpidd broker attempted to restart, which caused a segmentation fault.

The 'hammer host-collection erratum install` installation failed with a sub-task error. With the latest update to qpid, this is now fixed.