- Issued: 2007-08-29
- Updated: 2007-08-29
RHSA-2007:0868 - Security Advisory
Synopsis
Moderate: Red Hat Network Satellite Server security update
Type/Severity
Security Advisory: Moderate
Topic
Red Hat Network Satellite Server version 5.0.1, which fixes a security
issue in version 5.0.0, is now available.
This update has been rated as having moderate security impact by the Red
Hat Security Response Team.
Description
During an internal code audit, a flaw was found in an unused back-end
XMLRPC handler first added to Red Hat Network Satellite Server 5.0.0. A
remote attacker with valid authentication credentials who was able to
connect to a Satellite Server could use this flaw to execute arbitrary code
on the server as the 'apache' user. (CVE-2007-4132)
Users of Red Hat Network Satellite Server 5.0.0 are advised to upgrade to
5.0.1 which removes the unused, vulnerable handler.
Note: This issue did not affect the hosted version of Red Hat Network or
versions of Red Hat Network Satellite Server prior to 5.0.0.
Solution
This update is available via Red Hat Network. Details on how to use the
Red Hat Network to apply this update are available at
http://www.redhat.com/docs/manuals/satellite/Red_Hat_Network_Satellite-5.0.0/html/Installation_Guide/s1-maintenance-update.html
Affected Products
- Red Hat Network Satellite 4.2,5.0 (for RHEL Server) 5.0 i386
Fixes
- BZ - 253239 - CVE-2007-4132 RHN Satellite xmlrpc flaw
CVEs
The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.