RHSA-2012:1187 - Security Advisory

Overview
Updated Packages

Synopsis

Important: katello security update

Type/Severity

Security Advisory: Important

Topic

Updated katello packages that fix one security issue are now available for
Red Hat Subscription Asset Manager.

The Red Hat Security Response Team has rated this update as having
important security impact. A Common Vulnerability Scoring System (CVSS)
base score, which gives a detailed severity rating, is available from the
CVE link in the References section.

Description

Katello allows you to manage the application life-cycle for Linux systems.
Katello is used by Red Hat Subscription Asset Manager, a distributor
application for handling subscription information and software updates on
client machines.

It was found that the katello-common package's installation script did not
correctly generate the secret token used for session cookie generation,
leading to every default installation using the same secret token. A remote
attacker could use this flaw to create a cookie that would allow them to
log into the Subscription Asset Manager web interface as any user, without
knowing the passwords. (CVE-2012-3503)

All users of Red Hat Subscription Asset Manager are advised to upgrade to
these updated packages, which correct this issue. For instructions on
applying this update, refer to the Subscription Asset Manager Installation
Guide, linked to in the References section.

Solution

Before applying this update, make sure all previously-released errata
relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to
use the Red Hat Network to apply this update are available at
https://access.redhat.com/knowledge/articles/11258

For instructions on applying this update, refer to the Subscription
Asset Manager Installation Guide, linked to in the References section.

Affected Products

Red Hat Enterprise Linux Server 6 x86_64

Fixes

BZ - 849210 - CVE-2012-3503 Katello: Application.config.secret_token is not generated properly

CVEs

CVE-2012-3503

References

Note: More recent versions of these packages may be available. Click a package name for more details.

Red Hat Enterprise Linux Server 6

SRPM
katello-0.3.4-1.el6_2.src.rpm	SHA-256: b4177dd770cf1ea48b6b310d01822073ed05721c411092e0cf4df09351849b34
x86_64
katello-common-0.3.4-1.el6_2.noarch.rpm	SHA-256: 18dae9167df28d0c03a5721d7b61e4d933cb95b9c91a4f206f175585b277195f
katello-glue-candlepin-0.3.4-1.el6_2.noarch.rpm	SHA-256: 37d9c7aa477d252d63ac86a55dac1b30c4496674d2ab604f90fe4e9f334bcfe3

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.

Log in to Your Red Hat Account

Red Hat Account

Customer Portal

Select Your Language

Infrastructure and Management

Cloud Computing

Storage

JBoss Development and Management

JBoss Integration and Automation

Mobile

Services

Tools

Red Hat Product Security Center

Security Updates

Resources

Customer Portal Community

Customer Events

Stories