- Issued: 2018-09-20
- Updated: 2018-09-20
RHSA-2018:2733 - Security Advisory
Synopsis
Critical: rubygem-smart_proxy_dynflow security update
Type/Severity
Security Advisory: Critical
Topic
An update for rubygem-smart_proxy_dynflow is now available for Red Hat Satellite 6.3 for RHEL 7.
Red Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Description
The rubygem provided by rubygem-smart_proxy_dynflow is a plugin for Foreman's Smart Proxy that runs Dynflow actions on the Smart Proxy.
Security Fix(es):
- smart_proxy_dynflow: Authentication bypass in Foreman remote execution feature (CVE-2018-14643)
For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.
This issue was discovered by Ivan Necas (Red Hat).
Solution
This update does not require a full upgrade. Only the update of the rubygem-smart_proxy_dynflow package is required.
In order to update your Satellite system, follow the instructions below:
Stop all services:
# katello-service stop
Update rubygem-smart_proxy_dynflow:
# yum update rubygem-smart_proxy_dynflow
Start services:
# katello-service restart
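A post-update check for the steps above, added here as an example and not part of the Red Hat advisory: it confirms that the installed rubygem-smart_proxy_dynflow build is at least the fixed 0.1.10.2-1.el7sat listed in the package tables. The function names and the `--check` switch are hypothetical, and comparing dotted-numeric versions with GNU `sort -V` is an assumed simplification of RPM's own version comparison.

```shell
#!/bin/sh
# Added example: post-update check for RHSA-2018:2733 (not Red Hat's code).
PKG="rubygem-smart_proxy_dynflow"
FIXED_VERSION="0.1.10.2"   # fixed build listed in this advisory
FIXED_RELEASE=1            # leading number of the release "1.el7sat"

# version_ge A B: true when dotted-numeric version A >= B (uses GNU sort -V).
version_ge() {
    if [ "$1" = "$2" ]; then return 0; fi
    lowest=$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)
    [ "$lowest" = "$2" ]
}

# is_patched VERSION-RELEASE: true when the build is the fixed one or newer.
# Returns 2 when the string does not look like an RPM version-release.
is_patched() {
    ver=${1%%-*}
    rel=${1#*-}
    rel_num=${rel%%.*}
    case "$ver" in ''|*[!0-9.]*) return 2 ;; esac
    case "$rel_num" in ''|*[!0-9]*) return 2 ;; esac
    if [ "$ver" = "$FIXED_VERSION" ]; then
        [ "$rel_num" -ge "$FIXED_RELEASE" ]
    else
        version_ge "$ver" "$FIXED_VERSION"
    fi
}

# check_installed: query the RPM database on this host and report the result.
check_installed() {
    if ! installed=$(rpm -q --qf '%{VERSION}-%{RELEASE}\n' "$PKG" 2>/dev/null); then
        echo "$PKG is not installed"
        return 3
    fi
    if is_patched "$installed"; then
        echo "OK: $PKG-$installed includes the CVE-2018-14643 fix"
    else
        echo "VULNERABLE: $PKG-$installed is older than $FIXED_VERSION-$FIXED_RELEASE.el7sat"
        return 1
    fi
}

# Only touch the RPM database when asked, so the functions can be sourced.
if [ "${1:-}" = "--check" ]; then
    check_installed
fi
```

Run it with `--check` on each Satellite and Capsule host after the services are back up; a non-zero exit status means the host still needs the update.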
For detailed instructions on how to apply this update, refer to:
Affected Products
- Red Hat Satellite 6.3 x86_64
- Red Hat Satellite Capsule 6.3 x86_64
Fixes
- BZ - 1629003 - CVE-2018-14643 rubygem-smart_proxy_dynflow: Authentication bypass in Foreman remote execution feature [rhn_satellite_6.3]
- BZ - 1629063 - CVE-2018-14643 smart_proxy_dynflow: Authentication bypass in Foreman remote execution feature
CVEs
Red Hat Satellite 6.3
SRPM | |
---|---|
rubygem-smart_proxy_dynflow-0.1.10.2-1.el7sat.src.rpm | SHA-256: 8dbcd2383a894f4c70c097d1cddc05767e68b084a352cf526dd9b4e9f3a48fe5 |
x86_64 | |
rubygem-smart_proxy_dynflow-0.1.10.2-1.el7sat.noarch.rpm | SHA-256: 14d67040ded7e9077e70d9d0a83d88c2a4c46c02957e6ff434618b94587d0a8b |
Red Hat Satellite Capsule 6.3
SRPM | |
---|---|
rubygem-smart_proxy_dynflow-0.1.10.2-1.el7sat.src.rpm | SHA-256: 8dbcd2383a894f4c70c097d1cddc05767e68b084a352cf526dd9b4e9f3a48fe5 |
x86_64 | |
rubygem-smart_proxy_dynflow-0.1.10.2-1.el7sat.noarch.rpm | SHA-256: 14d67040ded7e9077e70d9d0a83d88c2a4c46c02957e6ff434618b94587d0a8b |
The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.