Headline
RHSA-2020:4366: Red Hat Security Advisory: Satellite 6.8 release
An update is now available for Red Hat Satellite 6.8 for RHEL 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Red Hat Satellite is a systems management tool for Linux-based infrastructure. It allows for provisioning, remote management, and monitoring of multiple Linux deployments with a single centralized tool. Security Fix(es):
- mysql-connector-java: Connector/J unspecified vulnerability (CPU October 2018) (CVE-2018-3258)
- netty: HTTP Request Smuggling due to Transfer-Encoding whitespace mishandling (CVE-2020-7238)
- rubygem-websocket-extensions: ReDoS vulnerability in Sec-WebSocket-Extensions parser (CVE-2020-7663)
- puppet: puppet server and puppetDB may leak sensitive information via metrics API (CVE-2020-7943)
- jackson-databind: multiple serialization gadgets (CVE-2020-8840 CVE-2020-9546 CVE-2020-9547 CVE-2020-9548 CVE-2020-10968 CVE-2020-10969 CVE-2020-11619 CVE-2020-14061 CVE-2020-14062 CVE-2020-14195)
- foreman: unauthorized cache read on RPM-based installations through local user (CVE-2020-14334)
- Satellite: Local user impersonation by Single sign-on (SSO) user leads to account takeover (CVE-2020-14380)
- Django: Incorrect HTTP detection with reverse-proxy connecting via HTTPS (CVE-2019-12781)
- rubygem-rack: hijack sessions by using timing attacks targeting the session id (CVE-2019-16782)
- rubygem-secure_headers: limited header injection when using dynamic overrides with user input (CVE-2020-5216)
- rubygem-secure_headers: directive injection when using dynamic overrides with user input (CVE-2020-5217)
- rubygem-actionview: views that use the
j
orescape_javascript
methods are susceptible to XSS attacks (CVE-2020-5267) - puppet: Arbitrary catalog retrieval (CVE-2020-7942)
- rubygem-rack: directory traversal in Rack::Directory (CVE-2020-8161)
- rubygem-rack: percent-encoded cookies can be used to overwrite existing prefixed cookie names (CVE-2020-8184)
- hibernate-validator: Improper input validation in the interpolation of constraint error messages (CVE-2020-10693)
- puppet-agent: Puppet Agent does not properly verify SSL connection when downloading a CRL (CVE-2018-11751) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Additional Changes:
- Provides the Satellite Ansible Modules that allow for full automation of your Satellite configuration and deployment.
- Adds ability to install Satellite and Capsules and manage hosts in a IPv6 network environment
- Ansible based Capsule Upgrade automation: Ability to centrally upgrade all of your Capsule servers with a single job execution.
- Platform upgrades to Postgres 12, Ansible 2.9, Ruby on Rails and latest version of Puppet
- Support for HTTP UEFI provisioning
- Support for CAC card authentication with Keycloak integration
- Add ability to upgrade Red Hat Enterprise Linux 7 hosts to version 8 using the LEAPP based tooling.
- Support for Red Hat Enterprise Linux Traces integration
- satellite-maintain & foreman-maintain are now self updating
- Notifications in the UI to warn users when subscriptions are expiring. The items above are not a complete list of changes. This update also fixes several bugs and adds various enhancements. Documentation for these changes is available from the Release Notes document linked to in the References section. Related CVEs:
- CVE-2018-3258: mysql-connector-java: Connector/J unspecified vulnerability (CPU October 2018)
- CVE-2018-11751: puppet-agent: Puppet Agent does not properly verify SSL connection when downloading a CRL
- CVE-2018-1000119: rack-protection: Timing attack in authenticity_token.rb
- CVE-2019-10219: hibernate-validator: safeHTML validator allows XSS
- CVE-2019-12781: Django: Incorrect HTTP detection with reverse-proxy connecting via HTTPS
- CVE-2019-16782: rubygem-rack: hijack sessions by using timing attacks targeting the session id
- CVE-2020-5216: rubygem-secure_headers: limited header injection when using dynamic overrides with user input
- CVE-2020-5217: rubygem-secure_headers: directive injection when using dynamic overrides with user input
- CVE-2020-5267: rubygem-actionview: views that use the
j
orescape_javascript
methods are susceptible to XSS attacks - CVE-2020-7238: netty: HTTP Request Smuggling due to Transfer-Encoding whitespace mishandling
- CVE-2020-7663: rubygem-websocket-extensions: ReDoS vulnerability in Sec-WebSocket-Extensions parser
- CVE-2020-7942: puppet: Arbitrary catalog retrieval
- CVE-2020-7943: puppet: puppet server and puppetDB may leak sensitive information via metrics API
- CVE-2020-8161: rubygem-rack: directory traversal in Rack::Directory
- CVE-2020-8184: rubygem-rack: percent-encoded cookies can be used to overwrite existing prefixed cookie names
- CVE-2020-8840: jackson-databind: Lacks certain xbean-reflect/JNDI blocking
- CVE-2020-9546: jackson-databind: Serialization gadgets in shaded-hikari-config
- CVE-2020-9547: jackson-databind: Serialization gadgets in ibatis-sqlmap
- CVE-2020-9548: jackson-databind: Serialization gadgets in anteros-core
- CVE-2020-10693: hibernate-validator: Improper input validation in the interpolation of constraint error messages
- CVE-2020-10968: jackson-databind: Serialization gadgets in org.aoju.bus.proxy.provider.*.RmiProvider
- CVE-2020-10969: jackson-databind: Serialization gadgets in javax.swing.JEditorPane
- CVE-2020-11619: jackson-databind: Serialization gadgets in org.springframework:spring-aop
- CVE-2020-14061: jackson-databind: serialization in weblogic/oracle-aqjms
- CVE-2020-14062: jackson-databind: serialization in com.sun.org.apache.xalan.internal.lib.sql.JNDIConnectionPool
- CVE-2020-14195: jackson-databind: serialization in org.jsecurity.realm.jndi.JndiRealmFactory
- CVE-2020-14334: foreman: unauthorized cache read on RPM-based installations through local user
- CVE-2020-14380: Satellite: Local user impersonation by Single sign-on (SSO) user leads to account takeover