Headline
RHSA-2022:7242: Red Hat Security Advisory: Satellite 6.11.4 Async Security Update
Updated Satellite 6.11 packages that fix several bugs are now available for Red Hat Satellite.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
Related CVEs:
- CVE-2022-30122: rubygem-rack: crafted multipart POST request may cause a DoS
- CVE-2022-31163: rubygem-tzinfo: arbitrary code execution
Issued:
2022-10-27
Updated:
2022-10-27
RHSA-2022:7242 - Security Advisory
- Overview
- Updated Packages
Synopsis
Important: Satellite 6.11.4 Async Security Update
Type/Severity
Security Advisory: Important
Red Hat Insights patch analysis
Identify and remediate systems affected by this advisory.
View affected systems
Topic
Updated Satellite 6.11 packages that fix several bugs are now available for Red Hat Satellite.
Description
Red Hat Satellite is a system management solution that allows organizations to configure and maintain their systems without the necessity to provide public Internet access to their servers or other client systems. It performs provisioning and configuration management of predefined standard operating environments.
This update fixes the following bugs:
2131757 - Enhance foreman-rake katello:correct_repositories to handle Katello::Errors::CandlepinError: Unable to find content with the ID "xxxxxxxxxxx".
2131759 - RHEL 9 provisioned host goes into emergency mode after initial reboot
2131761 - hammer cannot use the cluster name or id as valid input when clusters are residing inside folders and fails with error Fog::Vsphere::Compute::NotFound error
2131763 - Running “satellite-maintain self-upgrade” on a Satellite\Capsule 6.11.1.1 fails with error “Error: ‘satellite-maintenance-6.11.2-for-rhel-8-x86_64-rpms’ does not match a valid repository ID”
2131769 - Post upgrade to 6.11.z, DHCP error with wrong number of arguments for validate_supported_address
2131771 - With every edit of an exising webhook, the value in password field disappears in Satellite 6.10/6.11/6.12
2131773 - foreman-maintain still enables ansible-2.9-for-rhel-8-x86_64-rpms repository for running an update to 6.11.z when no packages are installed from that repository
2131776 - please update to Satellite Ansible Collection 3.6.0
2131781 - ‘candlepin-validate-db’ pre-upgrade check fails with “Could not open SSL root certificate file /root/.postgresql/root.crt” error for external DB setup with SSL
2131788 - Documentation bug for the compute_resource module
2131790 - [BUG] Invalid choice for template_kind listed for os_default_template module
2132075 - CVE-2022-31163 tfm-rubygem-tzinfo: rubygem-tzinfo: arbitrary code execution [rhn_satellite_6.11]
2132076 - CVE-2022-31163 rubygem-tzinfo: rubygem-tzinfo: arbitrary code execution [rhn_satellite_6.11]
2132079 - CVE-2022-30122 rubygem-rack: crafted multipart POST request may cause a DoS [rhn_satellite_6-default]
2122205 - Package “python3-pulp_manifest” is not available in Satellite Utils repository
2132999 - Satellite cannot be installed on RHEL 8.7
CVEs
CVE-2022-30122
CVE-2022-31163
Users of Red Hat Satellite are advised to upgrade to these updated packages, which fix these bugs.
Affected Products
- Red Hat Enterprise Linux Server 7 x86_64
- Red Hat Satellite 6.11 for RHEL 8 x86_64
- Red Hat Satellite 6.11 for RHEL 7 x86_64
- Red Hat Satellite Capsule 6.11 for RHEL 8 x86_64
- Red Hat Satellite Capsule 6.11 for RHEL 7 x86_64
- Red Hat Enterprise Linux for x86_64 8 x86_64
Fixes
- BZ - 2099519 - CVE-2022-30122 rubygem-rack: crafted multipart POST request may cause a DoS
- BZ - 2110551 - CVE-2022-31163 rubygem-tzinfo: arbitrary code execution
- BZ - 2122205 - Package “python3-pulp_manifest” is not available in Satellite Utils repository
- BZ - 2131757 - Enhance foreman-rake katello:correct_repositories to handle Katello::Errors::CandlepinError: Unable to find content with the ID "xxxxxxxxxxx".
- BZ - 2131759 - RHEL 9 provisioned host goes into emergency mode after initial reboot
- BZ - 2131761 - hammer cannot use the cluster name or id as valid input when clusters are residing inside folders and fails with error Fog::Vsphere::Compute::NotFound error
- BZ - 2131763 - Running “satellite-maintain self-upgrade” on a Satellite\Capsule 6.11.1.1 fails with error “Error: ‘satellite-maintenance-6.11.2-for-rhel-8-x86_64-rpms’ does not match a valid repository ID”
- BZ - 2131769 - Post upgrade to 6.11.z, DHCP error with wrong number of arguments for validate_supported_address
- BZ - 2131771 - With every edit of an exising webhook, the value in password field disappears in Satellite 6.10/6.11/6.12
- BZ - 2131773 - foreman-maintain still enables ansible-2.9-for-rhel-8-x86_64-rpms repository for running an update to 6.11.z when no packages are installed from that repository
- BZ - 2131776 - please update to Satellite Ansible Collection 3.6.0
- BZ - 2131781 - ‘candlepin-validate-db’ pre-upgrade check fails with “Could not open SSL root certificate file /root/.postgresql/root.crt” error for external DB setup with SSL
- BZ - 2131788 - Documentation bug for the compute_resource module
- BZ - 2131790 - [BUG] Invalid choice for template_kind listed for os_default_template module
- BZ - 2132999 - Satellite can not be installed on RHEL 8.7
The Red Hat security contact is [email protected]. More contact details at https://access.redhat.com/security/team/contact/.
Related news
Ubuntu Security Notice 7036-1 - It was discovered that Rack was not properly parsing data when processing multipart POST requests. If a user or automated system were tricked into sending a specially crafted multipart POST request to an application using Rack, a remote attacker could possibly use this issue to cause a denial of service. It was discovered that Rack was not properly escaping untrusted data when performing logging operations, which could cause shell escaped sequences to be written to a terminal. If a user or automated system were tricked into sending a specially crafted request to an application using Rack, a remote attacker could possibly use this issue to execute arbitrary code in the machine running the application.
Gentoo Linux Security Advisory 202310-18 - Multiple vulnerabilities have been discovered in Rack, the worst of which can lead to sequence injection in logging components. Versions greater than or equal to 2.2.3.1 are affected.
Debian Linux Security Advisory 5530-1 - Several vulnerabilities were discovered in ruby-rack, a modular Ruby webserver interface, which may result in denial of service and shell escape sequence injection.
Red Hat Security Advisory 2023-2097-03 - Red Hat Satellite is a systems management tool for Linux-based infrastructure. It allows for provisioning, remote management, and monitoring of multiple Linux deployments with a single centralized tool. Issues addressed include code execution, cross site scripting, denial of service, deserialization, improper neutralization, information leakage, and remote shell upload vulnerabilities.
Red Hat Security Advisory 2023-1486-01 - Grafana is an open source, feature rich metrics dashboard and graph editor for Graphite, InfluxDB & OpenTSDB. Django is a high-level Python Web framework that encourages rapid development and a clean, pragmatic design. It focuses on automating as much as possible and adhering to the DRY principle. Ruby is an extensible, interpreted, object-oriented, scripting language. It has features to process text files and to perform system management tasks. Issues addressed include HTTP request smuggling, code execution, and denial of service vulnerabilities.
Ubuntu Security Notice 5896-1 - It was discovered that Rack was not properly parsing data when processing multipart POST requests. If a user or automated system were tricked into sending a specially crafted multipart POST request to an application using Rack, a remote attacker could possibly use this issue to cause a denial of service. It was discovered that Rack was not properly escaping untrusted data when performing logging operations, which could cause shell escaped sequences to be written to a terminal. If a user or automated system were tricked into sending a specially crafted request to an application using Rack, a remote attacker could possibly use this issue to execute arbitrary code in the machine running the application.
A possible denial of service vulnerability exists in Rack <2.0.9.1, <2.1.4.1 and <2.2.3.1 in the multipart parsing component of Rack.
Arvados is an open source platform for managing, processing, and sharing genomic and other large scientific and biomedical data. A remote code execution (RCE) vulnerability in the Arvados Workbench allows authenticated attackers to execute arbitrary code via specially crafted JSON payloads. This exists in all versions up to 2.4.1 and is fixed in 2.4.2. This vulnerability is specific to the Ruby on Rails Workbench application (“Workbench 1”). We do not believe any other Arvados components, including the TypesScript browser-based Workbench application (“Workbench 2”) or API Server, are vulnerable to this attack. For versions of Arvados earlier than 2.4.2: remove the Ruby-based "Workbench 1" app ("apt-get remove arvados-workbench") from your installation as a workaround.
TZInfo is a Ruby library that provides access to time zone data and allows times to be converted using time zone rules. Versions prior to 0.36.1, as well as those prior to 1.2.10 when used with the Ruby data source tzinfo-data, are vulnerable to relative path traversal. With the Ruby data source, time zones are defined in Ruby files. There is one file per time zone. Time zone files are loaded with `require` on demand. In the affected versions, `TZInfo::Timezone.get` fails to validate time zone identifiers correctly, allowing a new line character within the identifier. With Ruby version 1.9.3 and later, `TZInfo::Timezone.get` can be made to load unintended files with `require`, executing them within the Ruby process. Versions 0.3.61 and 1.2.10 include fixes to correctly validate time zone identifiers. Versions 2.0.0 and later are not vulnerable. Version 0.3.61 can still load arbitrary files from the Ruby load path if their name follows the rules for a valid time zone identifier and the ...
### Impact #### Affected versions - 0.3.60 and earlier. - 1.0.0 to 1.2.9 when used with the Ruby data source (tzinfo-data). #### Vulnerability With the Ruby data source (the tzinfo-data gem for tzinfo version 1.0.0 and later and built-in to earlier versions), time zones are defined in Ruby files. There is one file per time zone. Time zone files are loaded with `require` on demand. In the affected versions, `TZInfo::Timezone.get` fails to validate time zone identifiers correctly, allowing a new line character within the identifier. With Ruby version 1.9.3 and later, `TZInfo::Timezone.get` can be made to load unintended files with `require`, executing them within the Ruby process. For example, with version 1.2.9, you can run the following to load a file with path `/tmp/payload.rb`: ```ruby TZInfo::Timezone.get("foo\n/../../../../../../../../../../../../../../../../tmp/payload") ``` The exact number of parent directory traversals needed will vary depending on the location of t...
There is a possible denial of service vulnerability in the multipart parsing component of Rack. This vulnerability has been assigned the CVE identifier CVE-2022-30122. Versions Affected: >= 1.2 Not affected: < 1.2 Fixed Versions: 2.0.9.1, 2.1.4.1, 2.2.3.1 ## Impact Carefully crafted multipart POST requests can cause Rack's multipart parser to take much longer than expected, leading to a possible denial of service vulnerability. Impacted code will use Rack's multipart parser to parse multipart posts. This includes directly using the multipart parser like this: ``` params = Rack::Multipart.parse_multipart(env) ``` But it also includes reading POST data from a Rack request object like this: ``` p request.POST # read POST data p request.params # reads both query params and POST data ``` All users running an affected release should either upgrade or use one of the workarounds immediately. ## Workarounds There are no feasible workarounds for this issue.