manzier.pxt in Red Hat Network Satellite Server before 5.1.1 has a hard-coded authentication key, which allows remote attackers to connect to the server and obtain sensitive information about user accounts and entitlements.

Skip to navigation Skip to main content

**Utilities**

*   Subscriptions
*   Downloads
*   Containers
*   Support Cases

![Red Hat Customer Portal](https://access.redhat.com/chrome_themes/nimbus/img/red-hat-customer-portal.svg)

**Infrastructure and Management**

*   Red Hat Enterprise Linux
*   Red Hat Virtualization
*   Red Hat Identity Management
*   Red Hat Directory Server
*   Red Hat Certificate System
*   Red Hat Satellite
*   Red Hat Subscription Management
*   Red Hat Update Infrastructure
*   Red Hat Insights
*   Red Hat Ansible Automation Platform

**Cloud Computing**

*   Red Hat OpenShift
*   Red Hat CloudForms
*   Red Hat OpenStack Platform
*   Red Hat OpenShift Container Platform
*   Red Hat OpenShift Data Science
*   Red Hat OpenShift Online
*   Red Hat OpenShift Dedicated
*   Red Hat Advanced Cluster Security for Kubernetes
*   Red Hat Advanced Cluster Management for Kubernetes
*   Red Hat Quay
*   Red Hat CodeReady Workspaces
*   Red Hat OpenShift Service on AWS

**Storage**

*   Red Hat Gluster Storage
*   Red Hat Hyperconverged Infrastructure
*   Red Hat Ceph Storage
*   Red Hat OpenShift Data Foundation

**Runtimes**

*   Red Hat Runtimes
*   Red Hat JBoss Enterprise Application Platform
*   Red Hat Data Grid
*   Red Hat JBoss Web Server
*   Red Hat Single Sign On
*   Red Hat support for Spring Boot
*   Red Hat build of Node.js
*   Red Hat build of Thorntail
*   Red Hat build of Eclipse Vert.x
*   Red Hat build of OpenJDK
*   Red Hat build of Quarkus
*   Red Hat CodeReady Studio

**Integration and Automation**

*   Red Hat Process Automation
*   Red Hat Process Automation Manager
*   Red Hat Decision Manager

All Products

Issued:

2008-08-13

Updated:

2008-08-13

**RHSA-2008:0630 - Security Advisory**

*   Overview
*   Updated Packages

**Synopsis**

Low: Red Hat Network Satellite Server security update

**Type/Severity**

Security Advisory: Low

**Topic**

Red Hat Network Satellite Server version 5.1.1 is now available. This  
update includes fixes for a number of security issues in Red Hat Network  
Satellite Server components.  

This update has been rated as having low security impact by the Red Hat  
Security Response Team.

**Description**

During an internal security audit, it was discovered that Red Hat Network  
Satellite Server shipped with an XML-RPC script, manzier.pxt, which had a  
single hard-coded authentication key. A remote attacker who is able to  
connect to the Satellite Server XML-RPC service could use this flaw to  
obtain limited information about Satellite Server users, such as login  
names, associated email addresses, internal user IDs, and partial  
information about entitlements. (CVE-2008-2369)  

This release also corrects several security vulnerabilities in various  
components shipped as part of Red Hat Network Satellite Server 5.1. In a  
typical operating environment, these components are not exposed to users  
of Satellite Server in a vulnerable manner. These security updates will  
reduce risk in unique Satellite Server environments.  

A denial-of-service flaw was fixed in mod\_perl. (CVE-2007-1349)  

Multiple cross-site scripting flaws were fixed in the image map feature in  
the JFreeChart package. (CVE-2007-6306)  

A flaw which could result in weak encryption was fixed in the  
perl-Crypt-CBC package. (CVE-2006-0898)  

Multiple flaws were fixed in the Apache Tomcat package. (CVE-2005-4838,  
CVE-2006-0254, CVE-2007-1355, CVE-2007-1358, CVE-2007-2449, CVE-2007-5461,  
CVE-2008-0128)  

Users of Red Hat Network Satellite Server 5.1 are advised to upgrade to  
5.1.1, which resolves these issues.

**Affected Products**

*   Red Hat Network Satellite 5.1 (for RHEL Mainframe) 5.1 s390x
*   Red Hat Network Satellite 5.1 (for RHEL Mainframe) 5.1 s390
*   Red Hat Network Satellite 5.1 (for RHEL Server) 5.1 x86\_64
*   Red Hat Network Satellite 5.1 (for RHEL Server) 5.1 i386

**Fixes**

*   BZ - 238401 - CVE-2005-4838 tomcat manager example DoS
*   BZ - 240423 - CVE-2007-1349 mod\_perl PerlRun denial of service
*   BZ - 244803 - CVE-2007-1358 tomcat accept-language xss flaw
*   BZ - 244804 - CVE-2007-2449 tomcat examples jsp XSS
*   BZ - 253166 - CVE-2007-1355 tomcat XSS in samples
*   BZ - 333791 - CVE-2007-5461 Absolute path traversal Apache Tomcat WEBDAV
*   BZ - 421081 - CVE-2007-6306 JFreeChart: XSS vulnerabilities in the image map feature
*   BZ - 429821 - CVE-2008-0128 tomcat5 SSO cookie login information disclosure
*   BZ - 430522 - CVE-2006-0898 perl-Crypt-CBC weaker encryption with some ciphers
*   BZ - 430646 - CVE-2006-0254 tomcat examples XSS
*   BZ - 452461 - CVE-2008-2369 RHN Satellite: information disclosure via manzier.pxt RPC script

**CVEs**

*   CVE-2008-2369
*   CVE-2006-0898
*   CVE-2008-0128
*   CVE-2007-1355
*   CVE-2007-6306
*   CVE-2007-5461
*   CVE-2007-2449
*   CVE-2007-1358
*   CVE-2007-1349
*   CVE-2005-4838
*   CVE-2006-0254

**Red Hat Network Satellite 5.1 (for RHEL Mainframe) 5.1**

SRPM

s390x

s390

**Red Hat Network Satellite 5.1 (for RHEL Server) 5.1**

SRPM

x86\_64

i386

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.

CVE-2008-2369: Red Hat Customer Portal - Access to 24x7 support and knowledge

PerlRun.pm in Apache mod_perl before 1.30, and RegistryCooker.pm in mod_perl 2.x, does not properly escape PATH_INFO before use in a regular expression, which allows remote attackers to cause a denial of service (resource consumption) via a crafted URI.

**Evolve with confidence.**

We’re on a mission to bring the power of the cloud to more Canadian businesses through design, migration, and 24×7 managed cloud services. All together, in one place.

**A worthwhile journey.**

Done right, your cloud strategy will drive evolution and growth for your business. Our experienced and highly-certified multi-cloud experts will help you design the right public, private or hybrid cloud for your business.

**Keep your data safe.**

We’re trusted by governments and businesses with complex performance, compliance and privacy requirements.

**Planning your cloud transformation can be a complex undertaking. Whether you’re interested in big data, Kubernetes enablement, application modernization or security, Cloud Launchpad will get you there faster.**

**Managed Cloud**

Our enterprise managed cloud services will give you 24×7 peace of mind, with full support to ensure your mission critical data is safe, and your cloud services remain secure, compliant, agile, reliable – and fast.

**Industries**

Our expertise and experience in Finance, Healthcare, Public Sector and Technology allows us to confidently navigate complex regulatory and security requirements. We’ve seen it all, and we know how to handle it.

**Deep qualifications, talent and capabilities:**

**The Carbon60 Difference**

At Carbon60, we’ve led by doing. With deep roots in managed services, and award-winning, standard-setting strategic consulting, we offer end-to-end multi-cloud design, migration and management to help more Canadian companies operate successfully in the cloud. That’s our mission, and we’re proud to be trusted by our customers to do it every day.

![](https://www.carbon60.com/wp-content/uploads/2021/10/alternate-portrait-headshot-768x787-3.webp)

**Related resources and insights**

Tag

#kubernetes