-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2012.0315
               Moderate: rhevm security and bug fix update
                               27 March 2012

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           rhevm
Publisher:         Red Hat
Operating System:  Red Hat
Impact/Access:     Access Privileged Data -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2012-0818

Original Bulletin:
   https://rhn.redhat.com/errata/RHSA-2012-0421.html

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: rhevm security and bug fix update
Advisory ID:       RHSA-2012:0421-01
Product:           Red Hat Enterprise Virtualization
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2012-0421.html
Issue date:        2012-03-26
CVE Names:         CVE-2012-0818
=====================================================================

1. Summary:

Updated rhevm packages that fix one security issue and various bugs are now
available.

The Red Hat Security Response Team has rated this update as having moderate
security impact. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available from the CVE link in
the References section.

2. Relevant releases/architectures:

RHEV-M for Servers - x86_64

3. Description:

Red Hat Enterprise Virtualization Manager is a visual tool for centrally
managing collections of virtual machines running Red Hat Enterprise Linux
and Microsoft Windows.
These packages also include the Red Hat Enterprise Virtualization Manager
REST (Representational State Transfer) API, a set of scriptable commands
that give administrators the ability to perform queries and operations on
Red Hat Enterprise Virtualization Manager.

It was found that RESTEasy was vulnerable to XML External Entity (XXE)
attacks. If a remote attacker who is able to access the Red Hat Enterprise
Virtualization Manager REST API submitted a request containing an external
XML entity to a RESTEasy endpoint, the entity would be resolved, allowing
the attacker to read files accessible to the user running the application
server. This flaw affected DOM (Document Object Model) Document and JAXB
(Java Architecture for XML Binding) input. (CVE-2012-0818)

This update also fixes the following bugs:

* Previously the REST API was ignoring the "Accept" header. This made it
impossible to retrieve detailed information about specific sub-collections,
including hosts and disks. The REST API has been updated and now processes
the "Accept" header as originally intended. (BZ#771369)

* The "start_time" Virtual Machine property was previously always set. This
meant that even Virtual Machines that were stopped had a value for
"start_time". An update has been made to ensure that the "start_time"
property is only set when the Virtual Machine has been started, and is
running. (BZ#772975)

* The 'rhevm-setup' script previously only ran successfully on systems with
their locale set to 'en_US.UTF-8', 'en_US.utf-8', or 'en_US.utf8'. The
script has since been updated to also run successfully in additional
locales, including 'ja_JP.UTF-8'. (BZ#784860)

* The REST API did not previously validate that all required parameters
were provided when enabling power management. The response code returned
would also incorrectly indicate the operation had succeeded where mandatory
parameters were not supplied.
An update has been made to ensure that the power management parameters are
validated correctly. (BZ#785744)

* Previously no warning or error was issued when the amount of free disk
space on a host was low. When no free disk space remained on the host it
would become non-responsive with no prior warning. An update has been made
to report a warning in the audit log when a host's free disk space is less
than 1000 MB, and an error when a host's free disk space is less than 500
MB. (BZ#786132)

* When importing Virtual Machines no notification was provided if the MAC
address of the network interface card clashed with that of an existing
Virtual Machine. Now when this occurs a message is printed to the audit
log, highlighting the need for manual intervention. (BZ#795416)

* Previously it was not possible to set more, or less, than one value for
SpiceSecureChannels using the rhevm-config tool. This meant it was not
possible to encrypt all SPICE channels. The rhevm-config tool has been
updated and it is now possible to encrypt all SPICE channels, by adding
them to the SpiceSecureChannels configuration key. (BZ#784012)

All Red Hat Enterprise Virtualization users are advised to upgrade to these
updated packages, which address this vulnerability and fix these bugs.
Refer to the Solution section for information about installing this
update.

4. Solution:

Before applying this update, make sure all previously-released errata
relevant to your system have been applied.

This update is available via the Red Hat Network. Follow the upgrade
procedure in the Red Hat Enterprise Virtualization Installation Guide to
install these updated packages:

http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Virtualization/3.0/html/Installation_Guide/chap-Installation_Guide-Installing_the_RHEV_Manager-Upgrades.html

5. Bugs fixed (http://bugzilla.redhat.com/):

785631 - CVE-2012-0818 RESTEasy: XML eXternal Entity (XXE) flaw

6. Package List:

RHEV-M for Servers:

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/RHEV/SRPMS/rhevm-3.0.3_0001-3.el6.src.rpm

x86_64:
rhevm-3.0.3_0001-3.el6.x86_64.rpm
rhevm-backend-3.0.3_0001-3.el6.x86_64.rpm
rhevm-config-3.0.3_0001-3.el6.x86_64.rpm
rhevm-dbscripts-3.0.3_0001-3.el6.x86_64.rpm
rhevm-debuginfo-3.0.3_0001-3.el6.x86_64.rpm
rhevm-genericapi-3.0.3_0001-3.el6.x86_64.rpm
rhevm-iso-uploader-3.0.3_0001-3.el6.x86_64.rpm
rhevm-jboss-deps-3.0.3_0001-3.el6.x86_64.rpm
rhevm-log-collector-3.0.3_0001-3.el6.x86_64.rpm
rhevm-notification-service-3.0.3_0001-3.el6.x86_64.rpm
rhevm-restapi-3.0.3_0001-3.el6.x86_64.rpm
rhevm-setup-3.0.3_0001-3.el6.x86_64.rpm
rhevm-tools-common-3.0.3_0001-3.el6.x86_64.rpm
rhevm-userportal-3.0.3_0001-3.el6.x86_64.rpm
rhevm-webadmin-portal-3.0.3_0001-3.el6.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/#package

7. References:

https://www.redhat.com/security/data/cve/CVE-2012-0818.html
https://access.redhat.com/security/updates/classification/#moderate
http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Virtualization/3.0/html/Installation_Guide/chap-Installation_Guide-Installing_the_RHEV_Manager-Upgrades.html

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2012 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFPcIu9XlSAg2UNWIIRAncsAJ9B7Jyw49kqs90XhnHrxk27IeTgzQCfThJK
AEh85Iy3CUzWanOyYNwsLnI=
=aN3C
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT.
The mailing list you are subscribed to is maintained within your
organisation, so if you do not wish to continue receiving these bulletins
you should contact your local IT manager. If you do not know who that is,
please send an email to auscert@auscert.org.au and we will forward your
request to the appropriate person.

NOTE: Third Party Rights

This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your
organisation's site policies and procedures. AusCERT takes no
responsibility for consequences which may arise from following or acting on
information or advice contained in this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at a
later date, it is recommended that the bulletin is retrieved directly from
the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
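The RESTEasy flaw in the advisory above (CVE-2012-0818) affected DOM Document and JAXB input. As an added example, not Red Hat's or RESTEasy's code, the block below shows how an application that accepts those two input kinds configures the standard JDK parsers so that an external entity in a request body is never resolved; it assumes JAXB (javax.xml.bind) is on the classpath, as it was on the Java 6/7 stacks of that era, and the SAMPLE request and its file path are constructed placeholders.

```java
import java.io.StringReader;
import javax.xml.bind.JAXBContext;
import javax.xml.bind.annotation.XmlRootElement;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.stream.XMLInputFactory;
import javax.xml.stream.XMLStreamReader;
import org.xml.sax.InputSource;
import org.xml.sax.SAXParseException;
public class XxeHardening {
    // Constructed sample request: declares an external entity with a placeholder path.
    static final String SAMPLE = "<?xml version=\"1.0\"?>\n"
        + "<!DOCTYPE vm [<!ENTITY ext SYSTEM \"file:///PLACEHOLDER/path\">]>\n"
        + "<vm><name>&ext;</name></vm>";
    @XmlRootElement(name = "vm")
    public static class Vm { public String name; }
    // DOM input: refuse any DOCTYPE and disable both kinds of external entity.
    static DocumentBuilderFactory hardenedDomFactory() throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f;
    }
    // JAXB input: hand the unmarshaller a StAX reader that resolves no entities and accepts no DTD.
    static XMLInputFactory hardenedStaxFactory() {
        XMLInputFactory xif = XMLInputFactory.newInstance();
        xif.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false);
        xif.setProperty(XMLInputFactory.SUPPORT_DTD, false);
        return xif;
    }
    // True if the hardened DOM parser accepted the input; a DOCTYPE is rejected outright.
    static boolean domAccepts(String xml) throws Exception {
        try {
            hardenedDomFactory().newDocumentBuilder().parse(new InputSource(new StringReader(xml)));
            return true;
        } catch (SAXParseException e) { return false; }
    }
    // True if JAXB unmarshalled the input; the DTD is refused or the entity stays unresolved.
    static boolean jaxbAccepts(String xml) throws Exception {
        try {
            XMLStreamReader r = hardenedStaxFactory().createXMLStreamReader(new StringReader(xml));
            JAXBContext.newInstance(Vm.class).createUnmarshaller().unmarshal(r);
            return true;
        } catch (Exception e) { return false; }
    }
    public static void main(String[] args) throws Exception {
        System.out.println("DOM: " + domAccepts(SAMPLE) + "  JAXB: " + jaxbAccepts(SAMPLE));
    }
}
```

Both paths reject the constructed request before the placeholder file is opened; the same factories accept a well-formed request without a DOCTYPE.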