SB2016122102 - Multiple vulnerabilities in Red Hat Satellite
Published: December 21, 2016
Security Bulletin ID
SB2016122102
Severity
Low
Patch available
YES
Number of vulnerabilities
2
Exploitation vector
Local access
Highest impact
Code execution
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 2 secuirty vulnerabilities.
1) Information disclosure (CVE-ID: CVE-2016-9593)
The vulnerability allows a local attacker to obtain potentially sensitive information.
The vulnerability exists in the foreman-debug's logging due to improper security restrictions. A local attacker with access to the foreman log file can view passwords that allow to access those systems.
2) Improper access control (CVE-ID: CVE-2016-9595)
The vulnerability allows a local attacker to launch a symlink attack on the target system.The weakness exists in the katello-debug due to insecure usage of temporary files by certain scripts and log files. A local attacker can create a symbolic link from a temporary file to various files on the system, bypass local access protections to overwrite the contents of arbitrary files.
Remediation
Install update from vendor's website.