SB2022042715 - Multiple vulnerabilities in convert2rhel

Description

This security bulletin contains information about 2 vulnerabilities.

1) Insufficiently protected credentials (CVE-ID: CVE-2022-0852)

The vulnerability allows a local user to gain access to sensitive information.

The vulnerability exists due to the convert2rhel passes the Red Hat account password to subscription-manager via the command line. A local user with ability to view process list can obtain the Red Hat account password and gain unauthorized access to the victim's Red Hat account.

2) Information disclosure (CVE-ID: CVE-2022-1662)

The vulnerability allows a local user to gain access to potentially sensitive information.

The vulnerability exists due to excessive data output by the application in Ansible playbook. A local user can gain unauthorized access to sensitive information on the system.

Remediation

Install update from vendor's website.

References

• https://bugzilla.redhat.com/show_bug.cgi?id=2060129
• https://github.com/oamg/convert2rhel/blob/main/convert2rhel/subscription.py#L156
• https://access.redhat.com/errata/RHSA-2022:1599
• https://github.com/oamg/convert2rhel/releases/tag/v0.26