RHEL 6 : Satellite Server (RHSA-2015:0033)

low Nessus Plugin ID 80505

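Synopsis

The remote Red Hat host is missing one or more security updates.

Description

Red Hat Satellite 5.7.0 is now available. Updated packages that fix two security issues, several bugs, and add various enhancements are now available for Red Hat Satellite 5.

Red Hat Product Security has rated this update as having Moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

Red Hat Satellite provides a solution to organizations that require complete control over, and privacy of, the maintenance and package deployment of their servers. It allows organizations to use the benefits of Red Hat Network (RHN) without having to provide public Internet access to their servers or other client systems.

This update introduces Red Hat Satellite 5.7.0. For the full list of new features included in this release, see the Release Notes document at: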

https://access.redhat.com/documentation/en-US/Red_Hat_Satellite/5.7/

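Note: Red Hat Satellite 5.7 and Red Hat Satellite Proxy 5.7 can be installed on Red Hat Enterprise Linux Server 6. For full details, including supported architecture combinations, refer to the Red Hat Satellite 5.7 Installation Guide.

This update fixes the following security issues:

Multiple stored cross-site scripting (XSS) flaws were found in the handling of XML data passed to Satellite via the REST API. A remote, authenticated attacker could send a specially crafted request to Satellite and embed HTML content into the stored data, thereby injecting malicious content into the web page that users use to view that data. (CVE-2014-7811)

A stored cross-site scripting (XSS) flaw was found in the System Groups field. A remote, authenticated attacker could send a specially crafted request to Satellite and embed HTML content into the stored data, thereby injecting malicious content into the web page that users use to view that data. (CVE-2014-7812)

Red Hat would like to thank Mickaël Gallier for reporting these issues.

All users of Red Hat Satellite are advised to install this newly released version.

Solution

Update the affected packages.

See Also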

https://access.redhat.com/errata/RHSA-2015:0033

https://access.redhat.com/security/cve/cve-2014-7811

https://access.redhat.com/security/cve/cve-2014-7812

Plugin Details

Severity: Low

ID: 80505

File Name: redhat-RHSA-2015-0033.nasl

Version: 1.13

Type: local

Agent: unix

Published: 2015/1/14

Updated: 2021/2/5

Supported Sensors: Frictionless Assessment AWS, Frictionless Assessment Azure, Frictionless Assessment Agent, Nessus Agent, Agentless Assessment, Nessus

Risk Information

VPR

Risk Factor: Low

Score: 3.0

CVSS v2

Risk Factor: Low

Base Score: 3.5

Temporal Score: 3

Vector: CVSS2#AV:N/AC:M/Au:S/C:N/I:P/A:N

Vulnerability Information

CPE: p-cpe:/a:redhat:enterprise_linux:jakarta-commons-validator, p-cpe:/a:redhat:enterprise_linux:jakarta-oro, p-cpe:/a:redhat:enterprise_linux:jakarta-taglibs-standard, p-cpe:/a:redhat:enterprise_linux:java-1.6.0-ibm, p-cpe:/a:redhat:enterprise_linux:java-1.6.0-ibm-devel, p-cpe:/a:redhat:enterprise_linux:javassist, p-cpe:/a:redhat:enterprise_linux:jboss-javaee-poms, p-cpe:/a:redhat:enterprise_linux:jboss-transaction-1.0.1-api, p-cpe:/a:redhat:enterprise_linux:jcommon, p-cpe:/a:redhat:enterprise_linux:jdom, p-cpe:/a:redhat:enterprise_linux:jfreechart, p-cpe:/a:redhat:enterprise_linux:jpam, p-cpe:/a:redhat:enterprise_linux:jquery-timepicker, p-cpe:/a:redhat:enterprise_linux:messagequeue, p-cpe:/a:redhat:enterprise_linux:nocpulseplugins, p-cpe:/a:redhat:enterprise_linux:nocpulseplugins-oracle, p-cpe:/a:redhat:enterprise_linux:npalert, p-cpe:/a:redhat:enterprise_linux:progagogo, p-cpe:/a:redhat:enterprise_linux:pyyaml, p-cpe:/a:redhat:enterprise_linux:snmpalerts, p-cpe:/a:redhat:enterprise_linux:satconfig-bootstrap, p-cpe:/a:redhat:enterprise_linux:satconfig-bootstrap-server, p-cpe:/a:redhat:enterprise_linux:satconfig-cluster, p-cpe:/a:redhat:enterprise_linux:satconfig-general, p-cpe:/a:redhat:enterprise_linux:satconfig-generator, p-cpe:/a:redhat:enterprise_linux:satconfig-installer, p-cpe:/a:redhat:enterprise_linux:satconfig-spread, p-cpe:/a:redhat:enterprise_linux:sputlite-client, p-cpe:/a:redhat:enterprise_linux:sputlite-server, p-cpe:/a:redhat:enterprise_linux:ace-editor, p-cpe:/a:redhat:enterprise_linux:antlr, p-cpe:/a:redhat:enterprise_linux:apache-commons-beanutils, p-cpe:/a:redhat:enterprise_linux:apache-commons-cli, p-cpe:/a:redhat:enterprise_linux:bootstrap, p-cpe:/a:redhat:enterprise_linux:bootstrap-datepicker, p-cpe:/a:redhat:enterprise_linux:c3p0, p-cpe:/a:redhat:enterprise_linux:cglib, p-cpe:/a:redhat:enterprise_linux:cobbler, p-cpe:/a:redhat:enterprise_linux:cobbler-loaders, p-cpe:/a:redhat:enterprise_linux:concurrent, 
p-cpe:/a:redhat:enterprise_linux:cx_oracle, p-cpe:/a:redhat:enterprise_linux:dojo, p-cpe:/a:redhat:enterprise_linux:dom4j, p-cpe:/a:redhat:enterprise_linux:dwr, p-cpe:/a:redhat:enterprise_linux:editarea, p-cpe:/a:redhat:enterprise_linux:jquery-ui, p-cpe:/a:redhat:enterprise_linux:libapreq2, p-cpe:/a:redhat:enterprise_linux:libgsasl, p-cpe:/a:redhat:enterprise_linux:libntlm, p-cpe:/a:redhat:enterprise_linux:libreadline-java, p-cpe:/a:redhat:enterprise_linux:libyaml, p-cpe:/a:redhat:enterprise_linux:momentjs, p-cpe:/a:redhat:enterprise_linux:nocpulse-common, p-cpe:/a:redhat:enterprise_linux:nocpulse-db-perl, p-cpe:/a:redhat:enterprise_linux:nutch, p-cpe:/a:redhat:enterprise_linux:objectweb-asm, p-cpe:/a:redhat:enterprise_linux:oracle-config, p-cpe:/a:redhat:enterprise_linux:oracle-instantclient-basic, p-cpe:/a:redhat:enterprise_linux:oracle-instantclient-selinux, p-cpe:/a:redhat:enterprise_linux:oracle-instantclient-sqlplus, p-cpe:/a:redhat:enterprise_linux:oracle-instantclient-sqlplus-selinux, p-cpe:/a:redhat:enterprise_linux:oracle-nofcontext-selinux, p-cpe:/a:redhat:enterprise_linux:osa-dispatcher, p-cpe:/a:redhat:enterprise_linux:osa-dispatcher-selinux, p-cpe:/a:redhat:enterprise_linux:oscache, p-cpe:/a:redhat:enterprise_linux:patternfly1, p-cpe:/a:redhat:enterprise_linux:perl-apache-dbi, p-cpe:/a:redhat:enterprise_linux:perl-berkeleydb, p-cpe:/a:redhat:enterprise_linux:perl-cache-cache, p-cpe:/a:redhat:enterprise_linux:perl-class-methodmaker, p-cpe:/a:redhat:enterprise_linux:perl-class-singleton, p-cpe:/a:redhat:enterprise_linux:perl-config-inifiles, p-cpe:/a:redhat:enterprise_linux:perl-convert-binhex, p-cpe:/a:redhat:enterprise_linux:perl-crypt-des, p-cpe:/a:redhat:enterprise_linux:perl-crypt-generatepassword, p-cpe:/a:redhat:enterprise_linux:eventreceivers, p-cpe:/a:redhat:enterprise_linux:font-awesome, p-cpe:/a:redhat:enterprise_linux:glassfish-jsf, p-cpe:/a:redhat:enterprise_linux:hibernate3, p-cpe:/a:redhat:enterprise_linux:jabberd, 
p-cpe:/a:redhat:enterprise_linux:jabberpy, p-cpe:/a:redhat:enterprise_linux:jakarta-commons-chain, p-cpe:/a:redhat:enterprise_linux:jakarta-commons-codec, p-cpe:/a:redhat:enterprise_linux:jakarta-commons-digester, p-cpe:/a:redhat:enterprise_linux:jakarta-commons-el, p-cpe:/a:redhat:enterprise_linux:jakarta-commons-fileupload, p-cpe:/a:redhat:enterprise_linux:jakarta-commons-io, p-cpe:/a:redhat:enterprise_linux:jakarta-commons-lang, p-cpe:/a:redhat:enterprise_linux:jakarta-commons-logging, p-cpe:/a:redhat:enterprise_linux:jakarta-commons-logging-jboss, p-cpe:/a:redhat:enterprise_linux:jakarta-commons-parent, p-cpe:/a:redhat:enterprise_linux:perl-email-date-format, p-cpe:/a:redhat:enterprise_linux:perl-filesys-df, p-cpe:/a:redhat:enterprise_linux:perl-html-tableextract, p-cpe:/a:redhat:enterprise_linux:perl-io-stringy, p-cpe:/a:redhat:enterprise_linux:perl-ipc-sharelite, p-cpe:/a:redhat:enterprise_linux:perl-list-moreutils, p-cpe:/a:redhat:enterprise_linux:perl-mime-lite, p-cpe:/a:redhat:enterprise_linux:perl-mime-types, p-cpe:/a:redhat:enterprise_linux:perl-mime-tools, p-cpe:/a:redhat:enterprise_linux:perl-mail-rfc822-address, p-cpe:/a:redhat:enterprise_linux:perl-nocpulse-clac, p-cpe:/a:redhat:enterprise_linux:perl-nocpulse-debug, p-cpe:/a:redhat:enterprise_linux:perl-nocpulse-gritch, p-cpe:/a:redhat:enterprise_linux:perl-nocpulse-object, p-cpe:/a:redhat:enterprise_linux:perl-nocpulse-oracledb, p-cpe:/a:redhat:enterprise_linux:perl-nocpulse-persistentconnection, p-cpe:/a:redhat:enterprise_linux:perl-nocpulse-probe, p-cpe:/a:redhat:enterprise_linux:perl-nocpulse-probe-oracle, p-cpe:/a:redhat:enterprise_linux:perl-nocpulse-processpool, p-cpe:/a:redhat:enterprise_linux:perl-nocpulse-scheduler, p-cpe:/a:redhat:enterprise_linux:perl-nocpulse-setid, p-cpe:/a:redhat:enterprise_linux:perl-nocpulse-utils, p-cpe:/a:redhat:enterprise_linux:perl-net-inet6glue, p-cpe:/a:redhat:enterprise_linux:perl-net-ipv4addr, p-cpe:/a:redhat:enterprise_linux:perl-net-snmp, 
p-cpe:/a:redhat:enterprise_linux:perl-params-validate, p-cpe:/a:redhat:enterprise_linux:perl-soap-lite, p-cpe:/a:redhat:enterprise_linux:perl-satcon, p-cpe:/a:redhat:enterprise_linux:perl-termreadkey, p-cpe:/a:redhat:enterprise_linux:perl-xml-generator, p-cpe:/a:redhat:enterprise_linux:perl-libapreq2, p-cpe:/a:redhat:enterprise_linux:postgresql92-postgresql, p-cpe:/a:redhat:enterprise_linux:postgresql92-postgresql-contrib, p-cpe:/a:redhat:enterprise_linux:postgresql92-postgresql-libs, p-cpe:/a:redhat:enterprise_linux:postgresql92-postgresql-pltcl, p-cpe:/a:redhat:enterprise_linux:postgresql92-postgresql-server, p-cpe:/a:redhat:enterprise_linux:postgresql92-postgresql-upgrade, p-cpe:/a:redhat:enterprise_linux:postgresql92-runtime, p-cpe:/a:redhat:enterprise_linux:pwstrength-bootstrap, p-cpe:/a:redhat:enterprise_linux:python-debian, p-cpe:/a:redhat:enterprise_linux:python-gzipstream, p-cpe:/a:redhat:enterprise_linux:python-psycopg2, p-cpe:/a:redhat:enterprise_linux:quartz, p-cpe:/a:redhat:enterprise_linux:quartz-oracle, p-cpe:/a:redhat:enterprise_linux:redstone-xmlrpc, p-cpe:/a:redhat:enterprise_linux:rhn-i18n-guides, p-cpe:/a:redhat:enterprise_linux:rhn-i18n-release-notes, p-cpe:/a:redhat:enterprise_linux:rhn-solaris-bootstrap, p-cpe:/a:redhat:enterprise_linux:rhn_solaris_bootstrap_5_4_1_9, p-cpe:/a:redhat:enterprise_linux:rhnlib, p-cpe:/a:redhat:enterprise_linux:rhnpush, p-cpe:/a:redhat:enterprise_linux:roboto, p-cpe:/a:redhat:enterprise_linux:satellite-branding, p-cpe:/a:redhat:enterprise_linux:satellite-doc-indexes, p-cpe:/a:redhat:enterprise_linux:satellite-repo, p-cpe:/a:redhat:enterprise_linux:satellite-schema, p-cpe:/a:redhat:enterprise_linux:scdb, p-cpe:/a:redhat:enterprise_linux:scl-utils, p-cpe:/a:redhat:enterprise_linux:select2, p-cpe:/a:redhat:enterprise_linux:select2-bootstrap-css, p-cpe:/a:redhat:enterprise_linux:simple-core, p-cpe:/a:redhat:enterprise_linux:sitemesh, p-cpe:/a:redhat:enterprise_linux:spacecmd, 
p-cpe:/a:redhat:enterprise_linux:spacewalk-admin, p-cpe:/a:redhat:enterprise_linux:spacewalk-backend, p-cpe:/a:redhat:enterprise_linux:spacewalk-backend-app, p-cpe:/a:redhat:enterprise_linux:spacewalk-backend-applet, p-cpe:/a:redhat:enterprise_linux:spacewalk-backend-config-files, p-cpe:/a:redhat:enterprise_linux:spacewalk-backend-config-files-common, p-cpe:/a:redhat:enterprise_linux:spacewalk-backend-config-files-tool, p-cpe:/a:redhat:enterprise_linux:spacewalk-backend-iss, p-cpe:/a:redhat:enterprise_linux:spacewalk-backend-iss-export, p-cpe:/a:redhat:enterprise_linux:spacewalk-backend-libs, p-cpe:/a:redhat:enterprise_linux:spacewalk-backend-package-push-server, p-cpe:/a:redhat:enterprise_linux:spacewalk-backend-server, p-cpe:/a:redhat:enterprise_linux:spacewalk-backend-sql, p-cpe:/a:redhat:enterprise_linux:spacewalk-backend-sql-oracle, p-cpe:/a:redhat:enterprise_linux:spacewalk-backend-sql-postgresql, p-cpe:/a:redhat:enterprise_linux:perl-dbd-oracle, p-cpe:/a:redhat:enterprise_linux:perl-datetime, p-cpe:/a:redhat:enterprise_linux:spacewalk-backend-tools, p-cpe:/a:redhat:enterprise_linux:spacewalk-backend-xml-export-libs, p-cpe:/a:redhat:enterprise_linux:spacewalk-backend-xmlrpc, p-cpe:/a:redhat:enterprise_linux:spacewalk-base, p-cpe:/a:redhat:enterprise_linux:spacewalk-base-minimal, p-cpe:/a:redhat:enterprise_linux:spacewalk-base-minimal-config, p-cpe:/a:redhat:enterprise_linux:spacewalk-certs-tools, p-cpe:/a:redhat:enterprise_linux:spacewalk-common, p-cpe:/a:redhat:enterprise_linux:spacewalk-config, p-cpe:/a:redhat:enterprise_linux:spacewalk-dobby, p-cpe:/a:redhat:enterprise_linux:spacewalk-grail, p-cpe:/a:redhat:enterprise_linux:spacewalk-html, p-cpe:/a:redhat:enterprise_linux:spacewalk-java, p-cpe:/a:redhat:enterprise_linux:spacewalk-java-config, p-cpe:/a:redhat:enterprise_linux:spacewalk-java-lib, p-cpe:/a:redhat:enterprise_linux:spacewalk-java-oracle, p-cpe:/a:redhat:enterprise_linux:spacewalk-java-postgresql, 
p-cpe:/a:redhat:enterprise_linux:spacewalk-monitoring, p-cpe:/a:redhat:enterprise_linux:spacewalk-monitoring-selinux, p-cpe:/a:redhat:enterprise_linux:spacewalk-oracle, p-cpe:/a:redhat:enterprise_linux:spacewalk-postgresql, p-cpe:/a:redhat:enterprise_linux:spacewalk-pxt, p-cpe:/a:redhat:enterprise_linux:spacewalk-reports, p-cpe:/a:redhat:enterprise_linux:spacewalk-schema, p-cpe:/a:redhat:enterprise_linux:spacewalk-search, p-cpe:/a:redhat:enterprise_linux:spacewalk-selinux, p-cpe:/a:redhat:enterprise_linux:spacewalk-setup, p-cpe:/a:redhat:enterprise_linux:spacewalk-setup-jabberd, p-cpe:/a:redhat:enterprise_linux:spacewalk-setup-postgresql, p-cpe:/a:redhat:enterprise_linux:spacewalk-slf4j, p-cpe:/a:redhat:enterprise_linux:spacewalk-sniglets, p-cpe:/a:redhat:enterprise_linux:spacewalk-ssl-cert-check, p-cpe:/a:redhat:enterprise_linux:spacewalk-taskomatic, p-cpe:/a:redhat:enterprise_linux:spacewalk-utils, p-cpe:/a:redhat:enterprise_linux:ssl_bridge, p-cpe:/a:redhat:enterprise_linux:status_log_acceptor, p-cpe:/a:redhat:enterprise_linux:stringtree-json, p-cpe:/a:redhat:enterprise_linux:struts, p-cpe:/a:redhat:enterprise_linux:struts-core, p-cpe:/a:redhat:enterprise_linux:struts-extras, p-cpe:/a:redhat:enterprise_linux:struts-taglib, p-cpe:/a:redhat:enterprise_linux:tanukiwrapper, p-cpe:/a:redhat:enterprise_linux:tsdb, p-cpe:/a:redhat:enterprise_linux:udns, p-cpe:/a:redhat:enterprise_linux:xalan-j2, cpe:/o:redhat:enterprise_linux:6

Required KB Items: Host/local_checks_enabled, Host/RedHat/release, Host/RedHat/rpm-list, Host/cpu

Exploit Ease: No known exploits are available

Patch Publication Date: 2015/1/13

Vulnerability Publication Date: 2015/1/15

Reference Information

CVE: CVE-2014-7811, CVE-2014-7812

BID: 74825, 74829

RHSA: 2015:0033