-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2018.2300
              Critical: redhat-certification security update
                               10 August 2018

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           redhat-certification
Publisher:         Red Hat
Operating System:  Red Hat Enterprise Linux Server 7
                   Red Hat Enterprise Linux WS/Desktop 7
Impact/Access:     Execute Arbitrary Code/Commands -- Remote/Unauthenticated
                   Increased Privileges            -- Remote/Unauthenticated
                   Denial of Service               -- Remote/Unauthenticated
                   Access Confidential Data        -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2018-10870 CVE-2018-10869 CVE-2018-10864

Original Bulletin:
   https://access.redhat.com/errata/RHSA-2018:2373

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Critical: redhat-certification security update
Advisory ID:       RHSA-2018:2373-01
Product:           Red Hat Certification
Advisory URL:      https://access.redhat.com/errata/RHSA-2018:2373
Issue date:        2018-08-09
CVE Names:         CVE-2018-10864 CVE-2018-10869 CVE-2018-10870
=====================================================================

1. Summary:

An update for redhat-certification is now available for Red Hat
Certification for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact
of Critical. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Certification for Red Hat Enterprise Linux 7 - noarch

3. Description:

The redhat-certification package provides partners with a unified web-based
user interface to certify their products for use on Red Hat Infrastructure.
It can currently be used in the latest releases of Red Hat Certified Cloud
and Service Provider Certification, Red Hat OpenStack Certification and
Red Hat Hardware Certification Programs.

Security Fix(es):

* redhat-certification: rhcertStore.py:__saveResultsFile allows to write
any file (CVE-2018-10870)

* redhat-certification: /download allows to download any file
(CVE-2018-10869)

* redhat-certification: resource consumption in DocumentBase:loadFiltered
(CVE-2018-10864)

For more details about the security issue(s), including the impact, a CVSS
score, and other related information, refer to the CVE page(s) listed in
the References section.

These issues were discovered by Riccardo Schirone (Red Hat Product
Security).

4. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1593627 - CVE-2018-10864 redhat-certification: resource consumption in DocumentBase:loadFiltered
1593780 - CVE-2018-10869 redhat-certification: /download allows to download any file
1593803 - CVE-2018-10870 redhat-certification: rhcertStore.py:__saveResultsFile allows to write any file

6. Package List:

Red Hat Certification for Red Hat Enterprise Linux 7:

Source:
redhat-certification-5.16-20180809.el7.src.rpm
redhat-certification-hardware-5.16-20180809.1.el7.src.rpm
redhat-certification-hardware-preview-5.16-20180809.1.el7.src.rpm

noarch:
redhat-certification-5.16-20180809.el7.noarch.rpm
redhat-certification-backend-5.16-20180809.el7.noarch.rpm
redhat-certification-baremetal-5.16-20180809.el7.noarch.rpm
redhat-certification-cloud-5.16-20180809.el7.noarch.rpm
redhat-certification-hardware-5.16-20180809.1.el7.noarch.rpm
redhat-certification-hardware-preview-5.16-20180809.1.el7.noarch.rpm
redhat-certification-openstack-5.16-20180809.el7.noarch.rpm

These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2018-10864
https://access.redhat.com/security/cve/CVE-2018-10869
https://access.redhat.com/security/cve/CVE-2018-10870
https://access.redhat.com/security/updates/classification/#critical

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2018 Red Hat, Inc.
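The first two entries under Security Fix(es) (CVE-2018-10869 and CVE-2018-10870) are the arbitrary-file-read and arbitrary-file-write class: a client-supplied name reaches the filesystem without being confined to the directory the handler is meant to serve. The block below is an added example of the generic confinement check that mitigates that class. It is not redhat-certification's code and does not describe the project's actual fix; the store directory, the file names and the symlink scenario are all constructed for the demonstration.

```python
"""Confine client-supplied file names to one directory (added example).

Not redhat-certification's code; a generic check for the "download any
file" / "write any file" class. All paths and names below are constructed.
"""
import os
import tempfile


class PathEscapeError(ValueError):
    """Raised when a requested name would resolve outside the allowed directory."""


def resolve_confined(base_dir: str, requested: str) -> str:
    """Return the absolute path for `requested` inside `base_dir`, or raise.

    Rejects, in order: empty names and NUL bytes; absolute paths; anything
    that, after resolving ".." and symlinks, lies outside base_dir; and the
    directory itself. The containment test uses os.path.commonpath rather
    than a string prefix, so "/srv/results-old" does not pass for base
    "/srv/results".
    """
    if not requested or "\x00" in requested:
        raise PathEscapeError("empty name or NUL byte")
    if os.path.isabs(requested):
        raise PathEscapeError("absolute paths are not allowed")
    base = os.path.realpath(base_dir)
    # realpath follows symlinks, so a link inside base_dir that points
    # outside it resolves to its target and is caught by the test below.
    candidate = os.path.realpath(os.path.join(base, requested))
    if candidate == base or os.path.commonpath([base, candidate]) != base:
        raise PathEscapeError(f"{requested!r} escapes {base_dir!r}")
    return candidate


def is_safe(base_dir: str, requested: str) -> bool:
    """Boolean wrapper used by the tests and the demo."""
    try:
        resolve_confined(base_dir, requested)
        return True
    except PathEscapeError:
        return False


def demo_symlink_escape() -> dict:
    """Constructed scenario: a results store containing one regular file and
    one symlink that points to a file outside the store."""
    with tempfile.TemporaryDirectory() as outside, \
            tempfile.TemporaryDirectory() as store:
        secret = os.path.join(outside, "secret.txt")
        with open(secret, "w") as fh:
            fh.write("not for download\n")
        with open(os.path.join(store, "report.xml"), "w") as fh:
            fh.write("<results/>\n")
        os.symlink(secret, os.path.join(store, "link.txt"))
        return {
            "regular file": is_safe(store, "report.xml"),
            "symlink out": is_safe(store, "link.txt"),
            "traversal": is_safe(
                store, os.path.join("..", os.path.basename(outside), "secret.txt")),
        }


if __name__ == "__main__":
    for label, ok in demo_symlink_escape().items():
        print(f"{label:13} -> {'allowed' if ok else 'rejected'}")
```

The check is applied to the name before any open() call, for both reads and writes; resolving with realpath first and testing containment afterwards is what makes the symlink case come out right, and it is the step that a plain `".." in name` filter misses.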
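The Package List gives the fixed name-version-release for each noarch package. Deciding whether an installed package is at or above that level needs rpm's own version ordering, not a string or float comparison (note that the hardware packages carry the release `20180809.1.el7`). The block below is an added example, not Red Hat's tooling: it ports rpm's `rpmvercmp` segment comparison to Python and checks package names in the form `rpm -qa` prints them against the advisory's list. The installed sample lines are constructed, and the older release number and the 5.17 version in them are invented for illustration.

```python
"""Audit installed packages against the RHSA-2018:2373 Package List.

Added example, not Red Hat's tooling. FIXED_RPMS is copied from section 6
of the advisory; SAMPLE_RPM_QA is constructed (release 20180716 and
version 5.17 are invented for illustration).
"""
import shutil
import subprocess

FIXED_RPMS = [  # section 6, noarch
    "redhat-certification-5.16-20180809.el7.noarch.rpm",
    "redhat-certification-backend-5.16-20180809.el7.noarch.rpm",
    "redhat-certification-baremetal-5.16-20180809.el7.noarch.rpm",
    "redhat-certification-cloud-5.16-20180809.el7.noarch.rpm",
    "redhat-certification-hardware-5.16-20180809.1.el7.noarch.rpm",
    "redhat-certification-hardware-preview-5.16-20180809.1.el7.noarch.rpm",
    "redhat-certification-openstack-5.16-20180809.el7.noarch.rpm",
]

SAMPLE_RPM_QA = """\
redhat-certification-5.16-20180716.el7.noarch
redhat-certification-backend-5.16-20180809.el7.noarch
redhat-certification-hardware-5.16-20180809.1.el7.noarch
redhat-certification-cloud-5.17-20180101.el7.noarch
bash-4.2.46-31.el7.x86_64
""".splitlines()


def rpmvercmp(a: str, b: str) -> int:
    """Port of rpm's rpmvercmp(): returns -1, 0 or 1.

    Strings are compared segment by segment (runs of digits or of letters);
    separators are skipped, numeric segments compare numerically, a numeric
    segment is newer than an alphabetic one, '~' sorts before everything
    (pre-releases), and leftover characters win. rpm's '^' operator is not
    implemented here.
    """
    if a == b:
        return 0
    i = j = 0
    la, lb = len(a), len(b)
    while i < la or j < lb:
        while i < la and not (a[i].isalnum() or a[i] == "~"):
            i += 1
        while j < lb and not (b[j].isalnum() or b[j] == "~"):
            j += 1
        ta, tb = i < la and a[i] == "~", j < lb and b[j] == "~"
        if ta or tb:
            if ta and tb:
                i, j = i + 1, j + 1
                continue
            return -1 if ta else 1
        if i >= la or j >= lb:
            break
        isnum = a[i].isdigit()
        ia, jb = i, j
        while ia < la and (a[ia].isdigit() if isnum else a[ia].isalpha()):
            ia += 1
        while jb < lb and (b[jb].isdigit() if isnum else b[jb].isalpha()):
            jb += 1
        sa, sb = a[i:ia], b[j:jb]
        if not sb:  # segment types differ: the numeric side is newer
            return 1 if isnum else -1
        if isnum:
            sa, sb = sa.lstrip("0"), sb.lstrip("0")
            if len(sa) != len(sb):
                return 1 if len(sa) > len(sb) else -1
        if sa != sb:
            return 1 if sa > sb else -1
        i, j = ia, jb
    if i >= la and j >= lb:
        return 0
    return -1 if i >= la else 1


def parse_nevra(pkg: str):
    """Split 'name-[epoch:]version-release.arch[.rpm]' into its fields."""
    if pkg.endswith(".rpm"):
        pkg = pkg[:-4]
    nvr, _, arch = pkg.rpartition(".")
    name, version, release = nvr.rsplit("-", 2)
    epoch, _, version = version.rpartition(":")  # '' when no epoch given
    return name, epoch or "0", version, release, arch


def evrcmp(a, b) -> int:
    """Compare (epoch, version, release) tuples the way rpm does."""
    for x, y in zip(a, b):
        c = rpmvercmp(x, y)
        if c:
            return c
    return 0


FIXED = {n: (e, v, r) for n, e, v, r, _ in map(parse_nevra, FIXED_RPMS)}


def audit(installed) -> dict:
    """Map each installed package name to 'fixed', 'vulnerable' or 'not in advisory'."""
    result = {}
    for line in (l.strip() for l in installed if l.strip()):
        name, e, v, r, _ = parse_nevra(line)
        if name not in FIXED:
            result[name] = "not in advisory"
        else:
            result[name] = "fixed" if evrcmp((e, v, r), FIXED[name]) >= 0 else "vulnerable"
    return result


if __name__ == "__main__":
    lines = SAMPLE_RPM_QA
    if shutil.which("rpm"):  # on a real RHEL 7 host, query the rpm database instead
        out = subprocess.run(["rpm", "-qa", "redhat-certification*"],
                             capture_output=True, text=True, check=False).stdout
        lines = out.splitlines() or SAMPLE_RPM_QA
    for name, status in sorted(audit(lines).items()):
        print(f"{name:45} {status}")
```

Run on a host, the script substitutes the live `rpm -qa` output for the constructed sample; "fixed" means the installed epoch-version-release is equal to or newer than the advisory's, so packages rebased past 5.16 are not flagged.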
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBW2x4fNzjgjWX9erEAQhXTw//R2J4x2wC6NjA5bGMFDBs+c8ghQDtrZJT
Bln/a22+X+XCKDoJB68JJb/+uRtq/4jX5ad2DsB05N2/TEg0YnENgR+MZcWUHwLb
luphTbdA5nZPfaEGQ+pz8QM2tKrI1YbCgCI2Ehx4i6LVSyD5KQ2ZUf5ultX6dHmI
bZLX1uRltw/EifMJ4w28zmHljmtf0zFD6Mt8c/IoHKCgrYDgwXdpYL4hbyzWCBWK
FU6IAn51rm7w/dIdXAvhPsX8wP0y3RYOC76llqA+9XkOqYVlXoRDhEvQ5aZn8u9o
KqSF74uikRhW03MgIh3KjKn5PbJMhJ02J6Mzc9bqepfxjl2ayrAgK4lJAvvgITes
m3J8VYZ0QatICOdGgbBxIlJIamLbyVFmnDllxuDLe/W8fJbfY+qrwUD7tqweT/cg
/fahESn2jWQ3M0HKp7hbsG7VppKp1qdPsCOzccIdVLb2oJ2CMZHFZKv5Lz+eoeaz
vHLTfVzajxhtxgUIE9rjRkETm76Tz5aEUMr+BsCC/f2FMdxu8cGWx3cfoAyxEokj
N9nBDpuD+VarTpxzN6sPnKe3OH1xlrvr1pj8LKRkNSGn15v6O4vjgmMzGbEBABSC
ibqCikJB/LnNBYhomKsqS7+dTOFWKoOS6NbNk+0gR7a6Ouz35KzbgOgefm4Qnn42
EMg5Nfj+fzw=
=TWZe
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights

This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBW2zYEmaOgq3Tt24GAQiwbQ/+PEPJNB8CSWUFSJ4TTl87ZOpdT8tbd57J
DLo1yAxcmSTjxXXBZIq75gndxbRehv1Tq60Ys5SGwQ6/bnI2/+CoQBtfaSe1bR8R
hVTzLnq0pcbuPtFbyrg3/iolu20vkgLIGlFE55CCyuKU05pTE4+Aozg423GpsLYe
nbKXizQV6ojxMdr390aCbD+pGgm71nCHTNM2Hl0TLnKI4iJn1GOOokJMndbqb+vf
UboRJwMFRzP0nCQL+5uzIwPyVqGiQ49NAne5u9mfAc7uAZRwwSAh9+2lcZcPhCYA
VBtIGRZDRaBQtB20DcGLX9kFym8bXQLd1G0STBCpqOIU3dh/xihzsteg+jhk4thw
HhyG2pu3nL3HnflEr/Kmbx4qI1TnJ59GAR08OcU/JO5tI/kOV3yjXyL4cem95jjJ
w5jV8FkxjxDN+0H8pH202l9Akfq/cusz9sesORqCcJldVGBzplvf7bkT36BkrHei
Q0XeJ252UHoV68klkfydZr4jXE3HP35THLDoIavidHh68xV3zQmeJmPxHmDfC42D
VMPtqm7+FRyLoERHoMaFa39LWBiAwZnm01lRIvjD52ngkmYSfFDR3qZm0Q6RSPr0
dPtj+0EkREBXloDX2s53eslWUxm0of4ivbqZMZGlAcdt+YxYe1vIPt1ruUjnEVNK
TJj9mkwB3nY=
=0HWO
-----END PGP SIGNATURE-----