RHSA-2014:0025
Vulnerability from csaf_redhat
Published
2014-01-14 19:16
Modified
2024-11-22 07:16
Summary
Red Hat Security Advisory: cfme security, bug fix, and enhancement update
Notes
Topic
Updated cfme packages that fix one security issue, several bugs, and add
various enhancements are now available for Red Hat CloudForms 3.0.
The Red Hat Security Response Team has rated this update as having moderate
security impact. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available from the CVE link in
the References section.
Details
Red Hat CloudForms Management Engine delivers the insight, control, and
automation enterprises need to address the challenges of managing virtual
environments, which are far more complex than physical ones. This
technology enables enterprises with existing virtual infrastructures
to improve visibility and control, and those just starting virtualization
deployments to build and operate a well-managed virtual infrastructure.
It was found that sending a GET request for a destructive action could
bypass the Ruby on Rails protect_from_forgery mechanism. A remote attacker
could use this flaw to perform Cross-Site Request Forgery (CSRF) attacks
against CloudForms applications. (CVE-2013-6443)
This issue was discovered by Martin Povolný of Red Hat.
This update fixes several bugs and adds multiple enhancements.
Documentation for these changes will be available shortly from the Red Hat
CloudForms 3.0 Management Engine 5.2 Technical Notes linked to in the
References section.
All users of Red Hat CloudForms are advised to upgrade to these updated
packages, which contain backported patches to correct these issues and add
these enhancements.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Updated cfme packages that fix one security issue, several bugs, and add\nvarious enhancements are now available for Red Hat CloudForms 3.0.\n\nThe Red Hat Security Response Team has rated this update as having moderate\nsecurity impact. A Common Vulnerability Scoring System (CVSS) base score,\nwhich gives a detailed severity rating, is available from the CVE link in\nthe References section.",
"title": "Topic"
},
{
"category": "general",
"text": "Red Hat CloudForms Management Engine delivers the insight, control, and\nautomation enterprises need to address the challenges of managing virtual\nenvironments, which are far more complex than physical ones. This\ntechnology enables enterprises with existing virtual infrastructures\nto improve visibility and control, and those just starting virtualization\ndeployments to build and operate a well-managed virtual infrastructure.\n\nIt was found that sending a GET request for a destructive action could\nbypass the Ruby on Rails protect_from_forgery mechanism. A remote attacker\ncould use this flaw to perform Cross-Site Request Forgery (CSRF) attacks\nagainst CloudForms applications. (CVE-2013-6443)\n\nThis issue was discovered by Martin Povoln\u00fd of Red Hat.\n\nThis update fixes several bugs and adds multiple enhancements.\nDocumentation for these changes will be available shortly from the Red Hat\nCloudForms 3.0 Management Engine 5.2 Technical Notes linked to in the\nReferences section.\n\nAll users of Red Hat CloudForms are advised to upgrade to these updated\npackages, which contain backported patches to correct these issues and add\nthese enhancements.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2014:0025",
"url": "https://access.redhat.com/errata/RHSA-2014:0025"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#moderate",
"url": "https://access.redhat.com/security/updates/classification/#moderate"
},
{
"category": "external",
"summary": "https://access.redhat.com/site/documentation/en-US/CloudForms/3.0/html/Management_Engine_5.2_Technical_Notes/index.html",
"url": "https://access.redhat.com/site/documentation/en-US/CloudForms/3.0/html/Management_Engine_5.2_Technical_Notes/index.html"
},
{
"category": "external",
"summary": "1044178",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1044178"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2014/rhsa-2014_0025.json"
}
],
"title": "Red Hat Security Advisory: cfme security, bug fix, and enhancement update",
"tracking": {
"current_release_date": "2024-11-22T07:16:09+00:00",
"generator": {
"date": "2024-11-22T07:16:09+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.2.1"
}
},
"id": "RHSA-2014:0025",
"initial_release_date": "2014-01-14T19:16:52+00:00",
"revision_history": [
{
"date": "2014-01-14T19:16:52+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2014-01-14T19:16:52+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2024-11-22T07:16:09+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Management Engine",
"product": {
"name": "Management Engine",
"product_id": "6Server-CFME",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:cloudforms_managementengine:5::el6"
}
}
}
],
"category": "product_family",
"name": "Red Hat CloudForms"
},
{
"branches": [
{
"category": "product_version",
"name": "ruby193-rubygem-activerecord-1:3.2.13-4.el6cf.src",
"product": {
"name": "ruby193-rubygem-activerecord-1:3.2.13-4.el6cf.src",
"product_id": "ruby193-rubygem-activerecord-1:3.2.13-4.el6cf.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/ruby193-rubygem-activerecord@3.2.13-4.el6cf?arch=src\u0026epoch=1"
}
}
},
{
"category": "product_version",
"name": "ruby193-rubygem-linux_admin-0:0.5.6-1.el6cf.src",
"product": {
"name": "ruby193-rubygem-linux_admin-0:0.5.6-1.el6cf.src",
"product_id": "ruby193-rubygem-linux_admin-0:0.5.6-1.el6cf.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/ruby193-rubygem-linux_admin@0.5.6-1.el6cf?arch=src"
}
}
},
{
"category": "product_version",
"name": "cfme-0:5.2.1.8-1.el6cf.src",
"product": {
"name": "cfme-0:5.2.1.8-1.el6cf.src",
"product_id": "cfme-0:5.2.1.8-1.el6cf.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/cfme@5.2.1.8-1.el6cf?arch=src"
}
}
}
],
"category": "architecture",
"name": "src"
},
{
"branches": [
{
"category": "product_version",
"name": "ruby193-rubygem-activerecord-1:3.2.13-4.el6cf.noarch",
"product": {
"name": "ruby193-rubygem-activerecord-1:3.2.13-4.el6cf.noarch",
"product_id": "ruby193-rubygem-activerecord-1:3.2.13-4.el6cf.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/ruby193-rubygem-activerecord@3.2.13-4.el6cf?arch=noarch\u0026epoch=1"
}
}
},
{
"category": "product_version",
"name": "ruby193-rubygem-linux_admin-0:0.5.6-1.el6cf.noarch",
"product": {
"name": "ruby193-rubygem-linux_admin-0:0.5.6-1.el6cf.noarch",
"product_id": "ruby193-rubygem-linux_admin-0:0.5.6-1.el6cf.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/ruby193-rubygem-linux_admin@0.5.6-1.el6cf?arch=noarch"
}
}
}
],
"category": "architecture",
"name": "noarch"
},
{
"branches": [
{
"category": "product_version",
"name": "cfme-lib-0:5.2.1.8-1.el6cf.x86_64",
"product": {
"name": "cfme-lib-0:5.2.1.8-1.el6cf.x86_64",
"product_id": "cfme-lib-0:5.2.1.8-1.el6cf.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/cfme-lib@5.2.1.8-1.el6cf?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "cfme-0:5.2.1.8-1.el6cf.x86_64",
"product": {
"name": "cfme-0:5.2.1.8-1.el6cf.x86_64",
"product_id": "cfme-0:5.2.1.8-1.el6cf.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/cfme@5.2.1.8-1.el6cf?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "cfme-appliance-0:5.2.1.8-1.el6cf.x86_64",
"product": {
"name": "cfme-appliance-0:5.2.1.8-1.el6cf.x86_64",
"product_id": "cfme-appliance-0:5.2.1.8-1.el6cf.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/cfme-appliance@5.2.1.8-1.el6cf?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "cfme-debuginfo-0:5.2.1.8-1.el6cf.x86_64",
"product": {
"name": "cfme-debuginfo-0:5.2.1.8-1.el6cf.x86_64",
"product_id": "cfme-debuginfo-0:5.2.1.8-1.el6cf.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/cfme-debuginfo@5.2.1.8-1.el6cf?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "mingw32-cfme-host-0:5.2.1.8-1.el6cf.x86_64",
"product": {
"name": "mingw32-cfme-host-0:5.2.1.8-1.el6cf.x86_64",
"product_id": "mingw32-cfme-host-0:5.2.1.8-1.el6cf.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/mingw32-cfme-host@5.2.1.8-1.el6cf?arch=x86_64"
}
}
}
],
"category": "architecture",
"name": "x86_64"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "cfme-0:5.2.1.8-1.el6cf.src as a component of Management Engine",
"product_id": "6Server-CFME:cfme-0:5.2.1.8-1.el6cf.src"
},
"product_reference": "cfme-0:5.2.1.8-1.el6cf.src",
"relates_to_product_reference": "6Server-CFME"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "cfme-0:5.2.1.8-1.el6cf.x86_64 as a component of Management Engine",
"product_id": "6Server-CFME:cfme-0:5.2.1.8-1.el6cf.x86_64"
},
"product_reference": "cfme-0:5.2.1.8-1.el6cf.x86_64",
"relates_to_product_reference": "6Server-CFME"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "cfme-appliance-0:5.2.1.8-1.el6cf.x86_64 as a component of Management Engine",
"product_id": "6Server-CFME:cfme-appliance-0:5.2.1.8-1.el6cf.x86_64"
},
"product_reference": "cfme-appliance-0:5.2.1.8-1.el6cf.x86_64",
"relates_to_product_reference": "6Server-CFME"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "cfme-debuginfo-0:5.2.1.8-1.el6cf.x86_64 as a component of Management Engine",
"product_id": "6Server-CFME:cfme-debuginfo-0:5.2.1.8-1.el6cf.x86_64"
},
"product_reference": "cfme-debuginfo-0:5.2.1.8-1.el6cf.x86_64",
"relates_to_product_reference": "6Server-CFME"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "cfme-lib-0:5.2.1.8-1.el6cf.x86_64 as a component of Management Engine",
"product_id": "6Server-CFME:cfme-lib-0:5.2.1.8-1.el6cf.x86_64"
},
"product_reference": "cfme-lib-0:5.2.1.8-1.el6cf.x86_64",
"relates_to_product_reference": "6Server-CFME"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "mingw32-cfme-host-0:5.2.1.8-1.el6cf.x86_64 as a component of Management Engine",
"product_id": "6Server-CFME:mingw32-cfme-host-0:5.2.1.8-1.el6cf.x86_64"
},
"product_reference": "mingw32-cfme-host-0:5.2.1.8-1.el6cf.x86_64",
"relates_to_product_reference": "6Server-CFME"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ruby193-rubygem-activerecord-1:3.2.13-4.el6cf.noarch as a component of Management Engine",
"product_id": "6Server-CFME:ruby193-rubygem-activerecord-1:3.2.13-4.el6cf.noarch"
},
"product_reference": "ruby193-rubygem-activerecord-1:3.2.13-4.el6cf.noarch",
"relates_to_product_reference": "6Server-CFME"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ruby193-rubygem-activerecord-1:3.2.13-4.el6cf.src as a component of Management Engine",
"product_id": "6Server-CFME:ruby193-rubygem-activerecord-1:3.2.13-4.el6cf.src"
},
"product_reference": "ruby193-rubygem-activerecord-1:3.2.13-4.el6cf.src",
"relates_to_product_reference": "6Server-CFME"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ruby193-rubygem-linux_admin-0:0.5.6-1.el6cf.noarch as a component of Management Engine",
"product_id": "6Server-CFME:ruby193-rubygem-linux_admin-0:0.5.6-1.el6cf.noarch"
},
"product_reference": "ruby193-rubygem-linux_admin-0:0.5.6-1.el6cf.noarch",
"relates_to_product_reference": "6Server-CFME"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ruby193-rubygem-linux_admin-0:0.5.6-1.el6cf.src as a component of Management Engine",
"product_id": "6Server-CFME:ruby193-rubygem-linux_admin-0:0.5.6-1.el6cf.src"
},
"product_reference": "ruby193-rubygem-linux_admin-0:0.5.6-1.el6cf.src",
"relates_to_product_reference": "6Server-CFME"
}
]
},
"vulnerabilities": [
{
"acknowledgments": [
{
"names": [
"Martin Povoln\u00fd"
],
"organization": "Red Hat",
"summary": "This issue was discovered by Red Hat."
}
],
"cve": "CVE-2013-6443",
"cwe": {
"id": "CWE-352",
"name": "Cross-Site Request Forgery (CSRF)"
},
"discovery_date": "2013-12-17T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1044178"
}
],
"notes": [
{
"category": "description",
"text": "CloudForms 3.0 Management Engine before 5.2.1.6 allows remote attackers to bypass the Ruby on Rails protect_from_forgery mechanism and conduct cross-site request forgery (CSRF) attacks via a destructive action in a request.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "CFME: GET request CSRF vulnerability",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"6Server-CFME:cfme-0:5.2.1.8-1.el6cf.src",
"6Server-CFME:cfme-0:5.2.1.8-1.el6cf.x86_64",
"6Server-CFME:cfme-appliance-0:5.2.1.8-1.el6cf.x86_64",
"6Server-CFME:cfme-debuginfo-0:5.2.1.8-1.el6cf.x86_64",
"6Server-CFME:cfme-lib-0:5.2.1.8-1.el6cf.x86_64",
"6Server-CFME:mingw32-cfme-host-0:5.2.1.8-1.el6cf.x86_64",
"6Server-CFME:ruby193-rubygem-activerecord-1:3.2.13-4.el6cf.noarch",
"6Server-CFME:ruby193-rubygem-activerecord-1:3.2.13-4.el6cf.src",
"6Server-CFME:ruby193-rubygem-linux_admin-0:0.5.6-1.el6cf.noarch",
"6Server-CFME:ruby193-rubygem-linux_admin-0:0.5.6-1.el6cf.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2013-6443"
},
{
"category": "external",
"summary": "RHBZ#1044178",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1044178"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2013-6443",
"url": "https://www.cve.org/CVERecord?id=CVE-2013-6443"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2013-6443",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2013-6443"
}
],
"release_date": "2014-01-14T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2014-01-14T19:16:52+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nThis update is available via the Red Hat Network. Details on how to use the\nRed Hat Network to apply this update are available at\nhttps://access.redhat.com/site/articles/11258",
"product_ids": [
"6Server-CFME:cfme-0:5.2.1.8-1.el6cf.src",
"6Server-CFME:cfme-0:5.2.1.8-1.el6cf.x86_64",
"6Server-CFME:cfme-appliance-0:5.2.1.8-1.el6cf.x86_64",
"6Server-CFME:cfme-debuginfo-0:5.2.1.8-1.el6cf.x86_64",
"6Server-CFME:cfme-lib-0:5.2.1.8-1.el6cf.x86_64",
"6Server-CFME:mingw32-cfme-host-0:5.2.1.8-1.el6cf.x86_64",
"6Server-CFME:ruby193-rubygem-activerecord-1:3.2.13-4.el6cf.noarch",
"6Server-CFME:ruby193-rubygem-activerecord-1:3.2.13-4.el6cf.src",
"6Server-CFME:ruby193-rubygem-linux_admin-0:0.5.6-1.el6cf.noarch",
"6Server-CFME:ruby193-rubygem-linux_admin-0:0.5.6-1.el6cf.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2014:0025"
}
],
"scores": [
{
"cvss_v2": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "NONE",
"baseScore": 3.5,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N",
"version": "2.0"
},
"products": [
"6Server-CFME:cfme-0:5.2.1.8-1.el6cf.src",
"6Server-CFME:cfme-0:5.2.1.8-1.el6cf.x86_64",
"6Server-CFME:cfme-appliance-0:5.2.1.8-1.el6cf.x86_64",
"6Server-CFME:cfme-debuginfo-0:5.2.1.8-1.el6cf.x86_64",
"6Server-CFME:cfme-lib-0:5.2.1.8-1.el6cf.x86_64",
"6Server-CFME:mingw32-cfme-host-0:5.2.1.8-1.el6cf.x86_64",
"6Server-CFME:ruby193-rubygem-activerecord-1:3.2.13-4.el6cf.noarch",
"6Server-CFME:ruby193-rubygem-activerecord-1:3.2.13-4.el6cf.src",
"6Server-CFME:ruby193-rubygem-linux_admin-0:0.5.6-1.el6cf.noarch",
"6Server-CFME:ruby193-rubygem-linux_admin-0:0.5.6-1.el6cf.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "CFME: GET request CSRF vulnerability"
}
]
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.