Action not permitted
Modal body text goes here.
Modal Title
Modal Body
CVE-2019-10139 (GCVE-0-2019-10139)
Vulnerability from cvelistv5 – Published: 2019-05-17 15:28 – Updated: 2024-08-04 22:10
VLAI?
EPSS
Summary
During HE deployment via cockpit-ovirt, cockpit-ovirt generates an ansible variable file `/var/lib/ovirt-hosted-engine-setup/cockpit/ansibleVarFileXXXXXX.var` which contains the admin and the appliance passwords as plain-text. At the of the deployment procedure, these files are deleted.
Severity ?
5.6 (Medium)
CWE
Assigner
References
| URL | Tags | |||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| ovirt | cockpit-ovirt |
Affected:
n/a
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T22:10:10.077Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10139"
},
{
"name": "108396",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/108396"
},
{
"name": "RHSA-2019:2433",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHSA-2019:2433"
},
{
"name": "RHSA-2019:2437",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHSA-2019:2437"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "cockpit-ovirt",
"vendor": "ovirt",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "During HE deployment via cockpit-ovirt, cockpit-ovirt generates an ansible variable file `/var/lib/ovirt-hosted-engine-setup/cockpit/ansibleVarFileXXXXXX.var` which contains the admin and the appliance passwords as plain-text. At the of the deployment procedure, these files are deleted."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 5.6,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-522",
"description": "CWE-522",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-08-12T13:06:16",
"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"shortName": "redhat"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10139"
},
{
"name": "108396",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/108396"
},
{
"name": "RHSA-2019:2433",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2019:2433"
},
{
"name": "RHSA-2019:2437",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2019:2437"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"assignerShortName": "redhat",
"cveId": "CVE-2019-10139",
"datePublished": "2019-05-17T15:28:59",
"dateReserved": "2019-03-27T00:00:00",
"dateUpdated": "2024-08-04T22:10:10.077Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"vulnerability-lookup:meta": {
"fkie_nvd": {
"configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:ovirt:cockpit-ovirt:-:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"BDF3EE76-6492-4194-9ABE-DDD6AE1CD8FA\"}]}]}]",
"descriptions": "[{\"lang\": \"en\", \"value\": \"During HE deployment via cockpit-ovirt, cockpit-ovirt generates an ansible variable file `/var/lib/ovirt-hosted-engine-setup/cockpit/ansibleVarFileXXXXXX.var` which contains the admin and the appliance passwords as plain-text. At the of the deployment procedure, these files are deleted.\"}, {\"lang\": \"es\", \"value\": \"Durante la implementaci\\u00f3n de HE a trav\\u00e9s de cockpit-ovirt, cockpit-ovirt genera un archivo variable ansible `/ var / lib / ovirt-hosts-configuraci\\u00f3n-cockpit / ansibleVarFileXXXXXX.var` que contiene las contrase\\u00f1as del administrador y del dispositivo como plain-text. En el momento del procedimiento de implementaci\\u00f3n, estos archivos se suprimen.\"}]",
"id": "CVE-2019-10139",
"lastModified": "2024-11-21T04:18:29.917",
"metrics": "{\"cvssMetricV31\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\", \"baseScore\": 7.8, \"baseSeverity\": \"HIGH\", \"attackVector\": \"LOCAL\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"LOW\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"HIGH\", \"availabilityImpact\": \"HIGH\"}, \"exploitabilityScore\": 1.8, \"impactScore\": 5.9}], \"cvssMetricV30\": [{\"source\": \"secalert@redhat.com\", \"type\": \"Secondary\", \"cvssData\": {\"version\": \"3.0\", \"vectorString\": \"CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N\", \"baseScore\": 5.6, \"baseSeverity\": \"MEDIUM\", \"attackVector\": \"LOCAL\", \"attackComplexity\": \"HIGH\", \"privilegesRequired\": \"LOW\", \"userInteraction\": \"NONE\", \"scope\": \"CHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"NONE\", \"availabilityImpact\": \"NONE\"}, \"exploitabilityScore\": 1.1, \"impactScore\": 4.0}], \"cvssMetricV2\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"2.0\", \"vectorString\": \"AV:L/AC:L/Au:N/C:P/I:N/A:N\", \"baseScore\": 2.1, \"accessVector\": \"LOCAL\", \"accessComplexity\": \"LOW\", \"authentication\": \"NONE\", \"confidentialityImpact\": \"PARTIAL\", \"integrityImpact\": \"NONE\", \"availabilityImpact\": \"NONE\"}, \"baseSeverity\": \"LOW\", \"exploitabilityScore\": 3.9, \"impactScore\": 2.9, \"acInsufInfo\": false, \"obtainAllPrivilege\": false, \"obtainUserPrivilege\": false, \"obtainOtherPrivilege\": false, \"userInteractionRequired\": false}]}",
"published": "2019-05-17T16:29:03.017",
"references": "[{\"url\": \"http://www.securityfocus.com/bid/108396\", \"source\": \"secalert@redhat.com\", \"tags\": [\"Third Party Advisory\", \"VDB Entry\"]}, {\"url\": \"https://access.redhat.com/errata/RHSA-2019:2433\", \"source\": \"secalert@redhat.com\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"https://access.redhat.com/errata/RHSA-2019:2437\", \"source\": \"secalert@redhat.com\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10139\", \"source\": \"secalert@redhat.com\", \"tags\": [\"Issue Tracking\", \"Third Party Advisory\"]}, {\"url\": \"http://www.securityfocus.com/bid/108396\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Third Party Advisory\", \"VDB Entry\"]}, {\"url\": \"https://access.redhat.com/errata/RHSA-2019:2433\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"https://access.redhat.com/errata/RHSA-2019:2437\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10139\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Issue Tracking\", \"Third Party Advisory\"]}]",
"sourceIdentifier": "secalert@redhat.com",
"vulnStatus": "Modified",
"weaknesses": "[{\"source\": \"secalert@redhat.com\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-522\"}]}, {\"source\": \"nvd@nist.gov\", \"type\": \"Secondary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-311\"}, {\"lang\": \"en\", \"value\": \"CWE-522\"}]}]"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2019-10139\",\"sourceIdentifier\":\"secalert@redhat.com\",\"published\":\"2019-05-17T16:29:03.017\",\"lastModified\":\"2024-11-21T04:18:29.917\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"During HE deployment via cockpit-ovirt, cockpit-ovirt generates an ansible variable file `/var/lib/ovirt-hosted-engine-setup/cockpit/ansibleVarFileXXXXXX.var` which contains the admin and the appliance passwords as plain-text. At the of the deployment procedure, these files are deleted.\"},{\"lang\":\"es\",\"value\":\"Durante la implementaci\u00f3n de HE a trav\u00e9s de cockpit-ovirt, cockpit-ovirt genera un archivo variable ansible `/ var / lib / ovirt-hosts-configuraci\u00f3n-cockpit / ansibleVarFileXXXXXX.var` que contiene las contrase\u00f1as del administrador y del dispositivo como plain-text. En el momento del procedimiento de implementaci\u00f3n, estos archivos se suprimen.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":7.8,\"baseSeverity\":\"HIGH\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":1.8,\"impactScore\":5.9}],\"cvssMetricV30\":[{\"source\":\"secalert@redhat.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.0\",\"vectorString\":\"CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N\",\"baseScore\":5.6,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"HIGH\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":1.1,\"impactScore\":4.0}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:L/AC:L/Au:N/C:P/I:N/A:N\",\"baseScore\":2.1,\"accessVector\":\"LOCAL\",\"accessComplexity\":\"LOW\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"PARTIAL\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"baseSeverity\":\"LOW\",\"exploitabilityScore\":3.9,\"impactScore\":2.9,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false}]},\"weaknesses\":[{\"source\":\"secalert@redhat.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-522\"}]},{\"source\":\"nvd@nist.gov\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-311\"},{\"lang\":\"en\",\"value\":\"CWE-522\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:ovirt:cockpit-ovirt:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"BDF3EE76-6492-4194-9ABE-DDD6AE1CD8FA\"}]}]}],\"references\":[{\"url\":\"http://www.securityfocus.com/bid/108396\",\"source\":\"secalert@redhat.com\",\"tags\":[\"Third Party Advisory\",\"VDB Entry\"]},{\"url\":\"https://access.redhat.com/errata/RHSA-2019:2433\",\"source\":\"secalert@redhat.com\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://access.redhat.com/errata/RHSA-2019:2437\",\"source\":\"secalert@redhat.com\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10139\",\"source\":\"secalert@redhat.com\",\"tags\":[\"Issue Tracking\",\"Third Party Advisory\"]},{\"url\":\"http://www.securityfocus.com/bid/108396\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\",\"VDB Entry\"]},{\"url\":\"https://access.redhat.com/errata/RHSA-2019:2433\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://access.redhat.com/errata/RHSA-2019:2437\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10139\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Issue Tracking\",\"Third Party Advisory\"]}]}}"
}
}
FKIE_CVE-2019-10139
Vulnerability from fkie_nvd - Published: 2019-05-17 16:29 - Updated: 2024-11-21 04:18
Severity ?
Summary
During HE deployment via cockpit-ovirt, cockpit-ovirt generates an ansible variable file `/var/lib/ovirt-hosted-engine-setup/cockpit/ansibleVarFileXXXXXX.var` which contains the admin and the appliance passwords as plain-text. At the of the deployment procedure, these files are deleted.
References
| URL | Tags | ||
|---|---|---|---|
| secalert@redhat.com | http://www.securityfocus.com/bid/108396 | Third Party Advisory, VDB Entry | |
| secalert@redhat.com | https://access.redhat.com/errata/RHSA-2019:2433 | Third Party Advisory | |
| secalert@redhat.com | https://access.redhat.com/errata/RHSA-2019:2437 | Third Party Advisory | |
| secalert@redhat.com | https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10139 | Issue Tracking, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | http://www.securityfocus.com/bid/108396 | Third Party Advisory, VDB Entry | |
| af854a3a-2127-422b-91ae-364da2661108 | https://access.redhat.com/errata/RHSA-2019:2433 | Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://access.redhat.com/errata/RHSA-2019:2437 | Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10139 | Issue Tracking, Third Party Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| ovirt | cockpit-ovirt | - |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:ovirt:cockpit-ovirt:-:*:*:*:*:*:*:*",
"matchCriteriaId": "BDF3EE76-6492-4194-9ABE-DDD6AE1CD8FA",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "During HE deployment via cockpit-ovirt, cockpit-ovirt generates an ansible variable file `/var/lib/ovirt-hosted-engine-setup/cockpit/ansibleVarFileXXXXXX.var` which contains the admin and the appliance passwords as plain-text. At the of the deployment procedure, these files are deleted."
},
{
"lang": "es",
"value": "Durante la implementaci\u00f3n de HE a trav\u00e9s de cockpit-ovirt, cockpit-ovirt genera un archivo variable ansible `/ var / lib / ovirt-hosts-configuraci\u00f3n-cockpit / ansibleVarFileXXXXXX.var` que contiene las contrase\u00f1as del administrador y del dispositivo como plain-text. En el momento del procedimiento de implementaci\u00f3n, estos archivos se suprimen."
}
],
"id": "CVE-2019-10139",
"lastModified": "2024-11-21T04:18:29.917",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "LOW",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "LOCAL",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 2.1,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "NONE",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
"version": "2.0"
},
"exploitabilityScore": 3.9,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 5.6,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N",
"version": "3.0"
},
"exploitabilityScore": 1.1,
"impactScore": 4.0,
"source": "secalert@redhat.com",
"type": "Secondary"
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 1.8,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2019-05-17T16:29:03.017",
"references": [
{
"source": "secalert@redhat.com",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "http://www.securityfocus.com/bid/108396"
},
{
"source": "secalert@redhat.com",
"tags": [
"Third Party Advisory"
],
"url": "https://access.redhat.com/errata/RHSA-2019:2433"
},
{
"source": "secalert@redhat.com",
"tags": [
"Third Party Advisory"
],
"url": "https://access.redhat.com/errata/RHSA-2019:2437"
},
{
"source": "secalert@redhat.com",
"tags": [
"Issue Tracking",
"Third Party Advisory"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10139"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "http://www.securityfocus.com/bid/108396"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://access.redhat.com/errata/RHSA-2019:2433"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://access.redhat.com/errata/RHSA-2019:2437"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking",
"Third Party Advisory"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10139"
}
],
"sourceIdentifier": "secalert@redhat.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-522"
}
],
"source": "secalert@redhat.com",
"type": "Primary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-311"
},
{
"lang": "en",
"value": "CWE-522"
}
],
"source": "nvd@nist.gov",
"type": "Secondary"
}
]
}
RHSA-2019_2433
Vulnerability from csaf_redhat - Published: 2019-08-12 11:56 - Updated: 2024-11-15 03:13Summary
Red Hat Security Advisory: cockpit-ovirt security, bug fix, and enhancement update
Notes
Topic
An update for cockpit-ovirt is now available for Red Hat Virtualization 4 for Red Hat Enterprise Linux 7.
Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details
Cockpit is a Linux system adminstration tool with a web UI, easy setup, and minimal system footprint at runtime. When installed on hosts in Red Hat Virtualization, it provides monitoring and management functions beyond those available in the Administration Portal. Cockpit is installed by default on Red Hat Virtualization Host (RHVH).
The following packages have been upgraded to a later upstream version: cockpit-ovirt (0.13.5). (BZ#1705911, BZ#1711192, BZ#1719317, BZ#1723322)
Security Fix(es):
* cockpit-ovirt: admin and appliance passwords saved in plain text variable file during HE deployment (CVE-2019-10139)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Bug Fix(es):
* In this release, the directory /var/lib/ovirt-hosted-engine-setup/cockpit is created with read permissions only for user 'root'. Non 'root' users cannot view this directory. (BZ#1723322)
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An update for cockpit-ovirt is now available for Red Hat Virtualization 4 for Red Hat Enterprise Linux 7.\n\nRed Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "Cockpit is a Linux system adminstration tool with a web UI, easy setup, and minimal system footprint at runtime. When installed on hosts in Red Hat Virtualization, it provides monitoring and management functions beyond those available in the Administration Portal. Cockpit is installed by default on Red Hat Virtualization Host (RHVH).\n\nThe following packages have been upgraded to a later upstream version: cockpit-ovirt (0.13.5). (BZ#1705911, BZ#1711192, BZ#1719317, BZ#1723322)\n\nSecurity Fix(es):\n\n* cockpit-ovirt: admin and appliance passwords saved in plain text variable file during HE deployment (CVE-2019-10139)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.\n\nBug Fix(es):\n\n* In this release, the directory /var/lib/ovirt-hosted-engine-setup/cockpit is created with read permissions only for user \u0027root\u0027. Non \u0027root\u0027 users cannot view this directory. (BZ#1723322)",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2019:2433",
"url": "https://access.redhat.com/errata/RHSA-2019:2433"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#moderate",
"url": "https://access.redhat.com/security/updates/classification/#moderate"
},
{
"category": "external",
"summary": "1705911",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1705911"
},
{
"category": "external",
"summary": "1709829",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1709829"
},
{
"category": "external",
"summary": "1709938",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1709938"
},
{
"category": "external",
"summary": "1719317",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1719317"
},
{
"category": "external",
"summary": "1719327",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1719327"
},
{
"category": "external",
"summary": "1723322",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1723322"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2019/rhsa-2019_2433.json"
}
],
"title": "Red Hat Security Advisory: cockpit-ovirt security, bug fix, and enhancement update",
"tracking": {
"current_release_date": "2024-11-15T03:13:05+00:00",
"generator": {
"date": "2024-11-15T03:13:05+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.2.1"
}
},
"id": "RHSA-2019:2433",
"initial_release_date": "2019-08-12T11:56:21+00:00",
"revision_history": [
{
"date": "2019-08-12T11:56:21+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2019-08-12T11:56:21+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2024-11-15T03:13:05+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat Virtualization 4 Management Agent for RHEL 7 Hosts",
"product": {
"name": "Red Hat Virtualization 4 Management Agent for RHEL 7 Hosts",
"product_id": "7Server-RHEV-4-Agents-7",
"product_identification_helper": {
"cpe": "cpe:/o:redhat:enterprise_linux:7::hypervisor"
}
}
},
{
"category": "product_name",
"name": "RHEL 7-based RHEV-H for RHEV 4 (build requirements)",
"product": {
"name": "RHEL 7-based RHEV-H for RHEV 4 (build requirements)",
"product_id": "7Server-RHEV-4-HypervisorBuild-7",
"product_identification_helper": {
"cpe": "cpe:/o:redhat:enterprise_linux:7::hypervisor"
}
}
}
],
"category": "product_family",
"name": "Red Hat Virtualization"
},
{
"branches": [
{
"category": "product_version",
"name": "cockpit-ovirt-0:0.13.5-1.el7ev.src",
"product": {
"name": "cockpit-ovirt-0:0.13.5-1.el7ev.src",
"product_id": "cockpit-ovirt-0:0.13.5-1.el7ev.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/cockpit-ovirt@0.13.5-1.el7ev?arch=src"
}
}
}
],
"category": "architecture",
"name": "src"
},
{
"branches": [
{
"category": "product_version",
"name": "cockpit-ovirt-dashboard-0:0.13.5-1.el7ev.noarch",
"product": {
"name": "cockpit-ovirt-dashboard-0:0.13.5-1.el7ev.noarch",
"product_id": "cockpit-ovirt-dashboard-0:0.13.5-1.el7ev.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/cockpit-ovirt-dashboard@0.13.5-1.el7ev?arch=noarch"
}
}
}
],
"category": "architecture",
"name": "noarch"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "cockpit-ovirt-0:0.13.5-1.el7ev.src as a component of Red Hat Virtualization 4 Management Agent for RHEL 7 Hosts",
"product_id": "7Server-RHEV-4-Agents-7:cockpit-ovirt-0:0.13.5-1.el7ev.src"
},
"product_reference": "cockpit-ovirt-0:0.13.5-1.el7ev.src",
"relates_to_product_reference": "7Server-RHEV-4-Agents-7"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "cockpit-ovirt-dashboard-0:0.13.5-1.el7ev.noarch as a component of Red Hat Virtualization 4 Management Agent for RHEL 7 Hosts",
"product_id": "7Server-RHEV-4-Agents-7:cockpit-ovirt-dashboard-0:0.13.5-1.el7ev.noarch"
},
"product_reference": "cockpit-ovirt-dashboard-0:0.13.5-1.el7ev.noarch",
"relates_to_product_reference": "7Server-RHEV-4-Agents-7"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "cockpit-ovirt-0:0.13.5-1.el7ev.src as a component of RHEL 7-based RHEV-H for RHEV 4 (build requirements)",
"product_id": "7Server-RHEV-4-HypervisorBuild-7:cockpit-ovirt-0:0.13.5-1.el7ev.src"
},
"product_reference": "cockpit-ovirt-0:0.13.5-1.el7ev.src",
"relates_to_product_reference": "7Server-RHEV-4-HypervisorBuild-7"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "cockpit-ovirt-dashboard-0:0.13.5-1.el7ev.noarch as a component of RHEL 7-based RHEV-H for RHEV 4 (build requirements)",
"product_id": "7Server-RHEV-4-HypervisorBuild-7:cockpit-ovirt-dashboard-0:0.13.5-1.el7ev.noarch"
},
"product_reference": "cockpit-ovirt-dashboard-0:0.13.5-1.el7ev.noarch",
"relates_to_product_reference": "7Server-RHEV-4-HypervisorBuild-7"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2019-10139",
"cwe": {
"id": "CWE-522",
"name": "Insufficiently Protected Credentials"
},
"discovery_date": "2019-05-02T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1709829"
}
],
"notes": [
{
"category": "description",
"text": "During HE deployment via cockpit-ovirt, cockpit-ovirt generates an ansible variable file `/var/lib/ovirt-hosted-engine-setup/cockpit/ansibleVarFileXXXXXX.var` which contains the admin and the appliance passwords as plain-text. At the of the deployment procedure, these files are deleted.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "cockpit-ovirt: admin and appliance passwords saved in plain text variable file during HE deployment",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-RHEV-4-Agents-7:cockpit-ovirt-0:0.13.5-1.el7ev.src",
"7Server-RHEV-4-Agents-7:cockpit-ovirt-dashboard-0:0.13.5-1.el7ev.noarch",
"7Server-RHEV-4-HypervisorBuild-7:cockpit-ovirt-0:0.13.5-1.el7ev.src",
"7Server-RHEV-4-HypervisorBuild-7:cockpit-ovirt-dashboard-0:0.13.5-1.el7ev.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2019-10139"
},
{
"category": "external",
"summary": "RHBZ#1709829",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1709829"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2019-10139",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-10139"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2019-10139",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-10139"
}
],
"release_date": "2019-05-17T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2019-08-12T11:56:21+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/2974891",
"product_ids": [
"7Server-RHEV-4-Agents-7:cockpit-ovirt-0:0.13.5-1.el7ev.src",
"7Server-RHEV-4-Agents-7:cockpit-ovirt-dashboard-0:0.13.5-1.el7ev.noarch",
"7Server-RHEV-4-HypervisorBuild-7:cockpit-ovirt-0:0.13.5-1.el7ev.src",
"7Server-RHEV-4-HypervisorBuild-7:cockpit-ovirt-dashboard-0:0.13.5-1.el7ev.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2019:2433"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 5.6,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N",
"version": "3.0"
},
"products": [
"7Server-RHEV-4-Agents-7:cockpit-ovirt-0:0.13.5-1.el7ev.src",
"7Server-RHEV-4-Agents-7:cockpit-ovirt-dashboard-0:0.13.5-1.el7ev.noarch",
"7Server-RHEV-4-HypervisorBuild-7:cockpit-ovirt-0:0.13.5-1.el7ev.src",
"7Server-RHEV-4-HypervisorBuild-7:cockpit-ovirt-dashboard-0:0.13.5-1.el7ev.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "cockpit-ovirt: admin and appliance passwords saved in plain text variable file during HE deployment"
}
]
}
RHSA-2019:2433
Vulnerability from csaf_redhat - Published: 2019-08-12 11:56 - Updated: 2025-11-21 18:09Summary
Red Hat Security Advisory: cockpit-ovirt security, bug fix, and enhancement update
Notes
Topic
An update for cockpit-ovirt is now available for Red Hat Virtualization 4 for Red Hat Enterprise Linux 7.
Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details
Cockpit is a Linux system adminstration tool with a web UI, easy setup, and minimal system footprint at runtime. When installed on hosts in Red Hat Virtualization, it provides monitoring and management functions beyond those available in the Administration Portal. Cockpit is installed by default on Red Hat Virtualization Host (RHVH).
The following packages have been upgraded to a later upstream version: cockpit-ovirt (0.13.5). (BZ#1705911, BZ#1711192, BZ#1719317, BZ#1723322)
Security Fix(es):
* cockpit-ovirt: admin and appliance passwords saved in plain text variable file during HE deployment (CVE-2019-10139)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Bug Fix(es):
* In this release, the directory /var/lib/ovirt-hosted-engine-setup/cockpit is created with read permissions only for user 'root'. Non 'root' users cannot view this directory. (BZ#1723322)
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An update for cockpit-ovirt is now available for Red Hat Virtualization 4 for Red Hat Enterprise Linux 7.\n\nRed Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "Cockpit is a Linux system adminstration tool with a web UI, easy setup, and minimal system footprint at runtime. When installed on hosts in Red Hat Virtualization, it provides monitoring and management functions beyond those available in the Administration Portal. Cockpit is installed by default on Red Hat Virtualization Host (RHVH).\n\nThe following packages have been upgraded to a later upstream version: cockpit-ovirt (0.13.5). (BZ#1705911, BZ#1711192, BZ#1719317, BZ#1723322)\n\nSecurity Fix(es):\n\n* cockpit-ovirt: admin and appliance passwords saved in plain text variable file during HE deployment (CVE-2019-10139)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.\n\nBug Fix(es):\n\n* In this release, the directory /var/lib/ovirt-hosted-engine-setup/cockpit is created with read permissions only for user \u0027root\u0027. Non \u0027root\u0027 users cannot view this directory. (BZ#1723322)",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2019:2433",
"url": "https://access.redhat.com/errata/RHSA-2019:2433"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#moderate",
"url": "https://access.redhat.com/security/updates/classification/#moderate"
},
{
"category": "external",
"summary": "1705911",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1705911"
},
{
"category": "external",
"summary": "1709829",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1709829"
},
{
"category": "external",
"summary": "1709938",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1709938"
},
{
"category": "external",
"summary": "1719317",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1719317"
},
{
"category": "external",
"summary": "1719327",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1719327"
},
{
"category": "external",
"summary": "1723322",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1723322"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2019/rhsa-2019_2433.json"
}
],
"title": "Red Hat Security Advisory: cockpit-ovirt security, bug fix, and enhancement update",
"tracking": {
"current_release_date": "2025-11-21T18:09:44+00:00",
"generator": {
"date": "2025-11-21T18:09:44+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.6.12"
}
},
"id": "RHSA-2019:2433",
"initial_release_date": "2019-08-12T11:56:21+00:00",
"revision_history": [
{
"date": "2019-08-12T11:56:21+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2019-08-12T11:56:21+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2025-11-21T18:09:44+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat Virtualization 4 Management Agent for RHEL 7 Hosts",
"product": {
"name": "Red Hat Virtualization 4 Management Agent for RHEL 7 Hosts",
"product_id": "7Server-RHEV-4-Agents-7",
"product_identification_helper": {
"cpe": "cpe:/o:redhat:enterprise_linux:7::hypervisor"
}
}
},
{
"category": "product_name",
"name": "RHEL 7-based RHEV-H for RHEV 4 (build requirements)",
"product": {
"name": "RHEL 7-based RHEV-H for RHEV 4 (build requirements)",
"product_id": "7Server-RHEV-4-HypervisorBuild-7",
"product_identification_helper": {
"cpe": "cpe:/o:redhat:enterprise_linux:7::hypervisor"
}
}
}
],
"category": "product_family",
"name": "Red Hat Virtualization"
},
{
"branches": [
{
"category": "product_version",
"name": "cockpit-ovirt-0:0.13.5-1.el7ev.src",
"product": {
"name": "cockpit-ovirt-0:0.13.5-1.el7ev.src",
"product_id": "cockpit-ovirt-0:0.13.5-1.el7ev.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/cockpit-ovirt@0.13.5-1.el7ev?arch=src"
}
}
}
],
"category": "architecture",
"name": "src"
},
{
"branches": [
{
"category": "product_version",
"name": "cockpit-ovirt-dashboard-0:0.13.5-1.el7ev.noarch",
"product": {
"name": "cockpit-ovirt-dashboard-0:0.13.5-1.el7ev.noarch",
"product_id": "cockpit-ovirt-dashboard-0:0.13.5-1.el7ev.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/cockpit-ovirt-dashboard@0.13.5-1.el7ev?arch=noarch"
}
}
}
],
"category": "architecture",
"name": "noarch"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "cockpit-ovirt-0:0.13.5-1.el7ev.src as a component of Red Hat Virtualization 4 Management Agent for RHEL 7 Hosts",
"product_id": "7Server-RHEV-4-Agents-7:cockpit-ovirt-0:0.13.5-1.el7ev.src"
},
"product_reference": "cockpit-ovirt-0:0.13.5-1.el7ev.src",
"relates_to_product_reference": "7Server-RHEV-4-Agents-7"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "cockpit-ovirt-dashboard-0:0.13.5-1.el7ev.noarch as a component of Red Hat Virtualization 4 Management Agent for RHEL 7 Hosts",
"product_id": "7Server-RHEV-4-Agents-7:cockpit-ovirt-dashboard-0:0.13.5-1.el7ev.noarch"
},
"product_reference": "cockpit-ovirt-dashboard-0:0.13.5-1.el7ev.noarch",
"relates_to_product_reference": "7Server-RHEV-4-Agents-7"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "cockpit-ovirt-0:0.13.5-1.el7ev.src as a component of RHEL 7-based RHEV-H for RHEV 4 (build requirements)",
"product_id": "7Server-RHEV-4-HypervisorBuild-7:cockpit-ovirt-0:0.13.5-1.el7ev.src"
},
"product_reference": "cockpit-ovirt-0:0.13.5-1.el7ev.src",
"relates_to_product_reference": "7Server-RHEV-4-HypervisorBuild-7"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "cockpit-ovirt-dashboard-0:0.13.5-1.el7ev.noarch as a component of RHEL 7-based RHEV-H for RHEV 4 (build requirements)",
"product_id": "7Server-RHEV-4-HypervisorBuild-7:cockpit-ovirt-dashboard-0:0.13.5-1.el7ev.noarch"
},
"product_reference": "cockpit-ovirt-dashboard-0:0.13.5-1.el7ev.noarch",
"relates_to_product_reference": "7Server-RHEV-4-HypervisorBuild-7"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2019-10139",
"cwe": {
"id": "CWE-522",
"name": "Insufficiently Protected Credentials"
},
"discovery_date": "2019-05-02T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1709829"
}
],
"notes": [
{
"category": "description",
"text": "During HE deployment via cockpit-ovirt, cockpit-ovirt generates an ansible variable file `/var/lib/ovirt-hosted-engine-setup/cockpit/ansibleVarFileXXXXXX.var` which contains the admin and the appliance passwords as plain-text. At the of the deployment procedure, these files are deleted.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "cockpit-ovirt: admin and appliance passwords saved in plain text variable file during HE deployment",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-RHEV-4-Agents-7:cockpit-ovirt-0:0.13.5-1.el7ev.src",
"7Server-RHEV-4-Agents-7:cockpit-ovirt-dashboard-0:0.13.5-1.el7ev.noarch",
"7Server-RHEV-4-HypervisorBuild-7:cockpit-ovirt-0:0.13.5-1.el7ev.src",
"7Server-RHEV-4-HypervisorBuild-7:cockpit-ovirt-dashboard-0:0.13.5-1.el7ev.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2019-10139"
},
{
"category": "external",
"summary": "RHBZ#1709829",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1709829"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2019-10139",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-10139"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2019-10139",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-10139"
}
],
"release_date": "2019-05-17T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2019-08-12T11:56:21+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/2974891",
"product_ids": [
"7Server-RHEV-4-Agents-7:cockpit-ovirt-0:0.13.5-1.el7ev.src",
"7Server-RHEV-4-Agents-7:cockpit-ovirt-dashboard-0:0.13.5-1.el7ev.noarch",
"7Server-RHEV-4-HypervisorBuild-7:cockpit-ovirt-0:0.13.5-1.el7ev.src",
"7Server-RHEV-4-HypervisorBuild-7:cockpit-ovirt-dashboard-0:0.13.5-1.el7ev.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2019:2433"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 5.6,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N",
"version": "3.0"
},
"products": [
"7Server-RHEV-4-Agents-7:cockpit-ovirt-0:0.13.5-1.el7ev.src",
"7Server-RHEV-4-Agents-7:cockpit-ovirt-dashboard-0:0.13.5-1.el7ev.noarch",
"7Server-RHEV-4-HypervisorBuild-7:cockpit-ovirt-0:0.13.5-1.el7ev.src",
"7Server-RHEV-4-HypervisorBuild-7:cockpit-ovirt-dashboard-0:0.13.5-1.el7ev.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "cockpit-ovirt: admin and appliance passwords saved in plain text variable file during HE deployment"
}
]
}
RHSA-2019_2437
Vulnerability from csaf_redhat - Published: 2019-08-12 11:56 - Updated: 2024-11-15 04:09Summary
Red Hat Security Advisory: Red Hat Virtualization security update
Notes
Topic
An update for redhat-virtualization-host is now available for Red Hat Virtualization 4 for Red Hat Enterprise Linux 7.
Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details
The redhat-virtualization-host packages provide the Red Hat Virtualization Host. These packages include redhat-release-virtualization-host, ovirt-node, and rhev-hypervisor. Red Hat Virtualization Hosts (RHVH) are installed using a special build of Red Hat Enterprise Linux with only the packages required to host virtual machines. RHVH features a Cockpit user interface for monitoring the host's resources and performing administrative tasks.
The following packages have been upgraded to a later upstream version: imgbased (1.1.9), ovirt-node-ng (4.3.5), redhat-release-virtualization-host (4.3.5), redhat-virtualization-host (4.3.5). (BZ#1669357, BZ#1669365, BZ#1684986, BZ#1711193, BZ#1717250, BZ#1726917)
Security Fix(es):
* python: regression of CVE-2019-9636 due to functional fix to allow port numbers in netloc (CVE-2019-10160)
* rsyslog: imptcp: integer overflow when Octet-Counted TCP Framing is enabled (CVE-2018-16881)
* edk2: stack overflow in XHCI causing denial of service (CVE-2019-0161)
* openssl: 0-byte record padding oracle (CVE-2019-1559)
* cockpit-ovirt: admin and appliance passwords saved in plain text variable file during HE deployment (CVE-2019-10139)
* sssd: improper implementation of GPOs due to too restrictive permissions (CVE-2018-16838)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An update for redhat-virtualization-host is now available for Red Hat Virtualization 4 for Red Hat Enterprise Linux 7.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "The redhat-virtualization-host packages provide the Red Hat Virtualization Host. These packages include redhat-release-virtualization-host, ovirt-node, and rhev-hypervisor. Red Hat Virtualization Hosts (RHVH) are installed using a special build of Red Hat Enterprise Linux with only the packages required to host virtual machines. RHVH features a Cockpit user interface for monitoring the host\u0027s resources and performing administrative tasks.\n\nThe following packages have been upgraded to a later upstream version: imgbased (1.1.9), ovirt-node-ng (4.3.5), redhat-release-virtualization-host (4.3.5), redhat-virtualization-host (4.3.5). (BZ#1669357, BZ#1669365, BZ#1684986, BZ#1711193, BZ#1717250, BZ#1726917)\n\nSecurity Fix(es):\n\n* python: regression of CVE-2019-9636 due to functional fix to allow port numbers in netloc (CVE-2019-10160)\n\n* rsyslog: imptcp: integer overflow when Octet-Counted TCP Framing is enabled (CVE-2018-16881)\n\n* edk2: stack overflow in XHCI causing denial of service (CVE-2019-0161)\n\n* openssl: 0-byte record padding oracle (CVE-2019-1559)\n\n* cockpit-ovirt: admin and appliance passwords saved in plain text variable file during HE deployment (CVE-2019-10139)\n\n* sssd: improper implementation of GPOs due to too restrictive permissions (CVE-2018-16838)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2019:2437",
"url": "https://access.redhat.com/errata/RHSA-2019:2437"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#important",
"url": "https://access.redhat.com/security/updates/classification/#important"
},
{
"category": "external",
"summary": "1640820",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1640820"
},
{
"category": "external",
"summary": "1658366",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1658366"
},
{
"category": "external",
"summary": "1683804",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1683804"
},
{
"category": "external",
"summary": "1687920",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1687920"
},
{
"category": "external",
"summary": "1694065",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1694065"
},
{
"category": "external",
"summary": "1702223",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1702223"
},
{
"category": "external",
"summary": "1709829",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1709829"
},
{
"category": "external",
"summary": "1718388",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1718388"
},
{
"category": "external",
"summary": "1720156",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1720156"
},
{
"category": "external",
"summary": "1720160",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1720160"
},
{
"category": "external",
"summary": "1720310",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1720310"
},
{
"category": "external",
"summary": "1720434",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1720434"
},
{
"category": "external",
"summary": "1720435",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1720435"
},
{
"category": "external",
"summary": "1720436",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1720436"
},
{
"category": "external",
"summary": "1724044",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1724044"
},
{
"category": "external",
"summary": "1726534",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1726534"
},
{
"category": "external",
"summary": "1727007",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1727007"
},
{
"category": "external",
"summary": "1727859",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1727859"
},
{
"category": "external",
"summary": "1728998",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1728998"
},
{
"category": "external",
"summary": "1729023",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1729023"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2019/rhsa-2019_2437.json"
}
],
"title": "Red Hat Security Advisory: Red Hat Virtualization security update",
"tracking": {
"current_release_date": "2024-11-15T04:09:09+00:00",
"generator": {
"date": "2024-11-15T04:09:09+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.2.1"
}
},
"id": "RHSA-2019:2437",
"initial_release_date": "2019-08-12T11:56:35+00:00",
"revision_history": [
{
"date": "2019-08-12T11:56:35+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2019-08-12T11:56:35+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2024-11-15T04:09:09+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "RHEL 7-based RHEV-H for RHEV 4 (build requirements)",
"product": {
"name": "RHEL 7-based RHEV-H for RHEV 4 (build requirements)",
"product_id": "7Server-RHEV-4-HypervisorBuild-7",
"product_identification_helper": {
"cpe": "cpe:/o:redhat:enterprise_linux:7::hypervisor"
}
}
},
{
"category": "product_name",
"name": "Red Hat Virtualization 4 Hypervisor for RHEL 7",
"product": {
"name": "Red Hat Virtualization 4 Hypervisor for RHEL 7",
"product_id": "7Server-RHEV-4-Hypervisor-7",
"product_identification_helper": {
"cpe": "cpe:/o:redhat:enterprise_linux:7::hypervisor"
}
}
}
],
"category": "product_family",
"name": "Red Hat Virtualization"
},
{
"branches": [
{
"category": "product_version",
"name": "redhat-virtualization-host-image-update-placeholder-0:4.3.5-2.el7ev.noarch",
"product": {
"name": "redhat-virtualization-host-image-update-placeholder-0:4.3.5-2.el7ev.noarch",
"product_id": "redhat-virtualization-host-image-update-placeholder-0:4.3.5-2.el7ev.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/redhat-virtualization-host-image-update-placeholder@4.3.5-2.el7ev?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "python-imgbased-0:1.1.9-0.1.el7ev.noarch",
"product": {
"name": "python-imgbased-0:1.1.9-0.1.el7ev.noarch",
"product_id": "python-imgbased-0:1.1.9-0.1.el7ev.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/python-imgbased@1.1.9-0.1.el7ev?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "imgbased-0:1.1.9-0.1.el7ev.noarch",
"product": {
"name": "imgbased-0:1.1.9-0.1.el7ev.noarch",
"product_id": "imgbased-0:1.1.9-0.1.el7ev.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/imgbased@1.1.9-0.1.el7ev?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "python2-ovirt-node-ng-nodectl-0:4.3.5-0.20190717.0.el7ev.noarch",
"product": {
"name": "python2-ovirt-node-ng-nodectl-0:4.3.5-0.20190717.0.el7ev.noarch",
"product_id": "python2-ovirt-node-ng-nodectl-0:4.3.5-0.20190717.0.el7ev.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/python2-ovirt-node-ng-nodectl@4.3.5-0.20190717.0.el7ev?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "ovirt-node-ng-nodectl-0:4.3.5-0.20190717.0.el7ev.noarch",
"product": {
"name": "ovirt-node-ng-nodectl-0:4.3.5-0.20190717.0.el7ev.noarch",
"product_id": "ovirt-node-ng-nodectl-0:4.3.5-0.20190717.0.el7ev.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/ovirt-node-ng-nodectl@4.3.5-0.20190717.0.el7ev?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "redhat-virtualization-host-image-update-0:4.3.5-20190722.0.el7_7.noarch",
"product": {
"name": "redhat-virtualization-host-image-update-0:4.3.5-20190722.0.el7_7.noarch",
"product_id": "redhat-virtualization-host-image-update-0:4.3.5-20190722.0.el7_7.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/redhat-virtualization-host-image-update@4.3.5-20190722.0.el7_7?arch=noarch"
}
}
}
],
"category": "architecture",
"name": "noarch"
},
{
"branches": [
{
"category": "product_version",
"name": "redhat-release-virtualization-host-0:4.3.5-2.el7ev.x86_64",
"product": {
"name": "redhat-release-virtualization-host-0:4.3.5-2.el7ev.x86_64",
"product_id": "redhat-release-virtualization-host-0:4.3.5-2.el7ev.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/redhat-release-virtualization-host@4.3.5-2.el7ev?arch=x86_64"
}
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_version",
"name": "redhat-release-virtualization-host-0:4.3.5-2.el7ev.src",
"product": {
"name": "redhat-release-virtualization-host-0:4.3.5-2.el7ev.src",
"product_id": "redhat-release-virtualization-host-0:4.3.5-2.el7ev.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/redhat-release-virtualization-host@4.3.5-2.el7ev?arch=src"
}
}
},
{
"category": "product_version",
"name": "imgbased-0:1.1.9-0.1.el7ev.src",
"product": {
"name": "imgbased-0:1.1.9-0.1.el7ev.src",
"product_id": "imgbased-0:1.1.9-0.1.el7ev.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/imgbased@1.1.9-0.1.el7ev?arch=src"
}
}
},
{
"category": "product_version",
"name": "ovirt-node-ng-0:4.3.5-0.20190717.0.el7ev.src",
"product": {
"name": "ovirt-node-ng-0:4.3.5-0.20190717.0.el7ev.src",
"product_id": "ovirt-node-ng-0:4.3.5-0.20190717.0.el7ev.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/ovirt-node-ng@4.3.5-0.20190717.0.el7ev?arch=src"
}
}
},
{
"category": "product_version",
"name": "redhat-virtualization-host-0:4.3.5-20190722.0.el7_7.src",
"product": {
"name": "redhat-virtualization-host-0:4.3.5-20190722.0.el7_7.src",
"product_id": "redhat-virtualization-host-0:4.3.5-20190722.0.el7_7.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/redhat-virtualization-host@4.3.5-20190722.0.el7_7?arch=src"
}
}
}
],
"category": "architecture",
"name": "src"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "redhat-virtualization-host-0:4.3.5-20190722.0.el7_7.src as a component of Red Hat Virtualization 4 Hypervisor for RHEL 7",
"product_id": "7Server-RHEV-4-Hypervisor-7:redhat-virtualization-host-0:4.3.5-20190722.0.el7_7.src"
},
"product_reference": "redhat-virtualization-host-0:4.3.5-20190722.0.el7_7.src",
"relates_to_product_reference": "7Server-RHEV-4-Hypervisor-7"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "redhat-virtualization-host-image-update-0:4.3.5-20190722.0.el7_7.noarch as a component of Red Hat Virtualization 4 Hypervisor for RHEL 7",
"product_id": "7Server-RHEV-4-Hypervisor-7:redhat-virtualization-host-image-update-0:4.3.5-20190722.0.el7_7.noarch"
},
"product_reference": "redhat-virtualization-host-image-update-0:4.3.5-20190722.0.el7_7.noarch",
"relates_to_product_reference": "7Server-RHEV-4-Hypervisor-7"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "imgbased-0:1.1.9-0.1.el7ev.noarch as a component of RHEL 7-based RHEV-H for RHEV 4 (build requirements)",
"product_id": "7Server-RHEV-4-HypervisorBuild-7:imgbased-0:1.1.9-0.1.el7ev.noarch"
},
"product_reference": "imgbased-0:1.1.9-0.1.el7ev.noarch",
"relates_to_product_reference": "7Server-RHEV-4-HypervisorBuild-7"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "imgbased-0:1.1.9-0.1.el7ev.src as a component of RHEL 7-based RHEV-H for RHEV 4 (build requirements)",
"product_id": "7Server-RHEV-4-HypervisorBuild-7:imgbased-0:1.1.9-0.1.el7ev.src"
},
"product_reference": "imgbased-0:1.1.9-0.1.el7ev.src",
"relates_to_product_reference": "7Server-RHEV-4-HypervisorBuild-7"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ovirt-node-ng-0:4.3.5-0.20190717.0.el7ev.src as a component of RHEL 7-based RHEV-H for RHEV 4 (build requirements)",
"product_id": "7Server-RHEV-4-HypervisorBuild-7:ovirt-node-ng-0:4.3.5-0.20190717.0.el7ev.src"
},
"product_reference": "ovirt-node-ng-0:4.3.5-0.20190717.0.el7ev.src",
"relates_to_product_reference": "7Server-RHEV-4-HypervisorBuild-7"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ovirt-node-ng-nodectl-0:4.3.5-0.20190717.0.el7ev.noarch as a component of RHEL 7-based RHEV-H for RHEV 4 (build requirements)",
"product_id": "7Server-RHEV-4-HypervisorBuild-7:ovirt-node-ng-nodectl-0:4.3.5-0.20190717.0.el7ev.noarch"
},
"product_reference": "ovirt-node-ng-nodectl-0:4.3.5-0.20190717.0.el7ev.noarch",
"relates_to_product_reference": "7Server-RHEV-4-HypervisorBuild-7"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python-imgbased-0:1.1.9-0.1.el7ev.noarch as a component of RHEL 7-based RHEV-H for RHEV 4 (build requirements)",
"product_id": "7Server-RHEV-4-HypervisorBuild-7:python-imgbased-0:1.1.9-0.1.el7ev.noarch"
},
"product_reference": "python-imgbased-0:1.1.9-0.1.el7ev.noarch",
"relates_to_product_reference": "7Server-RHEV-4-HypervisorBuild-7"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python2-ovirt-node-ng-nodectl-0:4.3.5-0.20190717.0.el7ev.noarch as a component of RHEL 7-based RHEV-H for RHEV 4 (build requirements)",
"product_id": "7Server-RHEV-4-HypervisorBuild-7:python2-ovirt-node-ng-nodectl-0:4.3.5-0.20190717.0.el7ev.noarch"
},
"product_reference": "python2-ovirt-node-ng-nodectl-0:4.3.5-0.20190717.0.el7ev.noarch",
"relates_to_product_reference": "7Server-RHEV-4-HypervisorBuild-7"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "redhat-release-virtualization-host-0:4.3.5-2.el7ev.src as a component of RHEL 7-based RHEV-H for RHEV 4 (build requirements)",
"product_id": "7Server-RHEV-4-HypervisorBuild-7:redhat-release-virtualization-host-0:4.3.5-2.el7ev.src"
},
"product_reference": "redhat-release-virtualization-host-0:4.3.5-2.el7ev.src",
"relates_to_product_reference": "7Server-RHEV-4-HypervisorBuild-7"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "redhat-release-virtualization-host-0:4.3.5-2.el7ev.x86_64 as a component of RHEL 7-based RHEV-H for RHEV 4 (build requirements)",
"product_id": "7Server-RHEV-4-HypervisorBuild-7:redhat-release-virtualization-host-0:4.3.5-2.el7ev.x86_64"
},
"product_reference": "redhat-release-virtualization-host-0:4.3.5-2.el7ev.x86_64",
"relates_to_product_reference": "7Server-RHEV-4-HypervisorBuild-7"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "redhat-virtualization-host-image-update-placeholder-0:4.3.5-2.el7ev.noarch as a component of RHEL 7-based RHEV-H for RHEV 4 (build requirements)",
"product_id": "7Server-RHEV-4-HypervisorBuild-7:redhat-virtualization-host-image-update-placeholder-0:4.3.5-2.el7ev.noarch"
},
"product_reference": "redhat-virtualization-host-image-update-placeholder-0:4.3.5-2.el7ev.noarch",
"relates_to_product_reference": "7Server-RHEV-4-HypervisorBuild-7"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2018-16838",
"cwe": {
"id": "CWE-269",
"name": "Improper Privilege Management"
},
"discovery_date": "2018-10-18T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1640820"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in sssd Group Policy Objects implementation. When the GPO is not readable by SSSD due to a too strict permission settings on the server side, SSSD will allow all authenticated users to login instead of denying access.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "sssd: improper implementation of GPOs due to too restrictive permissions",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-RHEV-4-Hypervisor-7:redhat-virtualization-host-0:4.3.5-20190722.0.el7_7.src",
"7Server-RHEV-4-Hypervisor-7:redhat-virtualization-host-image-update-0:4.3.5-20190722.0.el7_7.noarch",
"7Server-RHEV-4-HypervisorBuild-7:imgbased-0:1.1.9-0.1.el7ev.noarch",
"7Server-RHEV-4-HypervisorBuild-7:imgbased-0:1.1.9-0.1.el7ev.src",
"7Server-RHEV-4-HypervisorBuild-7:ovirt-node-ng-0:4.3.5-0.20190717.0.el7ev.src",
"7Server-RHEV-4-HypervisorBuild-7:ovirt-node-ng-nodectl-0:4.3.5-0.20190717.0.el7ev.noarch",
"7Server-RHEV-4-HypervisorBuild-7:python-imgbased-0:1.1.9-0.1.el7ev.noarch",
"7Server-RHEV-4-HypervisorBuild-7:python2-ovirt-node-ng-nodectl-0:4.3.5-0.20190717.0.el7ev.noarch",
"7Server-RHEV-4-HypervisorBuild-7:redhat-release-virtualization-host-0:4.3.5-2.el7ev.src",
"7Server-RHEV-4-HypervisorBuild-7:redhat-release-virtualization-host-0:4.3.5-2.el7ev.x86_64",
"7Server-RHEV-4-HypervisorBuild-7:redhat-virtualization-host-image-update-placeholder-0:4.3.5-2.el7ev.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2018-16838"
},
{
"category": "external",
"summary": "RHBZ#1640820",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1640820"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2018-16838",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-16838"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2018-16838",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-16838"
}
],
"release_date": "2019-02-04T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2019-08-12T11:56:35+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/2974891",
"product_ids": [
"7Server-RHEV-4-Hypervisor-7:redhat-virtualization-host-0:4.3.5-20190722.0.el7_7.src",
"7Server-RHEV-4-Hypervisor-7:redhat-virtualization-host-image-update-0:4.3.5-20190722.0.el7_7.noarch",
"7Server-RHEV-4-HypervisorBuild-7:imgbased-0:1.1.9-0.1.el7ev.noarch",
"7Server-RHEV-4-HypervisorBuild-7:imgbased-0:1.1.9-0.1.el7ev.src",
"7Server-RHEV-4-HypervisorBuild-7:ovirt-node-ng-0:4.3.5-0.20190717.0.el7ev.src",
"7Server-RHEV-4-HypervisorBuild-7:ovirt-node-ng-nodectl-0:4.3.5-0.20190717.0.el7ev.noarch",
"7Server-RHEV-4-HypervisorBuild-7:python-imgbased-0:1.1.9-0.1.el7ev.noarch",
"7Server-RHEV-4-HypervisorBuild-7:python2-ovirt-node-ng-nodectl-0:4.3.5-0.20190717.0.el7ev.noarch",
"7Server-RHEV-4-HypervisorBuild-7:redhat-release-virtualization-host-0:4.3.5-2.el7ev.src",
"7Server-RHEV-4-HypervisorBuild-7:redhat-release-virtualization-host-0:4.3.5-2.el7ev.x86_64",
"7Server-RHEV-4-HypervisorBuild-7:redhat-virtualization-host-image-update-placeholder-0:4.3.5-2.el7ev.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2019:2437"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
"version": "3.0"
},
"products": [
"7Server-RHEV-4-Hypervisor-7:redhat-virtualization-host-0:4.3.5-20190722.0.el7_7.src",
"7Server-RHEV-4-Hypervisor-7:redhat-virtualization-host-image-update-0:4.3.5-20190722.0.el7_7.noarch",
"7Server-RHEV-4-HypervisorBuild-7:imgbased-0:1.1.9-0.1.el7ev.noarch",
"7Server-RHEV-4-HypervisorBuild-7:imgbased-0:1.1.9-0.1.el7ev.src",
"7Server-RHEV-4-HypervisorBuild-7:ovirt-node-ng-0:4.3.5-0.20190717.0.el7ev.src",
"7Server-RHEV-4-HypervisorBuild-7:ovirt-node-ng-nodectl-0:4.3.5-0.20190717.0.el7ev.noarch",
"7Server-RHEV-4-HypervisorBuild-7:python-imgbased-0:1.1.9-0.1.el7ev.noarch",
"7Server-RHEV-4-HypervisorBuild-7:python2-ovirt-node-ng-nodectl-0:4.3.5-0.20190717.0.el7ev.noarch",
"7Server-RHEV-4-HypervisorBuild-7:redhat-release-virtualization-host-0:4.3.5-2.el7ev.src",
"7Server-RHEV-4-HypervisorBuild-7:redhat-release-virtualization-host-0:4.3.5-2.el7ev.x86_64",
"7Server-RHEV-4-HypervisorBuild-7:redhat-virtualization-host-image-update-placeholder-0:4.3.5-2.el7ev.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "sssd: improper implementation of GPOs due to too restrictive permissions"
},
{
"acknowledgments": [
{
"names": [
"Joel Miller"
],
"organization": "Pennsylvania Higher Education Assistance Agency"
}
],
"cve": "CVE-2018-16881",
"cwe": {
"id": "CWE-190",
"name": "Integer Overflow or Wraparound"
},
"discovery_date": "2018-12-11T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1658366"
}
],
"notes": [
{
"category": "description",
"text": "A denial of service vulnerability was found in rsyslog in the imptcp module. An attacker could send a specially crafted message to the imptcp socket, which would cause rsyslog to crash.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "rsyslog: imptcp: integer overflow when Octet-Counted TCP Framing is enabled",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-RHEV-4-Hypervisor-7:redhat-virtualization-host-0:4.3.5-20190722.0.el7_7.src",
"7Server-RHEV-4-Hypervisor-7:redhat-virtualization-host-image-update-0:4.3.5-20190722.0.el7_7.noarch",
"7Server-RHEV-4-HypervisorBuild-7:imgbased-0:1.1.9-0.1.el7ev.noarch",
"7Server-RHEV-4-HypervisorBuild-7:imgbased-0:1.1.9-0.1.el7ev.src",
"7Server-RHEV-4-HypervisorBuild-7:ovirt-node-ng-0:4.3.5-0.20190717.0.el7ev.src",
"7Server-RHEV-4-HypervisorBuild-7:ovirt-node-ng-nodectl-0:4.3.5-0.20190717.0.el7ev.noarch",
"7Server-RHEV-4-HypervisorBuild-7:python-imgbased-0:1.1.9-0.1.el7ev.noarch",
"7Server-RHEV-4-HypervisorBuild-7:python2-ovirt-node-ng-nodectl-0:4.3.5-0.20190717.0.el7ev.noarch",
"7Server-RHEV-4-HypervisorBuild-7:redhat-release-virtualization-host-0:4.3.5-2.el7ev.src",
"7Server-RHEV-4-HypervisorBuild-7:redhat-release-virtualization-host-0:4.3.5-2.el7ev.x86_64",
"7Server-RHEV-4-HypervisorBuild-7:redhat-virtualization-host-image-update-placeholder-0:4.3.5-2.el7ev.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2018-16881"
},
{
"category": "external",
"summary": "RHBZ#1658366",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1658366"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2018-16881",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-16881"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2018-16881",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-16881"
}
],
"release_date": "2017-04-19T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2019-08-12T11:56:35+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/2974891",
"product_ids": [
"7Server-RHEV-4-Hypervisor-7:redhat-virtualization-host-0:4.3.5-20190722.0.el7_7.src",
"7Server-RHEV-4-Hypervisor-7:redhat-virtualization-host-image-update-0:4.3.5-20190722.0.el7_7.noarch",
"7Server-RHEV-4-HypervisorBuild-7:imgbased-0:1.1.9-0.1.el7ev.noarch",
"7Server-RHEV-4-HypervisorBuild-7:imgbased-0:1.1.9-0.1.el7ev.src",
"7Server-RHEV-4-HypervisorBuild-7:ovirt-node-ng-0:4.3.5-0.20190717.0.el7ev.src",
"7Server-RHEV-4-HypervisorBuild-7:ovirt-node-ng-nodectl-0:4.3.5-0.20190717.0.el7ev.noarch",
"7Server-RHEV-4-HypervisorBuild-7:python-imgbased-0:1.1.9-0.1.el7ev.noarch",
"7Server-RHEV-4-HypervisorBuild-7:python2-ovirt-node-ng-nodectl-0:4.3.5-0.20190717.0.el7ev.noarch",
"7Server-RHEV-4-HypervisorBuild-7:redhat-release-virtualization-host-0:4.3.5-2.el7ev.src",
"7Server-RHEV-4-HypervisorBuild-7:redhat-release-virtualization-host-0:4.3.5-2.el7ev.x86_64",
"7Server-RHEV-4-HypervisorBuild-7:redhat-virtualization-host-image-update-placeholder-0:4.3.5-2.el7ev.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2019:2437"
},
{
"category": "workaround",
"details": "This vulnerability requires the \"imptcp\" module to be enabled, and listening on a port that can potentially be reached by attackers. This module is not enabled by default in Red Hat Enterprise Linux 7. To check if imptcp is enabled, look for the string `$InputPTCPServerRun`in your rsyslog configuration.",
"product_ids": [
"7Server-RHEV-4-Hypervisor-7:redhat-virtualization-host-0:4.3.5-20190722.0.el7_7.src",
"7Server-RHEV-4-Hypervisor-7:redhat-virtualization-host-image-update-0:4.3.5-20190722.0.el7_7.noarch",
"7Server-RHEV-4-HypervisorBuild-7:imgbased-0:1.1.9-0.1.el7ev.noarch",
"7Server-RHEV-4-HypervisorBuild-7:imgbased-0:1.1.9-0.1.el7ev.src",
"7Server-RHEV-4-HypervisorBuild-7:ovirt-node-ng-0:4.3.5-0.20190717.0.el7ev.src",
"7Server-RHEV-4-HypervisorBuild-7:ovirt-node-ng-nodectl-0:4.3.5-0.20190717.0.el7ev.noarch",
"7Server-RHEV-4-HypervisorBuild-7:python-imgbased-0:1.1.9-0.1.el7ev.noarch",
"7Server-RHEV-4-HypervisorBuild-7:python2-ovirt-node-ng-nodectl-0:4.3.5-0.20190717.0.el7ev.noarch",
"7Server-RHEV-4-HypervisorBuild-7:redhat-release-virtualization-host-0:4.3.5-2.el7ev.src",
"7Server-RHEV-4-HypervisorBuild-7:redhat-release-virtualization-host-0:4.3.5-2.el7ev.x86_64",
"7Server-RHEV-4-HypervisorBuild-7:redhat-virtualization-host-image-update-placeholder-0:4.3.5-2.el7ev.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.0"
},
"products": [
"7Server-RHEV-4-Hypervisor-7:redhat-virtualization-host-0:4.3.5-20190722.0.el7_7.src",
"7Server-RHEV-4-Hypervisor-7:redhat-virtualization-host-image-update-0:4.3.5-20190722.0.el7_7.noarch",
"7Server-RHEV-4-HypervisorBuild-7:imgbased-0:1.1.9-0.1.el7ev.noarch",
"7Server-RHEV-4-HypervisorBuild-7:imgbased-0:1.1.9-0.1.el7ev.src",
"7Server-RHEV-4-HypervisorBuild-7:ovirt-node-ng-0:4.3.5-0.20190717.0.el7ev.src",
"7Server-RHEV-4-HypervisorBuild-7:ovirt-node-ng-nodectl-0:4.3.5-0.20190717.0.el7ev.noarch",
"7Server-RHEV-4-HypervisorBuild-7:python-imgbased-0:1.1.9-0.1.el7ev.noarch",
"7Server-RHEV-4-HypervisorBuild-7:python2-ovirt-node-ng-nodectl-0:4.3.5-0.20190717.0.el7ev.noarch",
"7Server-RHEV-4-HypervisorBuild-7:redhat-release-virtualization-host-0:4.3.5-2.el7ev.src",
"7Server-RHEV-4-HypervisorBuild-7:redhat-release-virtualization-host-0:4.3.5-2.el7ev.x86_64",
"7Server-RHEV-4-HypervisorBuild-7:redhat-virtualization-host-image-update-placeholder-0:4.3.5-2.el7ev.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "rsyslog: imptcp: integer overflow when Octet-Counted TCP Framing is enabled"
},
{
"cve": "CVE-2019-0161",
"cwe": {
"id": "CWE-400",
"name": "Uncontrolled Resource Consumption"
},
"discovery_date": "2019-03-28T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1694065"
}
],
"notes": [
{
"category": "description",
"text": "Stack overflow in XHCI for EDK II may allow an unauthenticated user to potentially enable denial of service via local access.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "edk2: stack overflow in XHCI causing denial of service",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-RHEV-4-Hypervisor-7:redhat-virtualization-host-0:4.3.5-20190722.0.el7_7.src",
"7Server-RHEV-4-Hypervisor-7:redhat-virtualization-host-image-update-0:4.3.5-20190722.0.el7_7.noarch",
"7Server-RHEV-4-HypervisorBuild-7:imgbased-0:1.1.9-0.1.el7ev.noarch",
"7Server-RHEV-4-HypervisorBuild-7:imgbased-0:1.1.9-0.1.el7ev.src",
"7Server-RHEV-4-HypervisorBuild-7:ovirt-node-ng-0:4.3.5-0.20190717.0.el7ev.src",
"7Server-RHEV-4-HypervisorBuild-7:ovirt-node-ng-nodectl-0:4.3.5-0.20190717.0.el7ev.noarch",
"7Server-RHEV-4-HypervisorBuild-7:python-imgbased-0:1.1.9-0.1.el7ev.noarch",
"7Server-RHEV-4-HypervisorBuild-7:python2-ovirt-node-ng-nodectl-0:4.3.5-0.20190717.0.el7ev.noarch",
"7Server-RHEV-4-HypervisorBuild-7:redhat-release-virtualization-host-0:4.3.5-2.el7ev.src",
"7Server-RHEV-4-HypervisorBuild-7:redhat-release-virtualization-host-0:4.3.5-2.el7ev.x86_64",
"7Server-RHEV-4-HypervisorBuild-7:redhat-virtualization-host-image-update-placeholder-0:4.3.5-2.el7ev.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2019-0161"
},
{
"category": "external",
"summary": "RHBZ#1694065",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1694065"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2019-0161",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-0161"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2019-0161",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-0161"
},
{
"category": "external",
"summary": "https://edk2-docs.gitbooks.io/security-advisory/content/xhci-stack-local-stack-overflow.html",
"url": "https://edk2-docs.gitbooks.io/security-advisory/content/xhci-stack-local-stack-overflow.html"
}
],
"release_date": "2018-06-05T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2019-08-12T11:56:35+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/2974891",
"product_ids": [
"7Server-RHEV-4-Hypervisor-7:redhat-virtualization-host-0:4.3.5-20190722.0.el7_7.src",
"7Server-RHEV-4-Hypervisor-7:redhat-virtualization-host-image-update-0:4.3.5-20190722.0.el7_7.noarch",
"7Server-RHEV-4-HypervisorBuild-7:imgbased-0:1.1.9-0.1.el7ev.noarch",
"7Server-RHEV-4-HypervisorBuild-7:imgbased-0:1.1.9-0.1.el7ev.src",
"7Server-RHEV-4-HypervisorBuild-7:ovirt-node-ng-0:4.3.5-0.20190717.0.el7ev.src",
"7Server-RHEV-4-HypervisorBuild-7:ovirt-node-ng-nodectl-0:4.3.5-0.20190717.0.el7ev.noarch",
"7Server-RHEV-4-HypervisorBuild-7:python-imgbased-0:1.1.9-0.1.el7ev.noarch",
"7Server-RHEV-4-HypervisorBuild-7:python2-ovirt-node-ng-nodectl-0:4.3.5-0.20190717.0.el7ev.noarch",
"7Server-RHEV-4-HypervisorBuild-7:redhat-release-virtualization-host-0:4.3.5-2.el7ev.src",
"7Server-RHEV-4-HypervisorBuild-7:redhat-release-virtualization-host-0:4.3.5-2.el7ev.x86_64",
"7Server-RHEV-4-HypervisorBuild-7:redhat-virtualization-host-image-update-placeholder-0:4.3.5-2.el7ev.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2019:2437"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "LOW",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
"version": "3.0"
},
"products": [
"7Server-RHEV-4-Hypervisor-7:redhat-virtualization-host-0:4.3.5-20190722.0.el7_7.src",
"7Server-RHEV-4-Hypervisor-7:redhat-virtualization-host-image-update-0:4.3.5-20190722.0.el7_7.noarch",
"7Server-RHEV-4-HypervisorBuild-7:imgbased-0:1.1.9-0.1.el7ev.noarch",
"7Server-RHEV-4-HypervisorBuild-7:imgbased-0:1.1.9-0.1.el7ev.src",
"7Server-RHEV-4-HypervisorBuild-7:ovirt-node-ng-0:4.3.5-0.20190717.0.el7ev.src",
"7Server-RHEV-4-HypervisorBuild-7:ovirt-node-ng-nodectl-0:4.3.5-0.20190717.0.el7ev.noarch",
"7Server-RHEV-4-HypervisorBuild-7:python-imgbased-0:1.1.9-0.1.el7ev.noarch",
"7Server-RHEV-4-HypervisorBuild-7:python2-ovirt-node-ng-nodectl-0:4.3.5-0.20190717.0.el7ev.noarch",
"7Server-RHEV-4-HypervisorBuild-7:redhat-release-virtualization-host-0:4.3.5-2.el7ev.src",
"7Server-RHEV-4-HypervisorBuild-7:redhat-release-virtualization-host-0:4.3.5-2.el7ev.x86_64",
"7Server-RHEV-4-HypervisorBuild-7:redhat-virtualization-host-image-update-placeholder-0:4.3.5-2.el7ev.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "edk2: stack overflow in XHCI causing denial of service"
},
{
"cve": "CVE-2019-1559",
"cwe": {
"id": "CWE-325",
"name": "Missing Cryptographic Step"
},
"discovery_date": "2019-02-26T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1683804"
}
],
"notes": [
{
"category": "description",
"text": "If an application encounters a fatal protocol error and then calls SSL_shutdown() twice (once to send a close_notify, and once to receive one) then OpenSSL can respond differently to the calling application if a 0 byte record is received with invalid padding compared to if a 0 byte record is received with an invalid MAC. If the application then behaves differently based on that in a way that is detectable to the remote peer, then this amounts to a padding oracle that could be used to decrypt data. In order for this to be exploitable \"non-stitched\" ciphersuites must be in use. Stitched ciphersuites are optimised implementations of certain commonly used ciphersuites. Also the application must call SSL_shutdown() twice even if a protocol error has occurred (applications should not do this but some do anyway). Fixed in OpenSSL 1.0.2r (Affected 1.0.2-1.0.2q).",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "openssl: 0-byte record padding oracle",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "1 For this issue to be exploitable, the (server) application using the OpenSSL library needs to use it incorrectly.\n2. There are multiple other requirements for the attack to succeed: \n - The ciphersuite used must be obsolete CBC cipher without a stitched implementation (or the system be in FIPS mode)\n - the attacker has to be a MITM\n - the attacker has to be able to control the client side to send requests to the buggy server on demand",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-RHEV-4-Hypervisor-7:redhat-virtualization-host-0:4.3.5-20190722.0.el7_7.src",
"7Server-RHEV-4-Hypervisor-7:redhat-virtualization-host-image-update-0:4.3.5-20190722.0.el7_7.noarch",
"7Server-RHEV-4-HypervisorBuild-7:imgbased-0:1.1.9-0.1.el7ev.noarch",
"7Server-RHEV-4-HypervisorBuild-7:imgbased-0:1.1.9-0.1.el7ev.src",
"7Server-RHEV-4-HypervisorBuild-7:ovirt-node-ng-0:4.3.5-0.20190717.0.el7ev.src",
"7Server-RHEV-4-HypervisorBuild-7:ovirt-node-ng-nodectl-0:4.3.5-0.20190717.0.el7ev.noarch",
"7Server-RHEV-4-HypervisorBuild-7:python-imgbased-0:1.1.9-0.1.el7ev.noarch",
"7Server-RHEV-4-HypervisorBuild-7:python2-ovirt-node-ng-nodectl-0:4.3.5-0.20190717.0.el7ev.noarch",
"7Server-RHEV-4-HypervisorBuild-7:redhat-release-virtualization-host-0:4.3.5-2.el7ev.src",
"7Server-RHEV-4-HypervisorBuild-7:redhat-release-virtualization-host-0:4.3.5-2.el7ev.x86_64",
"7Server-RHEV-4-HypervisorBuild-7:redhat-virtualization-host-image-update-placeholder-0:4.3.5-2.el7ev.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2019-1559"
},
{
"category": "external",
"summary": "RHBZ#1683804",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1683804"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2019-1559",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-1559"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2019-1559",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-1559"
},
{
"category": "external",
"summary": "https://github.com/RUB-NDS/TLS-Padding-Oracles",
"url": "https://github.com/RUB-NDS/TLS-Padding-Oracles"
},
{
"category": "external",
"summary": "https://www.openssl.org/news/secadv/20190226.txt",
"url": "https://www.openssl.org/news/secadv/20190226.txt"
}
],
"release_date": "2019-02-26T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2019-08-12T11:56:35+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/2974891",
"product_ids": [
"7Server-RHEV-4-Hypervisor-7:redhat-virtualization-host-0:4.3.5-20190722.0.el7_7.src",
"7Server-RHEV-4-Hypervisor-7:redhat-virtualization-host-image-update-0:4.3.5-20190722.0.el7_7.noarch",
"7Server-RHEV-4-HypervisorBuild-7:imgbased-0:1.1.9-0.1.el7ev.noarch",
"7Server-RHEV-4-HypervisorBuild-7:imgbased-0:1.1.9-0.1.el7ev.src",
"7Server-RHEV-4-HypervisorBuild-7:ovirt-node-ng-0:4.3.5-0.20190717.0.el7ev.src",
"7Server-RHEV-4-HypervisorBuild-7:ovirt-node-ng-nodectl-0:4.3.5-0.20190717.0.el7ev.noarch",
"7Server-RHEV-4-HypervisorBuild-7:python-imgbased-0:1.1.9-0.1.el7ev.noarch",
"7Server-RHEV-4-HypervisorBuild-7:python2-ovirt-node-ng-nodectl-0:4.3.5-0.20190717.0.el7ev.noarch",
"7Server-RHEV-4-HypervisorBuild-7:redhat-release-virtualization-host-0:4.3.5-2.el7ev.src",
"7Server-RHEV-4-HypervisorBuild-7:redhat-release-virtualization-host-0:4.3.5-2.el7ev.x86_64",
"7Server-RHEV-4-HypervisorBuild-7:redhat-virtualization-host-image-update-placeholder-0:4.3.5-2.el7ev.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2019:2437"
},
{
"category": "workaround",
"details": "As a workaround you can disable SHA384 if applications (compiled with OpenSSL) allow for adjustment of the ciphersuite string configuration.",
"product_ids": [
"7Server-RHEV-4-Hypervisor-7:redhat-virtualization-host-0:4.3.5-20190722.0.el7_7.src",
"7Server-RHEV-4-Hypervisor-7:redhat-virtualization-host-image-update-0:4.3.5-20190722.0.el7_7.noarch",
"7Server-RHEV-4-HypervisorBuild-7:imgbased-0:1.1.9-0.1.el7ev.noarch",
"7Server-RHEV-4-HypervisorBuild-7:imgbased-0:1.1.9-0.1.el7ev.src",
"7Server-RHEV-4-HypervisorBuild-7:ovirt-node-ng-0:4.3.5-0.20190717.0.el7ev.src",
"7Server-RHEV-4-HypervisorBuild-7:ovirt-node-ng-nodectl-0:4.3.5-0.20190717.0.el7ev.noarch",
"7Server-RHEV-4-HypervisorBuild-7:python-imgbased-0:1.1.9-0.1.el7ev.noarch",
"7Server-RHEV-4-HypervisorBuild-7:python2-ovirt-node-ng-nodectl-0:4.3.5-0.20190717.0.el7ev.noarch",
"7Server-RHEV-4-HypervisorBuild-7:redhat-release-virtualization-host-0:4.3.5-2.el7ev.src",
"7Server-RHEV-4-HypervisorBuild-7:redhat-release-virtualization-host-0:4.3.5-2.el7ev.x86_64",
"7Server-RHEV-4-HypervisorBuild-7:redhat-virtualization-host-image-update-placeholder-0:4.3.5-2.el7ev.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"products": [
"7Server-RHEV-4-Hypervisor-7:redhat-virtualization-host-0:4.3.5-20190722.0.el7_7.src",
"7Server-RHEV-4-Hypervisor-7:redhat-virtualization-host-image-update-0:4.3.5-20190722.0.el7_7.noarch",
"7Server-RHEV-4-HypervisorBuild-7:imgbased-0:1.1.9-0.1.el7ev.noarch",
"7Server-RHEV-4-HypervisorBuild-7:imgbased-0:1.1.9-0.1.el7ev.src",
"7Server-RHEV-4-HypervisorBuild-7:ovirt-node-ng-0:4.3.5-0.20190717.0.el7ev.src",
"7Server-RHEV-4-HypervisorBuild-7:ovirt-node-ng-nodectl-0:4.3.5-0.20190717.0.el7ev.noarch",
"7Server-RHEV-4-HypervisorBuild-7:python-imgbased-0:1.1.9-0.1.el7ev.noarch",
"7Server-RHEV-4-HypervisorBuild-7:python2-ovirt-node-ng-nodectl-0:4.3.5-0.20190717.0.el7ev.noarch",
"7Server-RHEV-4-HypervisorBuild-7:redhat-release-virtualization-host-0:4.3.5-2.el7ev.src",
"7Server-RHEV-4-HypervisorBuild-7:redhat-release-virtualization-host-0:4.3.5-2.el7ev.x86_64",
"7Server-RHEV-4-HypervisorBuild-7:redhat-virtualization-host-image-update-placeholder-0:4.3.5-2.el7ev.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "openssl: 0-byte record padding oracle"
},
{
"cve": "CVE-2019-10139",
"cwe": {
"id": "CWE-522",
"name": "Insufficiently Protected Credentials"
},
"discovery_date": "2019-05-02T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1709829"
}
],
"notes": [
{
"category": "description",
"text": "During HE deployment via cockpit-ovirt, cockpit-ovirt generates an ansible variable file `/var/lib/ovirt-hosted-engine-setup/cockpit/ansibleVarFileXXXXXX.var` which contains the admin and the appliance passwords as plain-text. At the of the deployment procedure, these files are deleted.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "cockpit-ovirt: admin and appliance passwords saved in plain text variable file during HE deployment",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-RHEV-4-Hypervisor-7:redhat-virtualization-host-0:4.3.5-20190722.0.el7_7.src",
"7Server-RHEV-4-Hypervisor-7:redhat-virtualization-host-image-update-0:4.3.5-20190722.0.el7_7.noarch",
"7Server-RHEV-4-HypervisorBuild-7:imgbased-0:1.1.9-0.1.el7ev.noarch",
"7Server-RHEV-4-HypervisorBuild-7:imgbased-0:1.1.9-0.1.el7ev.src",
"7Server-RHEV-4-HypervisorBuild-7:ovirt-node-ng-0:4.3.5-0.20190717.0.el7ev.src",
"7Server-RHEV-4-HypervisorBuild-7:ovirt-node-ng-nodectl-0:4.3.5-0.20190717.0.el7ev.noarch",
"7Server-RHEV-4-HypervisorBuild-7:python-imgbased-0:1.1.9-0.1.el7ev.noarch",
"7Server-RHEV-4-HypervisorBuild-7:python2-ovirt-node-ng-nodectl-0:4.3.5-0.20190717.0.el7ev.noarch",
"7Server-RHEV-4-HypervisorBuild-7:redhat-release-virtualization-host-0:4.3.5-2.el7ev.src",
"7Server-RHEV-4-HypervisorBuild-7:redhat-release-virtualization-host-0:4.3.5-2.el7ev.x86_64",
"7Server-RHEV-4-HypervisorBuild-7:redhat-virtualization-host-image-update-placeholder-0:4.3.5-2.el7ev.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2019-10139"
},
{
"category": "external",
"summary": "RHBZ#1709829",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1709829"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2019-10139",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-10139"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2019-10139",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-10139"
}
],
"release_date": "2019-05-17T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2019-08-12T11:56:35+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/2974891",
"product_ids": [
"7Server-RHEV-4-Hypervisor-7:redhat-virtualization-host-0:4.3.5-20190722.0.el7_7.src",
"7Server-RHEV-4-Hypervisor-7:redhat-virtualization-host-image-update-0:4.3.5-20190722.0.el7_7.noarch",
"7Server-RHEV-4-HypervisorBuild-7:imgbased-0:1.1.9-0.1.el7ev.noarch",
"7Server-RHEV-4-HypervisorBuild-7:imgbased-0:1.1.9-0.1.el7ev.src",
"7Server-RHEV-4-HypervisorBuild-7:ovirt-node-ng-0:4.3.5-0.20190717.0.el7ev.src",
"7Server-RHEV-4-HypervisorBuild-7:ovirt-node-ng-nodectl-0:4.3.5-0.20190717.0.el7ev.noarch",
"7Server-RHEV-4-HypervisorBuild-7:python-imgbased-0:1.1.9-0.1.el7ev.noarch",
"7Server-RHEV-4-HypervisorBuild-7:python2-ovirt-node-ng-nodectl-0:4.3.5-0.20190717.0.el7ev.noarch",
"7Server-RHEV-4-HypervisorBuild-7:redhat-release-virtualization-host-0:4.3.5-2.el7ev.src",
"7Server-RHEV-4-HypervisorBuild-7:redhat-release-virtualization-host-0:4.3.5-2.el7ev.x86_64",
"7Server-RHEV-4-HypervisorBuild-7:redhat-virtualization-host-image-update-placeholder-0:4.3.5-2.el7ev.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2019:2437"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 5.6,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N",
"version": "3.0"
},
"products": [
"7Server-RHEV-4-Hypervisor-7:redhat-virtualization-host-0:4.3.5-20190722.0.el7_7.src",
"7Server-RHEV-4-Hypervisor-7:redhat-virtualization-host-image-update-0:4.3.5-20190722.0.el7_7.noarch",
"7Server-RHEV-4-HypervisorBuild-7:imgbased-0:1.1.9-0.1.el7ev.noarch",
"7Server-RHEV-4-HypervisorBuild-7:imgbased-0:1.1.9-0.1.el7ev.src",
"7Server-RHEV-4-HypervisorBuild-7:ovirt-node-ng-0:4.3.5-0.20190717.0.el7ev.src",
"7Server-RHEV-4-HypervisorBuild-7:ovirt-node-ng-nodectl-0:4.3.5-0.20190717.0.el7ev.noarch",
"7Server-RHEV-4-HypervisorBuild-7:python-imgbased-0:1.1.9-0.1.el7ev.noarch",
"7Server-RHEV-4-HypervisorBuild-7:python2-ovirt-node-ng-nodectl-0:4.3.5-0.20190717.0.el7ev.noarch",
"7Server-RHEV-4-HypervisorBuild-7:redhat-release-virtualization-host-0:4.3.5-2.el7ev.src",
"7Server-RHEV-4-HypervisorBuild-7:redhat-release-virtualization-host-0:4.3.5-2.el7ev.x86_64",
"7Server-RHEV-4-HypervisorBuild-7:redhat-virtualization-host-image-update-placeholder-0:4.3.5-2.el7ev.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "cockpit-ovirt: admin and appliance passwords saved in plain text variable file during HE deployment"
},
{
"acknowledgments": [
{
"names": [
"Riccardo Schirone"
],
"organization": "Red Hat",
"summary": "This issue was discovered by Red Hat."
}
],
"cve": "CVE-2019-10160",
"cwe": {
"id": "CWE-172",
"name": "Encoding Error"
},
"discovery_date": "2019-06-07T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1718388"
}
],
"notes": [
{
"category": "description",
"text": "A security regression of CVE-2019-9636 was discovered in python, since commit d537ab0ff9767ef024f26246899728f0116b1ec3, which still allows an attacker to exploit CVE-2019-9636 by abusing the user and password parts of a URL. When an application parses user-supplied URLs to store cookies, authentication credentials, or other kind of information, it is possible for an attacker to provide specially crafted URLs to make the application locate host-related information (e.g. cookies, authentication data) and send them to a different host than where it should, unlike if the URLs had been correctly parsed. The result of an attack may vary based on the application.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "python: regression of CVE-2019-9636 due to functional fix to allow port numbers in netloc",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This issue did not affect the versions of python as shipped with Red Hat Enterprise Linux 5 and 6 as the security regression was not introduced in those versions. See CVE-2019-9636 for more details about the how these versions of Red Hat Enterprise Linux are affected with regard to the original flaw.\n\nThis issue did not affect the versions of python as shipped with Red Hat Enterprise Linux 8 as the security regression was not introduced in those versions. See CVE-2019-9636 for more details about the how these versions of Red Hat Enterprise Linux are affected with regard to the original flaw.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-RHEV-4-Hypervisor-7:redhat-virtualization-host-0:4.3.5-20190722.0.el7_7.src",
"7Server-RHEV-4-Hypervisor-7:redhat-virtualization-host-image-update-0:4.3.5-20190722.0.el7_7.noarch",
"7Server-RHEV-4-HypervisorBuild-7:imgbased-0:1.1.9-0.1.el7ev.noarch",
"7Server-RHEV-4-HypervisorBuild-7:imgbased-0:1.1.9-0.1.el7ev.src",
"7Server-RHEV-4-HypervisorBuild-7:ovirt-node-ng-0:4.3.5-0.20190717.0.el7ev.src",
"7Server-RHEV-4-HypervisorBuild-7:ovirt-node-ng-nodectl-0:4.3.5-0.20190717.0.el7ev.noarch",
"7Server-RHEV-4-HypervisorBuild-7:python-imgbased-0:1.1.9-0.1.el7ev.noarch",
"7Server-RHEV-4-HypervisorBuild-7:python2-ovirt-node-ng-nodectl-0:4.3.5-0.20190717.0.el7ev.noarch",
"7Server-RHEV-4-HypervisorBuild-7:redhat-release-virtualization-host-0:4.3.5-2.el7ev.src",
"7Server-RHEV-4-HypervisorBuild-7:redhat-release-virtualization-host-0:4.3.5-2.el7ev.x86_64",
"7Server-RHEV-4-HypervisorBuild-7:redhat-virtualization-host-image-update-placeholder-0:4.3.5-2.el7ev.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2019-10160"
},
{
"category": "external",
"summary": "RHBZ#1718388",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1718388"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2019-10160",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-10160"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2019-10160",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-10160"
},
{
"category": "external",
"summary": "https://python-security.readthedocs.io/vuln/urlsplit-nfkc-normalization2.html",
"url": "https://python-security.readthedocs.io/vuln/urlsplit-nfkc-normalization2.html"
}
],
"release_date": "2019-06-03T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2019-08-12T11:56:35+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/2974891",
"product_ids": [
"7Server-RHEV-4-Hypervisor-7:redhat-virtualization-host-0:4.3.5-20190722.0.el7_7.src",
"7Server-RHEV-4-Hypervisor-7:redhat-virtualization-host-image-update-0:4.3.5-20190722.0.el7_7.noarch",
"7Server-RHEV-4-HypervisorBuild-7:imgbased-0:1.1.9-0.1.el7ev.noarch",
"7Server-RHEV-4-HypervisorBuild-7:imgbased-0:1.1.9-0.1.el7ev.src",
"7Server-RHEV-4-HypervisorBuild-7:ovirt-node-ng-0:4.3.5-0.20190717.0.el7ev.src",
"7Server-RHEV-4-HypervisorBuild-7:ovirt-node-ng-nodectl-0:4.3.5-0.20190717.0.el7ev.noarch",
"7Server-RHEV-4-HypervisorBuild-7:python-imgbased-0:1.1.9-0.1.el7ev.noarch",
"7Server-RHEV-4-HypervisorBuild-7:python2-ovirt-node-ng-nodectl-0:4.3.5-0.20190717.0.el7ev.noarch",
"7Server-RHEV-4-HypervisorBuild-7:redhat-release-virtualization-host-0:4.3.5-2.el7ev.src",
"7Server-RHEV-4-HypervisorBuild-7:redhat-release-virtualization-host-0:4.3.5-2.el7ev.x86_64",
"7Server-RHEV-4-HypervisorBuild-7:redhat-virtualization-host-image-update-placeholder-0:4.3.5-2.el7ev.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2019:2437"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
},
"products": [
"7Server-RHEV-4-Hypervisor-7:redhat-virtualization-host-0:4.3.5-20190722.0.el7_7.src",
"7Server-RHEV-4-Hypervisor-7:redhat-virtualization-host-image-update-0:4.3.5-20190722.0.el7_7.noarch",
"7Server-RHEV-4-HypervisorBuild-7:imgbased-0:1.1.9-0.1.el7ev.noarch",
"7Server-RHEV-4-HypervisorBuild-7:imgbased-0:1.1.9-0.1.el7ev.src",
"7Server-RHEV-4-HypervisorBuild-7:ovirt-node-ng-0:4.3.5-0.20190717.0.el7ev.src",
"7Server-RHEV-4-HypervisorBuild-7:ovirt-node-ng-nodectl-0:4.3.5-0.20190717.0.el7ev.noarch",
"7Server-RHEV-4-HypervisorBuild-7:python-imgbased-0:1.1.9-0.1.el7ev.noarch",
"7Server-RHEV-4-HypervisorBuild-7:python2-ovirt-node-ng-nodectl-0:4.3.5-0.20190717.0.el7ev.noarch",
"7Server-RHEV-4-HypervisorBuild-7:redhat-release-virtualization-host-0:4.3.5-2.el7ev.src",
"7Server-RHEV-4-HypervisorBuild-7:redhat-release-virtualization-host-0:4.3.5-2.el7ev.x86_64",
"7Server-RHEV-4-HypervisorBuild-7:redhat-virtualization-host-image-update-placeholder-0:4.3.5-2.el7ev.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "python: regression of CVE-2019-9636 due to functional fix to allow port numbers in netloc"
}
]
}
RHSA-2019:2437
Vulnerability from csaf_redhat - Published: 2019-08-12 11:56 - Updated: 2025-11-21 18:09Summary
Red Hat Security Advisory: Red Hat Virtualization security update
Notes
Topic
An update for redhat-virtualization-host is now available for Red Hat Virtualization 4 for Red Hat Enterprise Linux 7.
Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details
The redhat-virtualization-host packages provide the Red Hat Virtualization Host. These packages include redhat-release-virtualization-host, ovirt-node, and rhev-hypervisor. Red Hat Virtualization Hosts (RHVH) are installed using a special build of Red Hat Enterprise Linux with only the packages required to host virtual machines. RHVH features a Cockpit user interface for monitoring the host's resources and performing administrative tasks.
The following packages have been upgraded to a later upstream version: imgbased (1.1.9), ovirt-node-ng (4.3.5), redhat-release-virtualization-host (4.3.5), redhat-virtualization-host (4.3.5). (BZ#1669357, BZ#1669365, BZ#1684986, BZ#1711193, BZ#1717250, BZ#1726917)
Security Fix(es):
* python: regression of CVE-2019-9636 due to functional fix to allow port numbers in netloc (CVE-2019-10160)
* rsyslog: imptcp: integer overflow when Octet-Counted TCP Framing is enabled (CVE-2018-16881)
* edk2: stack overflow in XHCI causing denial of service (CVE-2019-0161)
* openssl: 0-byte record padding oracle (CVE-2019-1559)
* cockpit-ovirt: admin and appliance passwords saved in plain text variable file during HE deployment (CVE-2019-10139)
* sssd: improper implementation of GPOs due to too restrictive permissions (CVE-2018-16838)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An update for redhat-virtualization-host is now available for Red Hat Virtualization 4 for Red Hat Enterprise Linux 7.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "The redhat-virtualization-host packages provide the Red Hat Virtualization Host. These packages include redhat-release-virtualization-host, ovirt-node, and rhev-hypervisor. Red Hat Virtualization Hosts (RHVH) are installed using a special build of Red Hat Enterprise Linux with only the packages required to host virtual machines. RHVH features a Cockpit user interface for monitoring the host\u0027s resources and performing administrative tasks.\n\nThe following packages have been upgraded to a later upstream version: imgbased (1.1.9), ovirt-node-ng (4.3.5), redhat-release-virtualization-host (4.3.5), redhat-virtualization-host (4.3.5). (BZ#1669357, BZ#1669365, BZ#1684986, BZ#1711193, BZ#1717250, BZ#1726917)\n\nSecurity Fix(es):\n\n* python: regression of CVE-2019-9636 due to functional fix to allow port numbers in netloc (CVE-2019-10160)\n\n* rsyslog: imptcp: integer overflow when Octet-Counted TCP Framing is enabled (CVE-2018-16881)\n\n* edk2: stack overflow in XHCI causing denial of service (CVE-2019-0161)\n\n* openssl: 0-byte record padding oracle (CVE-2019-1559)\n\n* cockpit-ovirt: admin and appliance passwords saved in plain text variable file during HE deployment (CVE-2019-10139)\n\n* sssd: improper implementation of GPOs due to too restrictive permissions (CVE-2018-16838)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2019:2437",
"url": "https://access.redhat.com/errata/RHSA-2019:2437"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#important",
"url": "https://access.redhat.com/security/updates/classification/#important"
},
{
"category": "external",
"summary": "1640820",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1640820"
},
{
"category": "external",
"summary": "1658366",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1658366"
},
{
"category": "external",
"summary": "1683804",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1683804"
},
{
"category": "external",
"summary": "1687920",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1687920"
},
{
"category": "external",
"summary": "1694065",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1694065"
},
{
"category": "external",
"summary": "1702223",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1702223"
},
{
"category": "external",
"summary": "1709829",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1709829"
},
{
"category": "external",
"summary": "1718388",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1718388"
},
{
"category": "external",
"summary": "1720156",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1720156"
},
{
"category": "external",
"summary": "1720160",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1720160"
},
{
"category": "external",
"summary": "1720310",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1720310"
},
{
"category": "external",
"summary": "1720434",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1720434"
},
{
"category": "external",
"summary": "1720435",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1720435"
},
{
"category": "external",
"summary": "1720436",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1720436"
},
{
"category": "external",
"summary": "1724044",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1724044"
},
{
"category": "external",
"summary": "1726534",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1726534"
},
{
"category": "external",
"summary": "1727007",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1727007"
},
{
"category": "external",
"summary": "1727859",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1727859"
},
{
"category": "external",
"summary": "1728998",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1728998"
},
{
"category": "external",
"summary": "1729023",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1729023"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2019/rhsa-2019_2437.json"
}
],
"title": "Red Hat Security Advisory: Red Hat Virtualization security update",
"tracking": {
"current_release_date": "2025-11-21T18:09:44+00:00",
"generator": {
"date": "2025-11-21T18:09:44+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.6.12"
}
},
"id": "RHSA-2019:2437",
"initial_release_date": "2019-08-12T11:56:35+00:00",
"revision_history": [
{
"date": "2019-08-12T11:56:35+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2019-08-12T11:56:35+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2025-11-21T18:09:44+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "RHEL 7-based RHEV-H for RHEV 4 (build requirements)",
"product": {
"name": "RHEL 7-based RHEV-H for RHEV 4 (build requirements)",
"product_id": "7Server-RHEV-4-HypervisorBuild-7",
"product_identification_helper": {
"cpe": "cpe:/o:redhat:enterprise_linux:7::hypervisor"
}
}
},
{
"category": "product_name",
"name": "Red Hat Virtualization 4 Hypervisor for RHEL 7",
"product": {
"name": "Red Hat Virtualization 4 Hypervisor for RHEL 7",
"product_id": "7Server-RHEV-4-Hypervisor-7",
"product_identification_helper": {
"cpe": "cpe:/o:redhat:enterprise_linux:7::hypervisor"
}
}
}
],
"category": "product_family",
"name": "Red Hat Virtualization"
},
{
"branches": [
{
"category": "product_version",
"name": "redhat-virtualization-host-image-update-placeholder-0:4.3.5-2.el7ev.noarch",
"product": {
"name": "redhat-virtualization-host-image-update-placeholder-0:4.3.5-2.el7ev.noarch",
"product_id": "redhat-virtualization-host-image-update-placeholder-0:4.3.5-2.el7ev.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/redhat-virtualization-host-image-update-placeholder@4.3.5-2.el7ev?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "python-imgbased-0:1.1.9-0.1.el7ev.noarch",
"product": {
"name": "python-imgbased-0:1.1.9-0.1.el7ev.noarch",
"product_id": "python-imgbased-0:1.1.9-0.1.el7ev.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/python-imgbased@1.1.9-0.1.el7ev?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "imgbased-0:1.1.9-0.1.el7ev.noarch",
"product": {
"name": "imgbased-0:1.1.9-0.1.el7ev.noarch",
"product_id": "imgbased-0:1.1.9-0.1.el7ev.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/imgbased@1.1.9-0.1.el7ev?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "python2-ovirt-node-ng-nodectl-0:4.3.5-0.20190717.0.el7ev.noarch",
"product": {
"name": "python2-ovirt-node-ng-nodectl-0:4.3.5-0.20190717.0.el7ev.noarch",
"product_id": "python2-ovirt-node-ng-nodectl-0:4.3.5-0.20190717.0.el7ev.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/python2-ovirt-node-ng-nodectl@4.3.5-0.20190717.0.el7ev?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "ovirt-node-ng-nodectl-0:4.3.5-0.20190717.0.el7ev.noarch",
"product": {
"name": "ovirt-node-ng-nodectl-0:4.3.5-0.20190717.0.el7ev.noarch",
"product_id": "ovirt-node-ng-nodectl-0:4.3.5-0.20190717.0.el7ev.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/ovirt-node-ng-nodectl@4.3.5-0.20190717.0.el7ev?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "redhat-virtualization-host-image-update-0:4.3.5-20190722.0.el7_7.noarch",
"product": {
"name": "redhat-virtualization-host-image-update-0:4.3.5-20190722.0.el7_7.noarch",
"product_id": "redhat-virtualization-host-image-update-0:4.3.5-20190722.0.el7_7.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/redhat-virtualization-host-image-update@4.3.5-20190722.0.el7_7?arch=noarch"
}
}
}
],
"category": "architecture",
"name": "noarch"
},
{
"branches": [
{
"category": "product_version",
"name": "redhat-release-virtualization-host-0:4.3.5-2.el7ev.x86_64",
"product": {
"name": "redhat-release-virtualization-host-0:4.3.5-2.el7ev.x86_64",
"product_id": "redhat-release-virtualization-host-0:4.3.5-2.el7ev.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/redhat-release-virtualization-host@4.3.5-2.el7ev?arch=x86_64"
}
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_version",
"name": "redhat-release-virtualization-host-0:4.3.5-2.el7ev.src",
"product": {
"name": "redhat-release-virtualization-host-0:4.3.5-2.el7ev.src",
"product_id": "redhat-release-virtualization-host-0:4.3.5-2.el7ev.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/redhat-release-virtualization-host@4.3.5-2.el7ev?arch=src"
}
}
},
{
"category": "product_version",
"name": "imgbased-0:1.1.9-0.1.el7ev.src",
"product": {
"name": "imgbased-0:1.1.9-0.1.el7ev.src",
"product_id": "imgbased-0:1.1.9-0.1.el7ev.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/imgbased@1.1.9-0.1.el7ev?arch=src"
}
}
},
{
"category": "product_version",
"name": "ovirt-node-ng-0:4.3.5-0.20190717.0.el7ev.src",
"product": {
"name": "ovirt-node-ng-0:4.3.5-0.20190717.0.el7ev.src",
"product_id": "ovirt-node-ng-0:4.3.5-0.20190717.0.el7ev.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/ovirt-node-ng@4.3.5-0.20190717.0.el7ev?arch=src"
}
}
},
{
"category": "product_version",
"name": "redhat-virtualization-host-0:4.3.5-20190722.0.el7_7.src",
"product": {
"name": "redhat-virtualization-host-0:4.3.5-20190722.0.el7_7.src",
"product_id": "redhat-virtualization-host-0:4.3.5-20190722.0.el7_7.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/redhat-virtualization-host@4.3.5-20190722.0.el7_7?arch=src"
}
}
}
],
"category": "architecture",
"name": "src"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "redhat-virtualization-host-0:4.3.5-20190722.0.el7_7.src as a component of Red Hat Virtualization 4 Hypervisor for RHEL 7",
"product_id": "7Server-RHEV-4-Hypervisor-7:redhat-virtualization-host-0:4.3.5-20190722.0.el7_7.src"
},
"product_reference": "redhat-virtualization-host-0:4.3.5-20190722.0.el7_7.src",
"relates_to_product_reference": "7Server-RHEV-4-Hypervisor-7"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "redhat-virtualization-host-image-update-0:4.3.5-20190722.0.el7_7.noarch as a component of Red Hat Virtualization 4 Hypervisor for RHEL 7",
"product_id": "7Server-RHEV-4-Hypervisor-7:redhat-virtualization-host-image-update-0:4.3.5-20190722.0.el7_7.noarch"
},
"product_reference": "redhat-virtualization-host-image-update-0:4.3.5-20190722.0.el7_7.noarch",
"relates_to_product_reference": "7Server-RHEV-4-Hypervisor-7"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "imgbased-0:1.1.9-0.1.el7ev.noarch as a component of RHEL 7-based RHEV-H for RHEV 4 (build requirements)",
"product_id": "7Server-RHEV-4-HypervisorBuild-7:imgbased-0:1.1.9-0.1.el7ev.noarch"
},
"product_reference": "imgbased-0:1.1.9-0.1.el7ev.noarch",
"relates_to_product_reference": "7Server-RHEV-4-HypervisorBuild-7"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "imgbased-0:1.1.9-0.1.el7ev.src as a component of RHEL 7-based RHEV-H for RHEV 4 (build requirements)",
"product_id": "7Server-RHEV-4-HypervisorBuild-7:imgbased-0:1.1.9-0.1.el7ev.src"
},
"product_reference": "imgbased-0:1.1.9-0.1.el7ev.src",
"relates_to_product_reference": "7Server-RHEV-4-HypervisorBuild-7"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ovirt-node-ng-0:4.3.5-0.20190717.0.el7ev.src as a component of RHEL 7-based RHEV-H for RHEV 4 (build requirements)",
"product_id": "7Server-RHEV-4-HypervisorBuild-7:ovirt-node-ng-0:4.3.5-0.20190717.0.el7ev.src"
},
"product_reference": "ovirt-node-ng-0:4.3.5-0.20190717.0.el7ev.src",
"relates_to_product_reference": "7Server-RHEV-4-HypervisorBuild-7"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ovirt-node-ng-nodectl-0:4.3.5-0.20190717.0.el7ev.noarch as a component of RHEL 7-based RHEV-H for RHEV 4 (build requirements)",
"product_id": "7Server-RHEV-4-HypervisorBuild-7:ovirt-node-ng-nodectl-0:4.3.5-0.20190717.0.el7ev.noarch"
},
"product_reference": "ovirt-node-ng-nodectl-0:4.3.5-0.20190717.0.el7ev.noarch",
"relates_to_product_reference": "7Server-RHEV-4-HypervisorBuild-7"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python-imgbased-0:1.1.9-0.1.el7ev.noarch as a component of RHEL 7-based RHEV-H for RHEV 4 (build requirements)",
"product_id": "7Server-RHEV-4-HypervisorBuild-7:python-imgbased-0:1.1.9-0.1.el7ev.noarch"
},
"product_reference": "python-imgbased-0:1.1.9-0.1.el7ev.noarch",
"relates_to_product_reference": "7Server-RHEV-4-HypervisorBuild-7"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python2-ovirt-node-ng-nodectl-0:4.3.5-0.20190717.0.el7ev.noarch as a component of RHEL 7-based RHEV-H for RHEV 4 (build requirements)",
"product_id": "7Server-RHEV-4-HypervisorBuild-7:python2-ovirt-node-ng-nodectl-0:4.3.5-0.20190717.0.el7ev.noarch"
},
"product_reference": "python2-ovirt-node-ng-nodectl-0:4.3.5-0.20190717.0.el7ev.noarch",
"relates_to_product_reference": "7Server-RHEV-4-HypervisorBuild-7"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "redhat-release-virtualization-host-0:4.3.5-2.el7ev.src as a component of RHEL 7-based RHEV-H for RHEV 4 (build requirements)",
"product_id": "7Server-RHEV-4-HypervisorBuild-7:redhat-release-virtualization-host-0:4.3.5-2.el7ev.src"
},
"product_reference": "redhat-release-virtualization-host-0:4.3.5-2.el7ev.src",
"relates_to_product_reference": "7Server-RHEV-4-HypervisorBuild-7"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "redhat-release-virtualization-host-0:4.3.5-2.el7ev.x86_64 as a component of RHEL 7-based RHEV-H for RHEV 4 (build requirements)",
"product_id": "7Server-RHEV-4-HypervisorBuild-7:redhat-release-virtualization-host-0:4.3.5-2.el7ev.x86_64"
},
"product_reference": "redhat-release-virtualization-host-0:4.3.5-2.el7ev.x86_64",
"relates_to_product_reference": "7Server-RHEV-4-HypervisorBuild-7"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "redhat-virtualization-host-image-update-placeholder-0:4.3.5-2.el7ev.noarch as a component of RHEL 7-based RHEV-H for RHEV 4 (build requirements)",
"product_id": "7Server-RHEV-4-HypervisorBuild-7:redhat-virtualization-host-image-update-placeholder-0:4.3.5-2.el7ev.noarch"
},
"product_reference": "redhat-virtualization-host-image-update-placeholder-0:4.3.5-2.el7ev.noarch",
"relates_to_product_reference": "7Server-RHEV-4-HypervisorBuild-7"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2018-16838",
"cwe": {
"id": "CWE-269",
"name": "Improper Privilege Management"
},
"discovery_date": "2018-10-18T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1640820"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in sssd Group Policy Objects implementation. When the GPO is not readable by SSSD due to a too strict permission settings on the server side, SSSD will allow all authenticated users to login instead of denying access.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "sssd: improper implementation of GPOs due to too restrictive permissions",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-RHEV-4-Hypervisor-7:redhat-virtualization-host-0:4.3.5-20190722.0.el7_7.src",
"7Server-RHEV-4-Hypervisor-7:redhat-virtualization-host-image-update-0:4.3.5-20190722.0.el7_7.noarch",
"7Server-RHEV-4-HypervisorBuild-7:imgbased-0:1.1.9-0.1.el7ev.noarch",
"7Server-RHEV-4-HypervisorBuild-7:imgbased-0:1.1.9-0.1.el7ev.src",
"7Server-RHEV-4-HypervisorBuild-7:ovirt-node-ng-0:4.3.5-0.20190717.0.el7ev.src",
"7Server-RHEV-4-HypervisorBuild-7:ovirt-node-ng-nodectl-0:4.3.5-0.20190717.0.el7ev.noarch",
"7Server-RHEV-4-HypervisorBuild-7:python-imgbased-0:1.1.9-0.1.el7ev.noarch",
"7Server-RHEV-4-HypervisorBuild-7:python2-ovirt-node-ng-nodectl-0:4.3.5-0.20190717.0.el7ev.noarch",
"7Server-RHEV-4-HypervisorBuild-7:redhat-release-virtualization-host-0:4.3.5-2.el7ev.src",
"7Server-RHEV-4-HypervisorBuild-7:redhat-release-virtualization-host-0:4.3.5-2.el7ev.x86_64",
"7Server-RHEV-4-HypervisorBuild-7:redhat-virtualization-host-image-update-placeholder-0:4.3.5-2.el7ev.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2018-16838"
},
{
"category": "external",
"summary": "RHBZ#1640820",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1640820"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2018-16838",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-16838"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2018-16838",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-16838"
}
],
"release_date": "2019-02-04T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2019-08-12T11:56:35+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/2974891",
"product_ids": [
"7Server-RHEV-4-Hypervisor-7:redhat-virtualization-host-0:4.3.5-20190722.0.el7_7.src",
"7Server-RHEV-4-Hypervisor-7:redhat-virtualization-host-image-update-0:4.3.5-20190722.0.el7_7.noarch",
"7Server-RHEV-4-HypervisorBuild-7:imgbased-0:1.1.9-0.1.el7ev.noarch",
"7Server-RHEV-4-HypervisorBuild-7:imgbased-0:1.1.9-0.1.el7ev.src",
"7Server-RHEV-4-HypervisorBuild-7:ovirt-node-ng-0:4.3.5-0.20190717.0.el7ev.src",
"7Server-RHEV-4-HypervisorBuild-7:ovirt-node-ng-nodectl-0:4.3.5-0.20190717.0.el7ev.noarch",
"7Server-RHEV-4-HypervisorBuild-7:python-imgbased-0:1.1.9-0.1.el7ev.noarch",
"7Server-RHEV-4-HypervisorBuild-7:python2-ovirt-node-ng-nodectl-0:4.3.5-0.20190717.0.el7ev.noarch",
"7Server-RHEV-4-HypervisorBuild-7:redhat-release-virtualization-host-0:4.3.5-2.el7ev.src",
"7Server-RHEV-4-HypervisorBuild-7:redhat-release-virtualization-host-0:4.3.5-2.el7ev.x86_64",
"7Server-RHEV-4-HypervisorBuild-7:redhat-virtualization-host-image-update-placeholder-0:4.3.5-2.el7ev.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2019:2437"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
"version": "3.0"
},
"products": [
"7Server-RHEV-4-Hypervisor-7:redhat-virtualization-host-0:4.3.5-20190722.0.el7_7.src",
"7Server-RHEV-4-Hypervisor-7:redhat-virtualization-host-image-update-0:4.3.5-20190722.0.el7_7.noarch",
"7Server-RHEV-4-HypervisorBuild-7:imgbased-0:1.1.9-0.1.el7ev.noarch",
"7Server-RHEV-4-HypervisorBuild-7:imgbased-0:1.1.9-0.1.el7ev.src",
"7Server-RHEV-4-HypervisorBuild-7:ovirt-node-ng-0:4.3.5-0.20190717.0.el7ev.src",
"7Server-RHEV-4-HypervisorBuild-7:ovirt-node-ng-nodectl-0:4.3.5-0.20190717.0.el7ev.noarch",
"7Server-RHEV-4-HypervisorBuild-7:python-imgbased-0:1.1.9-0.1.el7ev.noarch",
"7Server-RHEV-4-HypervisorBuild-7:python2-ovirt-node-ng-nodectl-0:4.3.5-0.20190717.0.el7ev.noarch",
"7Server-RHEV-4-HypervisorBuild-7:redhat-release-virtualization-host-0:4.3.5-2.el7ev.src",
"7Server-RHEV-4-HypervisorBuild-7:redhat-release-virtualization-host-0:4.3.5-2.el7ev.x86_64",
"7Server-RHEV-4-HypervisorBuild-7:redhat-virtualization-host-image-update-placeholder-0:4.3.5-2.el7ev.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "sssd: improper implementation of GPOs due to too restrictive permissions"
},
{
"acknowledgments": [
{
"names": [
"Joel Miller"
],
"organization": "Pennsylvania Higher Education Assistance Agency"
}
],
"cve": "CVE-2018-16881",
"cwe": {
"id": "CWE-190",
"name": "Integer Overflow or Wraparound"
},
"discovery_date": "2018-12-11T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1658366"
}
],
"notes": [
{
"category": "description",
"text": "A denial of service vulnerability was found in rsyslog in the imptcp module. An attacker could send a specially crafted message to the imptcp socket, which would cause rsyslog to crash.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "rsyslog: imptcp: integer overflow when Octet-Counted TCP Framing is enabled",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-RHEV-4-Hypervisor-7:redhat-virtualization-host-0:4.3.5-20190722.0.el7_7.src",
"7Server-RHEV-4-Hypervisor-7:redhat-virtualization-host-image-update-0:4.3.5-20190722.0.el7_7.noarch",
"7Server-RHEV-4-HypervisorBuild-7:imgbased-0:1.1.9-0.1.el7ev.noarch",
"7Server-RHEV-4-HypervisorBuild-7:imgbased-0:1.1.9-0.1.el7ev.src",
"7Server-RHEV-4-HypervisorBuild-7:ovirt-node-ng-0:4.3.5-0.20190717.0.el7ev.src",
"7Server-RHEV-4-HypervisorBuild-7:ovirt-node-ng-nodectl-0:4.3.5-0.20190717.0.el7ev.noarch",
"7Server-RHEV-4-HypervisorBuild-7:python-imgbased-0:1.1.9-0.1.el7ev.noarch",
"7Server-RHEV-4-HypervisorBuild-7:python2-ovirt-node-ng-nodectl-0:4.3.5-0.20190717.0.el7ev.noarch",
"7Server-RHEV-4-HypervisorBuild-7:redhat-release-virtualization-host-0:4.3.5-2.el7ev.src",
"7Server-RHEV-4-HypervisorBuild-7:redhat-release-virtualization-host-0:4.3.5-2.el7ev.x86_64",
"7Server-RHEV-4-HypervisorBuild-7:redhat-virtualization-host-image-update-placeholder-0:4.3.5-2.el7ev.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2018-16881"
},
{
"category": "external",
"summary": "RHBZ#1658366",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1658366"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2018-16881",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-16881"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2018-16881",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-16881"
}
],
"release_date": "2017-04-19T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2019-08-12T11:56:35+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/2974891",
"product_ids": [
"7Server-RHEV-4-Hypervisor-7:redhat-virtualization-host-0:4.3.5-20190722.0.el7_7.src",
"7Server-RHEV-4-Hypervisor-7:redhat-virtualization-host-image-update-0:4.3.5-20190722.0.el7_7.noarch",
"7Server-RHEV-4-HypervisorBuild-7:imgbased-0:1.1.9-0.1.el7ev.noarch",
"7Server-RHEV-4-HypervisorBuild-7:imgbased-0:1.1.9-0.1.el7ev.src",
"7Server-RHEV-4-HypervisorBuild-7:ovirt-node-ng-0:4.3.5-0.20190717.0.el7ev.src",
"7Server-RHEV-4-HypervisorBuild-7:ovirt-node-ng-nodectl-0:4.3.5-0.20190717.0.el7ev.noarch",
"7Server-RHEV-4-HypervisorBuild-7:python-imgbased-0:1.1.9-0.1.el7ev.noarch",
"7Server-RHEV-4-HypervisorBuild-7:python2-ovirt-node-ng-nodectl-0:4.3.5-0.20190717.0.el7ev.noarch",
"7Server-RHEV-4-HypervisorBuild-7:redhat-release-virtualization-host-0:4.3.5-2.el7ev.src",
"7Server-RHEV-4-HypervisorBuild-7:redhat-release-virtualization-host-0:4.3.5-2.el7ev.x86_64",
"7Server-RHEV-4-HypervisorBuild-7:redhat-virtualization-host-image-update-placeholder-0:4.3.5-2.el7ev.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2019:2437"
},
{
"category": "workaround",
"details": "This vulnerability requires the \"imptcp\" module to be enabled, and listening on a port that can potentially be reached by attackers. This module is not enabled by default in Red Hat Enterprise Linux 7. To check if imptcp is enabled, look for the string `$InputPTCPServerRun`in your rsyslog configuration.",
"product_ids": [
"7Server-RHEV-4-Hypervisor-7:redhat-virtualization-host-0:4.3.5-20190722.0.el7_7.src",
"7Server-RHEV-4-Hypervisor-7:redhat-virtualization-host-image-update-0:4.3.5-20190722.0.el7_7.noarch",
"7Server-RHEV-4-HypervisorBuild-7:imgbased-0:1.1.9-0.1.el7ev.noarch",
"7Server-RHEV-4-HypervisorBuild-7:imgbased-0:1.1.9-0.1.el7ev.src",
"7Server-RHEV-4-HypervisorBuild-7:ovirt-node-ng-0:4.3.5-0.20190717.0.el7ev.src",
"7Server-RHEV-4-HypervisorBuild-7:ovirt-node-ng-nodectl-0:4.3.5-0.20190717.0.el7ev.noarch",
"7Server-RHEV-4-HypervisorBuild-7:python-imgbased-0:1.1.9-0.1.el7ev.noarch",
"7Server-RHEV-4-HypervisorBuild-7:python2-ovirt-node-ng-nodectl-0:4.3.5-0.20190717.0.el7ev.noarch",
"7Server-RHEV-4-HypervisorBuild-7:redhat-release-virtualization-host-0:4.3.5-2.el7ev.src",
"7Server-RHEV-4-HypervisorBuild-7:redhat-release-virtualization-host-0:4.3.5-2.el7ev.x86_64",
"7Server-RHEV-4-HypervisorBuild-7:redhat-virtualization-host-image-update-placeholder-0:4.3.5-2.el7ev.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.0"
},
"products": [
"7Server-RHEV-4-Hypervisor-7:redhat-virtualization-host-0:4.3.5-20190722.0.el7_7.src",
"7Server-RHEV-4-Hypervisor-7:redhat-virtualization-host-image-update-0:4.3.5-20190722.0.el7_7.noarch",
"7Server-RHEV-4-HypervisorBuild-7:imgbased-0:1.1.9-0.1.el7ev.noarch",
"7Server-RHEV-4-HypervisorBuild-7:imgbased-0:1.1.9-0.1.el7ev.src",
"7Server-RHEV-4-HypervisorBuild-7:ovirt-node-ng-0:4.3.5-0.20190717.0.el7ev.src",
"7Server-RHEV-4-HypervisorBuild-7:ovirt-node-ng-nodectl-0:4.3.5-0.20190717.0.el7ev.noarch",
"7Server-RHEV-4-HypervisorBuild-7:python-imgbased-0:1.1.9-0.1.el7ev.noarch",
"7Server-RHEV-4-HypervisorBuild-7:python2-ovirt-node-ng-nodectl-0:4.3.5-0.20190717.0.el7ev.noarch",
"7Server-RHEV-4-HypervisorBuild-7:redhat-release-virtualization-host-0:4.3.5-2.el7ev.src",
"7Server-RHEV-4-HypervisorBuild-7:redhat-release-virtualization-host-0:4.3.5-2.el7ev.x86_64",
"7Server-RHEV-4-HypervisorBuild-7:redhat-virtualization-host-image-update-placeholder-0:4.3.5-2.el7ev.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "rsyslog: imptcp: integer overflow when Octet-Counted TCP Framing is enabled"
},
{
"cve": "CVE-2019-0161",
"cwe": {
"id": "CWE-400",
"name": "Uncontrolled Resource Consumption"
},
"discovery_date": "2019-03-28T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1694065"
}
],
"notes": [
{
"category": "description",
"text": "Stack overflow in XHCI for EDK II may allow an unauthenticated user to potentially enable denial of service via local access.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "edk2: stack overflow in XHCI causing denial of service",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-RHEV-4-Hypervisor-7:redhat-virtualization-host-0:4.3.5-20190722.0.el7_7.src",
"7Server-RHEV-4-Hypervisor-7:redhat-virtualization-host-image-update-0:4.3.5-20190722.0.el7_7.noarch",
"7Server-RHEV-4-HypervisorBuild-7:imgbased-0:1.1.9-0.1.el7ev.noarch",
"7Server-RHEV-4-HypervisorBuild-7:imgbased-0:1.1.9-0.1.el7ev.src",
"7Server-RHEV-4-HypervisorBuild-7:ovirt-node-ng-0:4.3.5-0.20190717.0.el7ev.src",
"7Server-RHEV-4-HypervisorBuild-7:ovirt-node-ng-nodectl-0:4.3.5-0.20190717.0.el7ev.noarch",
"7Server-RHEV-4-HypervisorBuild-7:python-imgbased-0:1.1.9-0.1.el7ev.noarch",
"7Server-RHEV-4-HypervisorBuild-7:python2-ovirt-node-ng-nodectl-0:4.3.5-0.20190717.0.el7ev.noarch",
"7Server-RHEV-4-HypervisorBuild-7:redhat-release-virtualization-host-0:4.3.5-2.el7ev.src",
"7Server-RHEV-4-HypervisorBuild-7:redhat-release-virtualization-host-0:4.3.5-2.el7ev.x86_64",
"7Server-RHEV-4-HypervisorBuild-7:redhat-virtualization-host-image-update-placeholder-0:4.3.5-2.el7ev.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2019-0161"
},
{
"category": "external",
"summary": "RHBZ#1694065",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1694065"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2019-0161",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-0161"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2019-0161",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-0161"
},
{
"category": "external",
"summary": "https://edk2-docs.gitbooks.io/security-advisory/content/xhci-stack-local-stack-overflow.html",
"url": "https://edk2-docs.gitbooks.io/security-advisory/content/xhci-stack-local-stack-overflow.html"
}
],
"release_date": "2018-06-05T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2019-08-12T11:56:35+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/2974891",
"product_ids": [
"7Server-RHEV-4-Hypervisor-7:redhat-virtualization-host-0:4.3.5-20190722.0.el7_7.src",
"7Server-RHEV-4-Hypervisor-7:redhat-virtualization-host-image-update-0:4.3.5-20190722.0.el7_7.noarch",
"7Server-RHEV-4-HypervisorBuild-7:imgbased-0:1.1.9-0.1.el7ev.noarch",
"7Server-RHEV-4-HypervisorBuild-7:imgbased-0:1.1.9-0.1.el7ev.src",
"7Server-RHEV-4-HypervisorBuild-7:ovirt-node-ng-0:4.3.5-0.20190717.0.el7ev.src",
"7Server-RHEV-4-HypervisorBuild-7:ovirt-node-ng-nodectl-0:4.3.5-0.20190717.0.el7ev.noarch",
"7Server-RHEV-4-HypervisorBuild-7:python-imgbased-0:1.1.9-0.1.el7ev.noarch",
"7Server-RHEV-4-HypervisorBuild-7:python2-ovirt-node-ng-nodectl-0:4.3.5-0.20190717.0.el7ev.noarch",
"7Server-RHEV-4-HypervisorBuild-7:redhat-release-virtualization-host-0:4.3.5-2.el7ev.src",
"7Server-RHEV-4-HypervisorBuild-7:redhat-release-virtualization-host-0:4.3.5-2.el7ev.x86_64",
"7Server-RHEV-4-HypervisorBuild-7:redhat-virtualization-host-image-update-placeholder-0:4.3.5-2.el7ev.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2019:2437"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "LOW",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
"version": "3.0"
},
"products": [
"7Server-RHEV-4-Hypervisor-7:redhat-virtualization-host-0:4.3.5-20190722.0.el7_7.src",
"7Server-RHEV-4-Hypervisor-7:redhat-virtualization-host-image-update-0:4.3.5-20190722.0.el7_7.noarch",
"7Server-RHEV-4-HypervisorBuild-7:imgbased-0:1.1.9-0.1.el7ev.noarch",
"7Server-RHEV-4-HypervisorBuild-7:imgbased-0:1.1.9-0.1.el7ev.src",
"7Server-RHEV-4-HypervisorBuild-7:ovirt-node-ng-0:4.3.5-0.20190717.0.el7ev.src",
"7Server-RHEV-4-HypervisorBuild-7:ovirt-node-ng-nodectl-0:4.3.5-0.20190717.0.el7ev.noarch",
"7Server-RHEV-4-HypervisorBuild-7:python-imgbased-0:1.1.9-0.1.el7ev.noarch",
"7Server-RHEV-4-HypervisorBuild-7:python2-ovirt-node-ng-nodectl-0:4.3.5-0.20190717.0.el7ev.noarch",
"7Server-RHEV-4-HypervisorBuild-7:redhat-release-virtualization-host-0:4.3.5-2.el7ev.src",
"7Server-RHEV-4-HypervisorBuild-7:redhat-release-virtualization-host-0:4.3.5-2.el7ev.x86_64",
"7Server-RHEV-4-HypervisorBuild-7:redhat-virtualization-host-image-update-placeholder-0:4.3.5-2.el7ev.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "edk2: stack overflow in XHCI causing denial of service"
},
{
"cve": "CVE-2019-1559",
"cwe": {
"id": "CWE-325",
"name": "Missing Cryptographic Step"
},
"discovery_date": "2019-02-26T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1683804"
}
],
"notes": [
{
"category": "description",
"text": "If an application encounters a fatal protocol error and then calls SSL_shutdown() twice (once to send a close_notify, and once to receive one) then OpenSSL can respond differently to the calling application if a 0 byte record is received with invalid padding compared to if a 0 byte record is received with an invalid MAC. If the application then behaves differently based on that in a way that is detectable to the remote peer, then this amounts to a padding oracle that could be used to decrypt data. In order for this to be exploitable \"non-stitched\" ciphersuites must be in use. Stitched ciphersuites are optimised implementations of certain commonly used ciphersuites. Also the application must call SSL_shutdown() twice even if a protocol error has occurred (applications should not do this but some do anyway). Fixed in OpenSSL 1.0.2r (Affected 1.0.2-1.0.2q).",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "openssl: 0-byte record padding oracle",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "1 For this issue to be exploitable, the (server) application using the OpenSSL library needs to use it incorrectly.\n2. There are multiple other requirements for the attack to succeed: \n - The ciphersuite used must be obsolete CBC cipher without a stitched implementation (or the system be in FIPS mode)\n - the attacker has to be a MITM\n - the attacker has to be able to control the client side to send requests to the buggy server on demand",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-RHEV-4-Hypervisor-7:redhat-virtualization-host-0:4.3.5-20190722.0.el7_7.src",
"7Server-RHEV-4-Hypervisor-7:redhat-virtualization-host-image-update-0:4.3.5-20190722.0.el7_7.noarch",
"7Server-RHEV-4-HypervisorBuild-7:imgbased-0:1.1.9-0.1.el7ev.noarch",
"7Server-RHEV-4-HypervisorBuild-7:imgbased-0:1.1.9-0.1.el7ev.src",
"7Server-RHEV-4-HypervisorBuild-7:ovirt-node-ng-0:4.3.5-0.20190717.0.el7ev.src",
"7Server-RHEV-4-HypervisorBuild-7:ovirt-node-ng-nodectl-0:4.3.5-0.20190717.0.el7ev.noarch",
"7Server-RHEV-4-HypervisorBuild-7:python-imgbased-0:1.1.9-0.1.el7ev.noarch",
"7Server-RHEV-4-HypervisorBuild-7:python2-ovirt-node-ng-nodectl-0:4.3.5-0.20190717.0.el7ev.noarch",
"7Server-RHEV-4-HypervisorBuild-7:redhat-release-virtualization-host-0:4.3.5-2.el7ev.src",
"7Server-RHEV-4-HypervisorBuild-7:redhat-release-virtualization-host-0:4.3.5-2.el7ev.x86_64",
"7Server-RHEV-4-HypervisorBuild-7:redhat-virtualization-host-image-update-placeholder-0:4.3.5-2.el7ev.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2019-1559"
},
{
"category": "external",
"summary": "RHBZ#1683804",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1683804"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2019-1559",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-1559"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2019-1559",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-1559"
},
{
"category": "external",
"summary": "https://github.com/RUB-NDS/TLS-Padding-Oracles",
"url": "https://github.com/RUB-NDS/TLS-Padding-Oracles"
},
{
"category": "external",
"summary": "https://www.openssl.org/news/secadv/20190226.txt",
"url": "https://www.openssl.org/news/secadv/20190226.txt"
}
],
"release_date": "2019-02-26T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2019-08-12T11:56:35+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/2974891",
"product_ids": [
"7Server-RHEV-4-Hypervisor-7:redhat-virtualization-host-0:4.3.5-20190722.0.el7_7.src",
"7Server-RHEV-4-Hypervisor-7:redhat-virtualization-host-image-update-0:4.3.5-20190722.0.el7_7.noarch",
"7Server-RHEV-4-HypervisorBuild-7:imgbased-0:1.1.9-0.1.el7ev.noarch",
"7Server-RHEV-4-HypervisorBuild-7:imgbased-0:1.1.9-0.1.el7ev.src",
"7Server-RHEV-4-HypervisorBuild-7:ovirt-node-ng-0:4.3.5-0.20190717.0.el7ev.src",
"7Server-RHEV-4-HypervisorBuild-7:ovirt-node-ng-nodectl-0:4.3.5-0.20190717.0.el7ev.noarch",
"7Server-RHEV-4-HypervisorBuild-7:python-imgbased-0:1.1.9-0.1.el7ev.noarch",
"7Server-RHEV-4-HypervisorBuild-7:python2-ovirt-node-ng-nodectl-0:4.3.5-0.20190717.0.el7ev.noarch",
"7Server-RHEV-4-HypervisorBuild-7:redhat-release-virtualization-host-0:4.3.5-2.el7ev.src",
"7Server-RHEV-4-HypervisorBuild-7:redhat-release-virtualization-host-0:4.3.5-2.el7ev.x86_64",
"7Server-RHEV-4-HypervisorBuild-7:redhat-virtualization-host-image-update-placeholder-0:4.3.5-2.el7ev.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2019:2437"
},
{
"category": "workaround",
"details": "As a workaround you can disable SHA384 if applications (compiled with OpenSSL) allow for adjustment of the ciphersuite string configuration.",
"product_ids": [
"7Server-RHEV-4-Hypervisor-7:redhat-virtualization-host-0:4.3.5-20190722.0.el7_7.src",
"7Server-RHEV-4-Hypervisor-7:redhat-virtualization-host-image-update-0:4.3.5-20190722.0.el7_7.noarch",
"7Server-RHEV-4-HypervisorBuild-7:imgbased-0:1.1.9-0.1.el7ev.noarch",
"7Server-RHEV-4-HypervisorBuild-7:imgbased-0:1.1.9-0.1.el7ev.src",
"7Server-RHEV-4-HypervisorBuild-7:ovirt-node-ng-0:4.3.5-0.20190717.0.el7ev.src",
"7Server-RHEV-4-HypervisorBuild-7:ovirt-node-ng-nodectl-0:4.3.5-0.20190717.0.el7ev.noarch",
"7Server-RHEV-4-HypervisorBuild-7:python-imgbased-0:1.1.9-0.1.el7ev.noarch",
"7Server-RHEV-4-HypervisorBuild-7:python2-ovirt-node-ng-nodectl-0:4.3.5-0.20190717.0.el7ev.noarch",
"7Server-RHEV-4-HypervisorBuild-7:redhat-release-virtualization-host-0:4.3.5-2.el7ev.src",
"7Server-RHEV-4-HypervisorBuild-7:redhat-release-virtualization-host-0:4.3.5-2.el7ev.x86_64",
"7Server-RHEV-4-HypervisorBuild-7:redhat-virtualization-host-image-update-placeholder-0:4.3.5-2.el7ev.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"products": [
"7Server-RHEV-4-Hypervisor-7:redhat-virtualization-host-0:4.3.5-20190722.0.el7_7.src",
"7Server-RHEV-4-Hypervisor-7:redhat-virtualization-host-image-update-0:4.3.5-20190722.0.el7_7.noarch",
"7Server-RHEV-4-HypervisorBuild-7:imgbased-0:1.1.9-0.1.el7ev.noarch",
"7Server-RHEV-4-HypervisorBuild-7:imgbased-0:1.1.9-0.1.el7ev.src",
"7Server-RHEV-4-HypervisorBuild-7:ovirt-node-ng-0:4.3.5-0.20190717.0.el7ev.src",
"7Server-RHEV-4-HypervisorBuild-7:ovirt-node-ng-nodectl-0:4.3.5-0.20190717.0.el7ev.noarch",
"7Server-RHEV-4-HypervisorBuild-7:python-imgbased-0:1.1.9-0.1.el7ev.noarch",
"7Server-RHEV-4-HypervisorBuild-7:python2-ovirt-node-ng-nodectl-0:4.3.5-0.20190717.0.el7ev.noarch",
"7Server-RHEV-4-HypervisorBuild-7:redhat-release-virtualization-host-0:4.3.5-2.el7ev.src",
"7Server-RHEV-4-HypervisorBuild-7:redhat-release-virtualization-host-0:4.3.5-2.el7ev.x86_64",
"7Server-RHEV-4-HypervisorBuild-7:redhat-virtualization-host-image-update-placeholder-0:4.3.5-2.el7ev.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "openssl: 0-byte record padding oracle"
},
{
"cve": "CVE-2019-10139",
"cwe": {
"id": "CWE-522",
"name": "Insufficiently Protected Credentials"
},
"discovery_date": "2019-05-02T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1709829"
}
],
"notes": [
{
"category": "description",
"text": "During HE deployment via cockpit-ovirt, cockpit-ovirt generates an ansible variable file `/var/lib/ovirt-hosted-engine-setup/cockpit/ansibleVarFileXXXXXX.var` which contains the admin and the appliance passwords as plain-text. At the of the deployment procedure, these files are deleted.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "cockpit-ovirt: admin and appliance passwords saved in plain text variable file during HE deployment",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-RHEV-4-Hypervisor-7:redhat-virtualization-host-0:4.3.5-20190722.0.el7_7.src",
"7Server-RHEV-4-Hypervisor-7:redhat-virtualization-host-image-update-0:4.3.5-20190722.0.el7_7.noarch",
"7Server-RHEV-4-HypervisorBuild-7:imgbased-0:1.1.9-0.1.el7ev.noarch",
"7Server-RHEV-4-HypervisorBuild-7:imgbased-0:1.1.9-0.1.el7ev.src",
"7Server-RHEV-4-HypervisorBuild-7:ovirt-node-ng-0:4.3.5-0.20190717.0.el7ev.src",
"7Server-RHEV-4-HypervisorBuild-7:ovirt-node-ng-nodectl-0:4.3.5-0.20190717.0.el7ev.noarch",
"7Server-RHEV-4-HypervisorBuild-7:python-imgbased-0:1.1.9-0.1.el7ev.noarch",
"7Server-RHEV-4-HypervisorBuild-7:python2-ovirt-node-ng-nodectl-0:4.3.5-0.20190717.0.el7ev.noarch",
"7Server-RHEV-4-HypervisorBuild-7:redhat-release-virtualization-host-0:4.3.5-2.el7ev.src",
"7Server-RHEV-4-HypervisorBuild-7:redhat-release-virtualization-host-0:4.3.5-2.el7ev.x86_64",
"7Server-RHEV-4-HypervisorBuild-7:redhat-virtualization-host-image-update-placeholder-0:4.3.5-2.el7ev.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2019-10139"
},
{
"category": "external",
"summary": "RHBZ#1709829",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1709829"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2019-10139",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-10139"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2019-10139",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-10139"
}
],
"release_date": "2019-05-17T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2019-08-12T11:56:35+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/2974891",
"product_ids": [
"7Server-RHEV-4-Hypervisor-7:redhat-virtualization-host-0:4.3.5-20190722.0.el7_7.src",
"7Server-RHEV-4-Hypervisor-7:redhat-virtualization-host-image-update-0:4.3.5-20190722.0.el7_7.noarch",
"7Server-RHEV-4-HypervisorBuild-7:imgbased-0:1.1.9-0.1.el7ev.noarch",
"7Server-RHEV-4-HypervisorBuild-7:imgbased-0:1.1.9-0.1.el7ev.src",
"7Server-RHEV-4-HypervisorBuild-7:ovirt-node-ng-0:4.3.5-0.20190717.0.el7ev.src",
"7Server-RHEV-4-HypervisorBuild-7:ovirt-node-ng-nodectl-0:4.3.5-0.20190717.0.el7ev.noarch",
"7Server-RHEV-4-HypervisorBuild-7:python-imgbased-0:1.1.9-0.1.el7ev.noarch",
"7Server-RHEV-4-HypervisorBuild-7:python2-ovirt-node-ng-nodectl-0:4.3.5-0.20190717.0.el7ev.noarch",
"7Server-RHEV-4-HypervisorBuild-7:redhat-release-virtualization-host-0:4.3.5-2.el7ev.src",
"7Server-RHEV-4-HypervisorBuild-7:redhat-release-virtualization-host-0:4.3.5-2.el7ev.x86_64",
"7Server-RHEV-4-HypervisorBuild-7:redhat-virtualization-host-image-update-placeholder-0:4.3.5-2.el7ev.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2019:2437"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 5.6,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N",
"version": "3.0"
},
"products": [
"7Server-RHEV-4-Hypervisor-7:redhat-virtualization-host-0:4.3.5-20190722.0.el7_7.src",
"7Server-RHEV-4-Hypervisor-7:redhat-virtualization-host-image-update-0:4.3.5-20190722.0.el7_7.noarch",
"7Server-RHEV-4-HypervisorBuild-7:imgbased-0:1.1.9-0.1.el7ev.noarch",
"7Server-RHEV-4-HypervisorBuild-7:imgbased-0:1.1.9-0.1.el7ev.src",
"7Server-RHEV-4-HypervisorBuild-7:ovirt-node-ng-0:4.3.5-0.20190717.0.el7ev.src",
"7Server-RHEV-4-HypervisorBuild-7:ovirt-node-ng-nodectl-0:4.3.5-0.20190717.0.el7ev.noarch",
"7Server-RHEV-4-HypervisorBuild-7:python-imgbased-0:1.1.9-0.1.el7ev.noarch",
"7Server-RHEV-4-HypervisorBuild-7:python2-ovirt-node-ng-nodectl-0:4.3.5-0.20190717.0.el7ev.noarch",
"7Server-RHEV-4-HypervisorBuild-7:redhat-release-virtualization-host-0:4.3.5-2.el7ev.src",
"7Server-RHEV-4-HypervisorBuild-7:redhat-release-virtualization-host-0:4.3.5-2.el7ev.x86_64",
"7Server-RHEV-4-HypervisorBuild-7:redhat-virtualization-host-image-update-placeholder-0:4.3.5-2.el7ev.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "cockpit-ovirt: admin and appliance passwords saved in plain text variable file during HE deployment"
},
{
"acknowledgments": [
{
"names": [
"Riccardo Schirone"
],
"organization": "Red Hat",
"summary": "This issue was discovered by Red Hat."
}
],
"cve": "CVE-2019-10160",
"cwe": {
"id": "CWE-172",
"name": "Encoding Error"
},
"discovery_date": "2019-06-07T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1718388"
}
],
"notes": [
{
"category": "description",
"text": "A security regression of CVE-2019-9636 was discovered in python, since commit d537ab0ff9767ef024f26246899728f0116b1ec3, which still allows an attacker to exploit CVE-2019-9636 by abusing the user and password parts of a URL. When an application parses user-supplied URLs to store cookies, authentication credentials, or other kind of information, it is possible for an attacker to provide specially crafted URLs to make the application locate host-related information (e.g. cookies, authentication data) and send them to a different host than where it should, unlike if the URLs had been correctly parsed. The result of an attack may vary based on the application.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "python: regression of CVE-2019-9636 due to functional fix to allow port numbers in netloc",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This issue did not affect the versions of python as shipped with Red Hat Enterprise Linux 5 and 6 as the security regression was not introduced in those versions. See CVE-2019-9636 for more details about the how these versions of Red Hat Enterprise Linux are affected with regard to the original flaw.\n\nThis issue did not affect the versions of python as shipped with Red Hat Enterprise Linux 8 as the security regression was not introduced in those versions. See CVE-2019-9636 for more details about the how these versions of Red Hat Enterprise Linux are affected with regard to the original flaw.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-RHEV-4-Hypervisor-7:redhat-virtualization-host-0:4.3.5-20190722.0.el7_7.src",
"7Server-RHEV-4-Hypervisor-7:redhat-virtualization-host-image-update-0:4.3.5-20190722.0.el7_7.noarch",
"7Server-RHEV-4-HypervisorBuild-7:imgbased-0:1.1.9-0.1.el7ev.noarch",
"7Server-RHEV-4-HypervisorBuild-7:imgbased-0:1.1.9-0.1.el7ev.src",
"7Server-RHEV-4-HypervisorBuild-7:ovirt-node-ng-0:4.3.5-0.20190717.0.el7ev.src",
"7Server-RHEV-4-HypervisorBuild-7:ovirt-node-ng-nodectl-0:4.3.5-0.20190717.0.el7ev.noarch",
"7Server-RHEV-4-HypervisorBuild-7:python-imgbased-0:1.1.9-0.1.el7ev.noarch",
"7Server-RHEV-4-HypervisorBuild-7:python2-ovirt-node-ng-nodectl-0:4.3.5-0.20190717.0.el7ev.noarch",
"7Server-RHEV-4-HypervisorBuild-7:redhat-release-virtualization-host-0:4.3.5-2.el7ev.src",
"7Server-RHEV-4-HypervisorBuild-7:redhat-release-virtualization-host-0:4.3.5-2.el7ev.x86_64",
"7Server-RHEV-4-HypervisorBuild-7:redhat-virtualization-host-image-update-placeholder-0:4.3.5-2.el7ev.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2019-10160"
},
{
"category": "external",
"summary": "RHBZ#1718388",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1718388"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2019-10160",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-10160"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2019-10160",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-10160"
},
{
"category": "external",
"summary": "https://python-security.readthedocs.io/vuln/urlsplit-nfkc-normalization2.html",
"url": "https://python-security.readthedocs.io/vuln/urlsplit-nfkc-normalization2.html"
}
],
"release_date": "2019-06-03T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2019-08-12T11:56:35+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/2974891",
"product_ids": [
"7Server-RHEV-4-Hypervisor-7:redhat-virtualization-host-0:4.3.5-20190722.0.el7_7.src",
"7Server-RHEV-4-Hypervisor-7:redhat-virtualization-host-image-update-0:4.3.5-20190722.0.el7_7.noarch",
"7Server-RHEV-4-HypervisorBuild-7:imgbased-0:1.1.9-0.1.el7ev.noarch",
"7Server-RHEV-4-HypervisorBuild-7:imgbased-0:1.1.9-0.1.el7ev.src",
"7Server-RHEV-4-HypervisorBuild-7:ovirt-node-ng-0:4.3.5-0.20190717.0.el7ev.src",
"7Server-RHEV-4-HypervisorBuild-7:ovirt-node-ng-nodectl-0:4.3.5-0.20190717.0.el7ev.noarch",
"7Server-RHEV-4-HypervisorBuild-7:python-imgbased-0:1.1.9-0.1.el7ev.noarch",
"7Server-RHEV-4-HypervisorBuild-7:python2-ovirt-node-ng-nodectl-0:4.3.5-0.20190717.0.el7ev.noarch",
"7Server-RHEV-4-HypervisorBuild-7:redhat-release-virtualization-host-0:4.3.5-2.el7ev.src",
"7Server-RHEV-4-HypervisorBuild-7:redhat-release-virtualization-host-0:4.3.5-2.el7ev.x86_64",
"7Server-RHEV-4-HypervisorBuild-7:redhat-virtualization-host-image-update-placeholder-0:4.3.5-2.el7ev.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2019:2437"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
},
"products": [
"7Server-RHEV-4-Hypervisor-7:redhat-virtualization-host-0:4.3.5-20190722.0.el7_7.src",
"7Server-RHEV-4-Hypervisor-7:redhat-virtualization-host-image-update-0:4.3.5-20190722.0.el7_7.noarch",
"7Server-RHEV-4-HypervisorBuild-7:imgbased-0:1.1.9-0.1.el7ev.noarch",
"7Server-RHEV-4-HypervisorBuild-7:imgbased-0:1.1.9-0.1.el7ev.src",
"7Server-RHEV-4-HypervisorBuild-7:ovirt-node-ng-0:4.3.5-0.20190717.0.el7ev.src",
"7Server-RHEV-4-HypervisorBuild-7:ovirt-node-ng-nodectl-0:4.3.5-0.20190717.0.el7ev.noarch",
"7Server-RHEV-4-HypervisorBuild-7:python-imgbased-0:1.1.9-0.1.el7ev.noarch",
"7Server-RHEV-4-HypervisorBuild-7:python2-ovirt-node-ng-nodectl-0:4.3.5-0.20190717.0.el7ev.noarch",
"7Server-RHEV-4-HypervisorBuild-7:redhat-release-virtualization-host-0:4.3.5-2.el7ev.src",
"7Server-RHEV-4-HypervisorBuild-7:redhat-release-virtualization-host-0:4.3.5-2.el7ev.x86_64",
"7Server-RHEV-4-HypervisorBuild-7:redhat-virtualization-host-image-update-placeholder-0:4.3.5-2.el7ev.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "python: regression of CVE-2019-9636 due to functional fix to allow port numbers in netloc"
}
]
}
GHSA-35C5-8H9G-6345
Vulnerability from github – Published: 2022-05-24 16:46 – Updated: 2023-02-02 21:33
VLAI?
Details
During HE deployment via cockpit-ovirt, cockpit-ovirt generates an ansible variable file /var/lib/ovirt-hosted-engine-setup/cockpit/ansibleVarFileXXXXXX.var which contains the admin and the appliance passwords as plain-text. At the of the deployment procedure, these files are deleted.
Severity ?
7.8 (High)
{
"affected": [],
"aliases": [
"CVE-2019-10139"
],
"database_specific": {
"cwe_ids": [
"CWE-311",
"CWE-522"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-05-17T16:29:00Z",
"severity": "HIGH"
},
"details": "During HE deployment via cockpit-ovirt, cockpit-ovirt generates an ansible variable file `/var/lib/ovirt-hosted-engine-setup/cockpit/ansibleVarFileXXXXXX.var` which contains the admin and the appliance passwords as plain-text. At the of the deployment procedure, these files are deleted.",
"id": "GHSA-35c5-8h9g-6345",
"modified": "2023-02-02T21:33:47Z",
"published": "2022-05-24T16:46:01Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-10139"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2019:2433"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2019:2437"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/CVE-2019-10139"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1709829"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10139"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/108396"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
CNVD-2019-15704
Vulnerability from cnvd - Published: 2019-05-29
VLAI Severity ?
Title
cockpit-ovirt信息泄露漏洞
Description
cockpit-ovirt是一款系统管理工具。
cockpit-ovirt中存在信息泄露漏洞。该漏洞源于网络系统或产品中缺乏有效的信任管理机制。攻击者可利用默认密码或者硬编码密码、硬编码证书等攻击受影响组件。
Severity
低
Formal description
目前厂商暂未发布修复措施解决此安全问题,建议使用此软件的用户随时关注厂商主页或参考网址以获取解决办法: bugzilla.redhat.comhttps://www.ovirt.org/
Reference
https://www.ovirt.org/
Impacted products
| Name | cockpit-ovirt cockpit-ovirt |
|---|
{
"bids": {
"bid": {
"bidNumber": "108396"
}
},
"cves": {
"cve": {
"cveNumber": "CVE-2019-10139",
"cveUrl": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10139"
}
},
"description": "cockpit-ovirt\u662f\u4e00\u6b3e\u7cfb\u7edf\u7ba1\u7406\u5de5\u5177\u3002\n\ncockpit-ovirt\u4e2d\u5b58\u5728\u4fe1\u606f\u6cc4\u9732\u6f0f\u6d1e\u3002\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u7f51\u7edc\u7cfb\u7edf\u6216\u4ea7\u54c1\u4e2d\u7f3a\u4e4f\u6709\u6548\u7684\u4fe1\u4efb\u7ba1\u7406\u673a\u5236\u3002\u653b\u51fb\u8005\u53ef\u5229\u7528\u9ed8\u8ba4\u5bc6\u7801\u6216\u8005\u786c\u7f16\u7801\u5bc6\u7801\u3001\u786c\u7f16\u7801\u8bc1\u4e66\u7b49\u653b\u51fb\u53d7\u5f71\u54cd\u7ec4\u4ef6\u3002",
"discovererName": "Unknown",
"formalWay": "\u76ee\u524d\u5382\u5546\u6682\u672a\u53d1\u5e03\u4fee\u590d\u63aa\u65bd\u89e3\u51b3\u6b64\u5b89\u5168\u95ee\u9898\uff0c\u5efa\u8bae\u4f7f\u7528\u6b64\u8f6f\u4ef6\u7684\u7528\u6237\u968f\u65f6\u5173\u6ce8\u5382\u5546\u4e3b\u9875\u6216\u53c2\u8003\u7f51\u5740\u4ee5\u83b7\u53d6\u89e3\u51b3\u529e\u6cd5\uff1a\r\nbugzilla.redhat.comhttps://www.ovirt.org/",
"isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
"number": "CNVD-2019-15704",
"openTime": "2019-05-29",
"products": {
"product": "cockpit-ovirt cockpit-ovirt"
},
"referenceLink": "https://www.ovirt.org/",
"serverity": "\u4f4e",
"submitTime": "2019-05-22",
"title": "cockpit-ovirt\u4fe1\u606f\u6cc4\u9732\u6f0f\u6d1e"
}
GSD-2019-10139
Vulnerability from gsd - Updated: 2023-12-13 01:23Details
During HE deployment via cockpit-ovirt, cockpit-ovirt generates an ansible variable file `/var/lib/ovirt-hosted-engine-setup/cockpit/ansibleVarFileXXXXXX.var` which contains the admin and the appliance passwords as plain-text. At the of the deployment procedure, these files are deleted.
Aliases
Aliases
{
"GSD": {
"alias": "CVE-2019-10139",
"description": "During HE deployment via cockpit-ovirt, cockpit-ovirt generates an ansible variable file `/var/lib/ovirt-hosted-engine-setup/cockpit/ansibleVarFileXXXXXX.var` which contains the admin and the appliance passwords as plain-text. At the of the deployment procedure, these files are deleted.",
"id": "GSD-2019-10139",
"references": [
"https://access.redhat.com/errata/RHSA-2019:2437",
"https://access.redhat.com/errata/RHSA-2019:2433"
]
},
"gsd": {
"metadata": {
"exploitCode": "unknown",
"remediation": "unknown",
"reportConfidence": "confirmed",
"type": "vulnerability"
},
"osvSchema": {
"aliases": [
"CVE-2019-10139"
],
"details": "During HE deployment via cockpit-ovirt, cockpit-ovirt generates an ansible variable file `/var/lib/ovirt-hosted-engine-setup/cockpit/ansibleVarFileXXXXXX.var` which contains the admin and the appliance passwords as plain-text. At the of the deployment procedure, these files are deleted.",
"id": "GSD-2019-10139",
"modified": "2023-12-13T01:23:58.880047Z",
"schema_version": "1.4.0"
}
},
"namespaces": {
"cve.org": {
"CVE_data_meta": {
"ASSIGNER": "secalert@redhat.com",
"ID": "CVE-2019-10139",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "cockpit-ovirt",
"version": {
"version_data": [
{
"version_affected": "=",
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "ovirt"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "During HE deployment via cockpit-ovirt, cockpit-ovirt generates an ansible variable file `/var/lib/ovirt-hosted-engine-setup/cockpit/ansibleVarFileXXXXXX.var` which contains the admin and the appliance passwords as plain-text. At the of the deployment procedure, these files are deleted."
}
]
},
"impact": {
"cvss": [
{
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 5.6,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N",
"version": "3.0"
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"cweId": "CWE-522",
"lang": "eng",
"value": "CWE-522"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://access.redhat.com/errata/RHSA-2019:2437",
"refsource": "MISC",
"url": "https://access.redhat.com/errata/RHSA-2019:2437"
},
{
"name": "http://www.securityfocus.com/bid/108396",
"refsource": "MISC",
"url": "http://www.securityfocus.com/bid/108396"
},
{
"name": "https://access.redhat.com/errata/RHSA-2019:2433",
"refsource": "MISC",
"url": "https://access.redhat.com/errata/RHSA-2019:2433"
},
{
"name": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10139",
"refsource": "MISC",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10139"
}
]
}
},
"nvd.nist.gov": {
"configurations": {
"CVE_data_version": "4.0",
"nodes": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:a:ovirt:cockpit-ovirt:-:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
}
],
"operator": "OR"
}
]
},
"cve": {
"CVE_data_meta": {
"ASSIGNER": "secalert@redhat.com",
"ID": "CVE-2019-10139"
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "en",
"value": "During HE deployment via cockpit-ovirt, cockpit-ovirt generates an ansible variable file `/var/lib/ovirt-hosted-engine-setup/cockpit/ansibleVarFileXXXXXX.var` which contains the admin and the appliance passwords as plain-text. At the of the deployment procedure, these files are deleted."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "en",
"value": "CWE-522"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10139",
"refsource": "CONFIRM",
"tags": [
"Issue Tracking",
"Third Party Advisory"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10139"
},
{
"name": "108396",
"refsource": "BID",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "http://www.securityfocus.com/bid/108396"
},
{
"name": "RHSA-2019:2433",
"refsource": "REDHAT",
"tags": [
"Third Party Advisory"
],
"url": "https://access.redhat.com/errata/RHSA-2019:2433"
},
{
"name": "RHSA-2019:2437",
"refsource": "REDHAT",
"tags": [
"Third Party Advisory"
],
"url": "https://access.redhat.com/errata/RHSA-2019:2437"
}
]
}
},
"impact": {
"baseMetricV2": {
"acInsufInfo": false,
"cvssV2": {
"accessComplexity": "LOW",
"accessVector": "LOCAL",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 2.1,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "NONE",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
"version": "2.0"
},
"exploitabilityScore": 3.9,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"severity": "LOW",
"userInteractionRequired": false
},
"baseMetricV3": {
"cvssV3": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 1.8,
"impactScore": 5.9
}
},
"lastModifiedDate": "2023-02-12T23:32Z",
"publishedDate": "2019-05-17T16:29Z"
}
}
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…