RHSA-2022_6266
Vulnerability from csaf_redhat - Published: 2022-08-31 13:01 - Updated: 2024-11-26 07:54Summary
Red Hat Security Advisory: convert2rhel security update
Notes
Topic
An update for convert2rhel is now available for Convert2RHEL for RHEL-6.
Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details
The convert2rhel package provides the Convert2RHEL utility, which performs operating system conversion. During the conversion process, Convert2RHEL replaces all RPM packages from the original Linux distribution with their Red Hat Enteprise Linux versions.
Security Fix(es):
* convert2rhel: Activation key passed via command line by code (CVE-2022-0851)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An update for convert2rhel is now available for Convert2RHEL for RHEL-6.\n\nRed Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "The convert2rhel package provides the Convert2RHEL utility, which performs operating system conversion. During the conversion process, Convert2RHEL replaces all RPM packages from the original Linux distribution with their Red Hat Enteprise Linux versions.\n\nSecurity Fix(es):\n\n* convert2rhel: Activation key passed via command line by code (CVE-2022-0851)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2022:6266",
"url": "https://access.redhat.com/errata/RHSA-2022:6266"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#moderate",
"url": "https://access.redhat.com/security/updates/classification/#moderate"
},
{
"category": "external",
"summary": "2060217",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2060217"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2022/rhsa-2022_6266.json"
}
],
"title": "Red Hat Security Advisory: convert2rhel security update",
"tracking": {
"current_release_date": "2024-11-26T07:54:46+00:00",
"generator": {
"date": "2024-11-26T07:54:46+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.2.1"
}
},
"id": "RHSA-2022:6266",
"initial_release_date": "2022-08-31T13:01:33+00:00",
"revision_history": [
{
"date": "2022-08-31T13:01:33+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2022-08-31T13:01:33+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2024-11-26T07:54:46+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Convert2RHEL for RHEL-6",
"product": {
"name": "Convert2RHEL for RHEL-6",
"product_id": "6Server-Convert2RHEL",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:convert2rhel::el6"
}
}
}
],
"category": "product_family",
"name": "Convert2RHEL"
},
{
"branches": [
{
"category": "product_version",
"name": "convert2rhel-0:1.0-1.el6.src",
"product": {
"name": "convert2rhel-0:1.0-1.el6.src",
"product_id": "convert2rhel-0:1.0-1.el6.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/convert2rhel@1.0-1.el6?arch=src"
}
}
}
],
"category": "architecture",
"name": "src"
},
{
"branches": [
{
"category": "product_version",
"name": "convert2rhel-0:1.0-1.el6.noarch",
"product": {
"name": "convert2rhel-0:1.0-1.el6.noarch",
"product_id": "convert2rhel-0:1.0-1.el6.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/convert2rhel@1.0-1.el6?arch=noarch"
}
}
}
],
"category": "architecture",
"name": "noarch"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "convert2rhel-0:1.0-1.el6.noarch as a component of Convert2RHEL for RHEL-6",
"product_id": "6Server-Convert2RHEL:convert2rhel-0:1.0-1.el6.noarch"
},
"product_reference": "convert2rhel-0:1.0-1.el6.noarch",
"relates_to_product_reference": "6Server-Convert2RHEL"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "convert2rhel-0:1.0-1.el6.src as a component of Convert2RHEL for RHEL-6",
"product_id": "6Server-Convert2RHEL:convert2rhel-0:1.0-1.el6.src"
},
"product_reference": "convert2rhel-0:1.0-1.el6.src",
"relates_to_product_reference": "6Server-Convert2RHEL"
}
]
},
"vulnerabilities": [
{
"acknowledgments": [
{
"names": [
"Toshio Kuratomi"
],
"organization": "Red Hat, Inc.",
"summary": "This issue was discovered by Red Hat."
}
],
"cve": "CVE-2022-0851",
"cwe": {
"id": "CWE-212",
"name": "Improper Removal of Sensitive Information Before Storage or Transfer"
},
"discovery_date": "2022-03-02T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2060217"
}
],
"notes": [
{
"category": "description",
"text": "There is a flaw in convert2rhel. When the --activationkey option is used with convert2rhel, the activation key is subsequently passed to subscription-manager via the command line, which could allow unauthorized users locally on the machine to view the activation key via the process command line via e.g. htop or ps. The specific impact varies upon the subscription, but generally this would allow an attacker to register systems purchased by the victim until discovered; a form of fraud. This could occur regardless of how the activation key is supplied to convert2rhel because it involves how convert2rhel provides it to subscription-manager.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "convert2rhel: Activation key passed via command line by code",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"6Server-Convert2RHEL:convert2rhel-0:1.0-1.el6.noarch",
"6Server-Convert2RHEL:convert2rhel-0:1.0-1.el6.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-0851"
},
{
"category": "external",
"summary": "RHBZ#2060217",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2060217"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-0851",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-0851"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-0851",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-0851"
}
],
"release_date": "2022-04-26T16:14:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2022-08-31T13:01:33+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"6Server-Convert2RHEL:convert2rhel-0:1.0-1.el6.noarch",
"6Server-Convert2RHEL:convert2rhel-0:1.0-1.el6.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2022:6266"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"6Server-Convert2RHEL:convert2rhel-0:1.0-1.el6.noarch",
"6Server-Convert2RHEL:convert2rhel-0:1.0-1.el6.src"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"products": [
"6Server-Convert2RHEL:convert2rhel-0:1.0-1.el6.noarch",
"6Server-Convert2RHEL:convert2rhel-0:1.0-1.el6.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "convert2rhel: Activation key passed via command line by code"
}
]
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…