var-202006-1825

Vulnerability from variot

FasterXML jackson-databind 2.x before 2.9.10.5 mishandles the interaction between serialization gadgets and typing, related to org.jsecurity.realm.jndi.JndiRealmFactory (aka org.jsecurity). FasterXML jackson-databind Exists in an unreliable data deserialization vulnerability.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be put into a state. Pillow is a Python-based image processing library. There is currently no information about this vulnerability, please feel free to follow CNNVD or manufacturer announcements. FasterXML Jackson is a data processing tool for Java developed by American FasterXML Company. jackson-databind is one of the components with data binding function. A security vulnerability exists in FasterXML jackson-databind 2.x versions prior to 2.9.10.5. An attacker could exploit this vulnerability to execute arbitrary code on the system by sending specially crafted input. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256

====================================================================
Red Hat Security Advisory

Synopsis: Important: Satellite 6.8 release Advisory ID: RHSA-2020:4366-01 Product: Red Hat Satellite 6 Advisory URL: https://access.redhat.com/errata/RHSA-2020:4366 Issue date: 2020-10-27 CVE Names: CVE-2018-3258 CVE-2018-11751 CVE-2019-12781 CVE-2019-16782 CVE-2020-5216 CVE-2020-5217 CVE-2020-5267 CVE-2020-7238 CVE-2020-7663 CVE-2020-7942 CVE-2020-7943 CVE-2020-8161 CVE-2020-8184 CVE-2020-8840 CVE-2020-9546 CVE-2020-9547 CVE-2020-9548 CVE-2020-10693 CVE-2020-10968 CVE-2020-10969 CVE-2020-11619 CVE-2020-14061 CVE-2020-14062 CVE-2020-14195 CVE-2020-14334 CVE-2020-14380 ==================================================================== 1. Summary:

An update is now available for Red Hat Satellite 6.8 for RHEL 7.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

1. Relevant releases/architectures:

Red Hat Satellite 6.7 - noarch, x86_64 Red Hat Satellite Capsule 6.8 - noarch, x86_64

1. Description:

Red Hat Satellite is a systems management tool for Linux-based infrastructure. It allows for provisioning, remote management, and monitoring of multiple Linux deployments with a single centralized tool.

Security Fix(es):

• mysql-connector-java: Connector/J unspecified vulnerability (CPU October 2018) (CVE-2018-3258)
• netty: HTTP Request Smuggling due to Transfer-Encoding whitespace mishandling (CVE-2020-7238)
• rubygem-websocket-extensions: ReDoS vulnerability in Sec-WebSocket-Extensions parser (CVE-2020-7663)
• puppet: puppet server and puppetDB may leak sensitive information via metrics API (CVE-2020-7943)
• jackson-databind: multiple serialization gadgets (CVE-2020-8840 CVE-2020-9546 CVE-2020-9547 CVE-2020-9548 CVE-2020-10968 CVE-2020-10969 CVE-2020-11619 CVE-2020-14061 CVE-2020-14062 CVE-2020-14195)
• foreman: unauthorized cache read on RPM-based installations through local user (CVE-2020-14334)
• Satellite: Local user impersonation by Single sign-on (SSO) user leads to account takeover (CVE-2020-14380)
• Django: Incorrect HTTP detection with reverse-proxy connecting via HTTPS (CVE-2019-12781)
• rubygem-rack: hijack sessions by using timing attacks targeting the session id (CVE-2019-16782)
• rubygem-secure_headers: limited header injection when using dynamic overrides with user input (CVE-2020-5216)
• rubygem-secure_headers: directive injection when using dynamic overrides with user input (CVE-2020-5217)
• rubygem-actionview: views that use the j or escape_javascript methods are susceptible to XSS attacks (CVE-2020-5267)
• puppet: Arbitrary catalog retrieval (CVE-2020-7942)
• rubygem-rack: directory traversal in Rack::Directory (CVE-2020-8161)
• rubygem-rack: percent-encoded cookies can be used to overwrite existing prefixed cookie names (CVE-2020-8184)
• hibernate-validator: Improper input validation in the interpolation of constraint error messages (CVE-2020-10693)
• puppet-agent: Puppet Agent does not properly verify SSL connection when downloading a CRL (CVE-2018-11751)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Additional Changes:

• Provides the Satellite Ansible Modules that allow for full automation of your Satellite configuration and deployment.

• Adds ability to install Satellite and Capsules and manage hosts in a IPv6 network environment

• Ansible based Capsule Upgrade automation: Ability to centrally upgrade all of your Capsule servers with a single job execution.

• Platform upgrades to Postgres 12, Ansible 2.9, Ruby on Rails and latest version of Puppet

• Support for HTTP UEFI provisioning

• Support for CAC card authentication with Keycloak integration

• Add ability to upgrade Red Hat Enterprise Linux 7 hosts to version 8 using the LEAPP based tooling.

• Support for Red Hat Enterprise Linux Traces integration

• satellite-maintain & foreman-maintain are now self updating

• Notifications in the UI to warn users when subscriptions are expiring.

The items above are not a complete list of changes. This update also fixes several bugs and adds various enhancements. Documentation for these changes is available from the Release Notes document linked to in the References section.

1. Solution:

Before applying this update, make sure all previously released errata relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

1. Bugs fixed (https://bugzilla.redhat.com/):

1160344 - [RFE] Satellite support for cname as alternate cname for satellite server 1261802 - [RFE] Make the foreman bootdisk full-host image work on UEFI systems 1300211 - capsule-certs-generate failed to increment release number when generating certificate rpm for foreman-proxy 1332702 - smart-proxy-openscap-send with additional features - alert if file corrupt 1398317 - For the vms built by Satellite 6 using "Network Based" installation mode on VMWare, unable to change the boot sequence via BIOS 1410616 - [RFE] Prominent notification of expiring subscriptions. 1410916 - Should only be able to add repositories you have access to 1429033 - Host provisioned with RHEL Workstation OS, after provisioning displayed as generic RedHat 7.3 1461781 - [RFE]A button should be available in the GUI to clear the recurring logics. 1469267 - need updated rubygem-rake 1486446 - Content view versions list has slow query for package count 1486696 - 'hammer host update' removes existing host parameters 1494180 - Sorting by network address for subnet doesn't work properly 1501499 - tomcat listens to 0.0.0.0 for serving requests but just needs localhost 1503037 - [RFE] Cancelled future/recurring job invocations should not get the status "failed" but rather "cancelled" 1505842 - Remote Execution engine: Error initializing command: Net::SSH::HostKeyMismatch - fingerprint 20:a9:b7:45:1a:b7:d6:42:1e:03:d1:1f:06:20:4c:e2 does not match for "172.17.0.101" 1531674 - Operating System Templates are ordered inconsistently in UI. 1537320 - [RFE] Support for Capsules at 1 version lower than Satellite 1543316 - Satellite 6.2 Upgrade Fails with error "rake aborted! NoMethodError: undefined method first' for nil:NilClass" when there are custom bookmarks created 1563270 - Sync status information is lost after cleaning up old tasks related to sync. 1569324 - Webrick is unable to use 2 supported TLS v1.2 ciphers ('ECDHE-RSA-AES128-GCM-SHA256', 'ECDHE-RSA-AES256-GCM-SHA384') 1571907 - Passenger threads throwing tracebacks on API jobs after spawning 1576859 - [RFE] Implement automatic assigning subnets through data provided by facter 1584184 - [RFE] The locked template is getting overridden by default 1601101 - [RFE] Add autofill functionality to the Job invocation Search query box, copy from Hosts search box 1607706 - [RFE] Add support for --vlanid in Satellite Kickstart Default provisioning template 1608001 - Rearrange search/filter options on Red Hat Repositories page. 1613391 - race condition on removing multiple organizations simultaneously 1619274 - [RFE] Red Hat Satellite should now be able to discover and provision bare metal machines via UEFI HTTP boot 1619422 - User Agent for Downstream RSS feed still says Foreman and Foreman Version 1620214 - Page should auto-refresh after subscriptions have been modified on the Satellite webui 1624049 - Changing the organization in the Satellite WebUI does not change the sync plan page information from the previous organization 1625258 - Having empty "Allocation (GB)" when creating a new Host, nil:NilClass returned on creating the Host 1627066 - Unable to revert to the original version of the provisioning template 1630433 - [RFE] Include Ansible Satellite modules with Ansible Core modules 1630536 - yum repos password stored as cleartext 1632577 - Audit log show 'missing' for adding/removing repository to a CV 1640615 - CVE-2018-3258 mysql-connector-java: Connector/J unspecified vulnerability (CPU October 2018) 1645062 - host_collection controller responds with 200 instead of 201 to a POST request 1645749 - repositories controller responds with 200 instead of 201 to a POST request 1647216 - Lack of edit_smart_proxies permission causes error when setting host to Build 1647364 - [RFE] Extend the audits by the http request id 1647781 - Audits contain no data (Added foo to Missing(ID: x)) 1651297 - Very slow query when using facts on user roles as filters 1653217 - [RFE] More evocative name for Play Ansible Roles option? 1654347 - Satellite may create duplicate CreateRssNotifications tasks after restarting foreman tasks 1654375 - [RFE] Mention specifically uder the admin chexbox for AD LDAP user if its created with admin role, 1659418 - katello-tracer-upload failing with error "ImportError: No module named katello" 1665277 - subscription manager register activation key with special character failed 1665893 - candlepin refuses to start or hangs periodically when having too many messages in ActiveMQ journal 1666693 - Command "hammer subscription list" is not correctly showing the comment "Guests of " in the "Type" field in the output. 1677907 - Ansible API endpoints return 404 1680157 - [RFE] Puppet 'package' provider type does not support selecting modularity streams 1680458 - Locked Report Templates are getting removed. 1680567 - Reporting Engine API to list report template per organization/location returns 404 error 1681619 - [RFE] Disable the option to enter a MAC address after selecting a compute resource while creating new hosts through Satellite 1685949 - [RFE] Support passing of attribute name instead of Id's in RHV workflow 1687116 - kernel version checks should not use /lib/modules to determine running version 1688886 - subscription-manager not attaching the right quantity per the cpu core 1691416 - Delays when many clients upload tracer data simultaneously 1697476 - [RFE] To be able to see the name of the provisioning template being used to build a host from the host itself 1702434 - foreman-bootloaders-redhat-tftpboot expected file permissions in package don't match runtime permissions 1705097 - An empty report file doesn't show any headers 1709557 - [RFE] warn the user if they have done a select all and it includes the restart|reboot service 1709842 - Tracer shows the machines needs rebooting even after reboot if kernel-debug is installed 1710511 - Filter by os_minor includes unexpected values on the Satellite web UI. 1715999 - Use Infoblox API for DNS conflict check and not system resolver 1716423 - Nonexistent quota can be set 1717403 - Broken breadcrumbs link to compute resource VM list on VM detail page 1718012 - [RFE] Add a hard limit of 100 items to restrict any fact child-hash/array 1718954 - [RFE] When the contentAccessMode is set to org_environment for an owner, we should disable auto-attach globally 1719509 - [RFE] "hammer host list" including erratas information 1719516 - [RFE] "hammer host-collection hosts" including erratas information 1720725 - [RFE] Ability to override DHCP options and wait_after_restart option for race condition 1721419 - SSH key cannot be added when FIPS enabled 1722954 - Slow performance when running "hammer host list" with a high number of Content Hosts (15k+ for example) 1723313 - foreman_tasks:cleanup description contain inconsistent information 1724494 - [Capsule][smart_proxy_dynflow_core] "PID file /var/run/foreman-proxy/smart_proxy_dynflow_core.pid not readable (yet?) after start" 1724497 - CVE-2019-12781 Django: Incorrect HTTP detection with reverse-proxy connecting via HTTPS 1726768 - [RFE] Red Hat Satellite 6 GUI, Tasks should show Full name 1729968 - Editing disk size of a Compute Profile for a VMware Compute Resource makes the whole Storage section disappear 1730083 - [RFE] Add Jobs button to host detail page 1731155 - Cloud init template missing snippet compared to Kickstart default user data 1731229 - podman search against Red Hat Satellite 6 fails. 1731235 - [RFE] Create Report Template to list inactive hosts 1733241 - [RFE] hammer does not inherit parent location information 1733650 - Satellite receives RPM1004 pulp error and 403 Forbidden http error retrieving packages from CDN 1736809 - undefined methodsplit' for nil:NilClass when viewing the host info with hammer 1737135 - Content Hosts loses subscriptions after Vmotion and auto attach is unable to assigned the subscriptions if any other subscription is already attached to the host. 1737564 - [RFE] Support custom images on Azure 1738548 - Parameter --openscap-proxy-id is missing in hammer host create command. 1740943 - Increasing Ansible verbosity level does not increase the verbosity of output 1743056 - While creating a host for a particular location, all the domains are in the pull down list, even if only one domain is selected for that location. 1743776 - Error while deleting the content view version. 1745516 - Multiple duplicate index entries are present in candlepin database 1746936 - satellite6 is not using remote execution by default even after setting remote execution by default from satellite web-UI. 1749692 - Default Rhel8 scap content does not get populated on the Satellite 1749916 - [RFE] Satellite should support certificates with > 2048 Key size 1751981 - Parent object properties are not propagated to Child objects in Location and Host Group 1752880 - katello-host-tools-tracer stats paths abusively, leading to a hang or slowness of yum command 1753551 - Traces output from Satellite GUI has mismatches with client tracer output 1756991 - 2 inputs with same name -> uninitialized constant #::NonUniqueInputsError 1757317 - [RFE] Dynflow workers extraction 1757394 - [BUG] Non-admin users always get "Missing one of the required permissions" message while accessing their own table_preferences via Satellite 6 API 1759160 - Rake task for cleaning up DHCP records on proxy 1761872 - Disabled buttons are still working 1763178 - [RFE] Unnecessary call to userhelp and therefore log entries 1763816 - [RFE] Report which users access the API 1766613 - Fact search bar broken and resets to only searching hostname 1766906 - Associating more than 10 Ansible roles to a Host only sets based on the per-page setting 1767497 - Compute Resource filter does not correctly allow Refresh Cache 1767635 - [RFE] Enable Organization and Location to be entered not just selected 1770366 - [RFE] Improve upgrade efficiency by moving RPM post-installation scripts to the installer. 1770544 - Puppet run job notification do not populate "%{puppet_options}"' value 1770777 - Changing concurrency level while executing Ansible jobs fail with NoMethodError: undefined method []' for nil:NilClass 1771367 - undefined methodrequest_uri' when Openidc Provider Token Endpoint is none 1771428 - Openscap documentation link on Satellite 6 webui is broke 1771484 - Client side documentation links are not branded 1771693 - 'Deployed on' parameter is not listed in API output 1772381 - Incorrect example to use multiple attributes as a matcher key in the tooltip for Order 1772517 - login with the user name as same as existing user group gives 500 ISE and wont allow user to login again 1772544 - Use APIv4 is not the default when creating a new compute resource in ovirt 1773298 - GET /katello/api/srpms/compare always fails with error: Missing template katello/api/v2/common/compare 1774710 - UI: When selecting the server type in ldap authentication, "attribute mappings" fields could be populated automatically 1778396 - exporting/importing report template process is causing a different report during the visualization (blank lines) 1778503 - Prepended text on OS name creation 1778681 - Some pages are missing title in html head 1779638 - Unable to filter/search http-proxies using Organization/Location for Satellite UI. 1781671 - While using concurrency_level in remote execution, job progress in WebUI is not being updated properly 1782352 - [RHEL 8.1 client] All packages are not getting updated after click on "Update All Packages" 1782426 - Viewing errata from a repository returns incorrect unfiltered results 1783568 - [RFE] - Bulk Tracer Remediation 1783882 - Ldap refresh failed with "Validation failed: Adding would cause a cycle!" 1784012 - Default kickstart places log to /mnt/sysimage/root/install.post.log 1784341 - disable CertificateRevocationListTask job in candlepin.conf by default 1785117 - [RFE] Add functionality in foreman logging to hash-out or mark as [FILTERED] the password in /var/log/foreman-maintain/foreman-maintain.log and /var/log/foreman-installer/satellite.log file 1785231 - Ansible Variable override to false does not gets reflected on client machine on Red Hat Satellite 6. 1785624 - [UI] Importing templates with associate 'never' is not resulting as expected 1785683 - Does not load datacenter when multiple compute resources are created for same VCenter 1785902 - Ansible RunHostJob tasks failed with "Failed to initialize: NoMethodError - undefined method []' for nil:NilClass" 1785940 - [RFE] Reporting template should allow host filtering based on applicable errata issue date 1787329 - change filename in initrd live CPIO archive to fdi.iso 1788261 - CVE-2018-11751 puppet-agent: Puppet Agent does not properly verify SSL connection when downloading a CRL 1788958 - [RFE] add "elapsed time" column to export and hammer, make it filterable in WebUI 1789006 - Smart proxy dynflow core listens on 0.0.0.0 1789100 - CVE-2019-16782 rubygem-rack: hijack sessions by using timing attacks targeting the session id 1789434 - Template editor not always allows refreshing of the preview pane 1789522 - On unhealthy Satellite, dynflow_envelopes table might grow indefinitely 1789686 - Non-admin user with enough permissions can't generate report of applicable errata 1789815 - The "start" parameter should be mentioned inside "--compute-attributes:" in hammer_cli for Satellite 6 1789911 - "foreman-rake katello:publish_unpublished_repositories" is referring to column which no longer exists in katello_repositories table. 1789924 - [RFE] As user I want to see a "disabled" status for Simple Content Access (Golden Ticketed) Orgs 1791654 - drop config_templates api endpoints and parameters 1791656 - drop deprecated host status endpoint 1791658 - drop reports api endpoint 1791659 - Removeuse_puppet_defaultapi params 1791663 - remove deprecated permissions api parameters 1791665 - drop deprecated compute resource uuid parameter 1792131 - [UI] Could not specify organization/location for users that come from keycloak 1792135 - Not able to login again if session expired from keycloak 1792174 - [RFE] Subscription report template 1792304 - When generating custom report, leave output format field empty 1792378 - [RFE] Long role names are cut off in the roles UI 1793951 - [RFE] Display request UUID on audits page 1794015 - When using boot disk based provisioning, sometimes foreman tries to recreate folder foreman_isos in the datastore even when the folder already exists 1794346 - Change the label for the flashing eye icon during user impersonation 1794641 - Sync status page's content are not being displayed properly. 1795809 - HTML tags visible on paused task page 1796155 - [RFE] host_collections not available in reporting engine unless safe mode disabled 1796205 - iso upload: correctly check if upload directory exists 1796225 - CVE-2020-7238 netty: HTTP Request Smuggling due to Transfer-Encoding whitespace mishandling 1796259 - loading subscriptions page is very slow 1796697 - Unable to list/enable EUS repositories on the RHEL clients registered in the satellite server with org_environment contentAccessMode 1798489 - [RHSSO] - If Access Token Lifespan is set to 5 mins then the user is getting sign out instead after idle SSO timeout 1798668 - Configure default MongoDB WiredTiger cache to be 20% of RAM in the Satellite server 1799480 - CLI - hammer repository info shows blank sync status if the repository sync is in warning/error state. 1800503 - In Hammer, it is not possible to set default keyboard layout for a RHEV host 1801264 - CVE-2020-5217 rubygem-secure_headers: directive injection when using dynamic overrides with user input 1801286 - CVE-2020-5216 rubygem-secure_headers: limited header injection when using dynamic overrides with user input 1802529 - Repository sync in tasks page shows percentage in 17 decimal points 1802631 - Importing Ansible variables yields NoMethodError: undefined methodmap' for nil:NilClass (initialize_variables) [variables_importer.rb] 1803846 - Red Hat Insights Risk Summary shows systems at risk while there are none 1804496 - While performing bulk actions, unable to select all tasks under Monitor --> Tasks page. 1804651 - Missing information about "Create Capsule" via webUI 1805501 - CVE-2020-10693 hibernate-validator: Improper input validation in the interpolation of constraint error messages 1805727 - Default Custom Repository download policy setting refers to old name (Default Repository download policy) in satellite 6.7 1806713 - hypervisor checkin fails with cp_consumer_hypervisor_ukey error 1806842 - Disabling dynflow_enable_console from setting should hide "Dynflow console" in Tasks 1806897 - Red Hat Inventory Uploads fail with NoMethodError: undefined method mtu' 1807042 - [RFE] Support additional disks for VM on Azure Compute Resource 1807321 - A non-admin users with view recurring_logics permissions are unable to list recurring logics. 1807829 - Generated inventory file doesn't exist 1807946 - Multiple duplicate index entries are present in foreman database 1808843 - Satellite lists unrelated RHV storage domains using v4 API 1810250 - Unable to delete repository - Content with ID could not be found 1810549 - dropping packets to qdrouterd triggers a memory leak in qpid-proton 0.28.0-2 libraries used by goferd 1810774 - Applying errata via Host Collection the errata are trying to be applied to all hosts associated with the host collection 1811390 - Links to an errata list of a repository lack repositoryId in URI and points to generic "errata" page instead 1812031 - Improve regenerate applicability tasks performance by querying NEVRA only data from repo_content_units 1812858 - Satellite Inventory Plugin does not appear to make reports which match yupana's API specification 1812904 - 'Hypervisors' task fails with 'undefined method[]' for nil:NilClass' error 1813005 - Prevent --tuning option to be applied in Capsule servers 1813313 - [Tracker] Test HTTP UEFI on IPv6 (QA only tracker) 1814095 - Applicable errata not showing up for module stream errata 1815104 - Locked provisioning template should not be allowed to add audit comment 1815135 - hammer does not support description for custom repositories 1815146 - Backslash escapes when downloading a JSON-formatted report multiple times 1815608 - Content Hosts has Access to Content View from Different Organization 1816330 - CVE-2020-8840 jackson-databind: Lacks certain xbean-reflect/JNDI blocking 1816332 - CVE-2020-9546 jackson-databind: Serialization gadgets in shaded-hikari-config 1816337 - CVE-2020-9547 jackson-databind: Serialization gadgets in ibatis-sqlmap 1816340 - CVE-2020-9548 jackson-databind: Serialization gadgets in anteros-core 1816699 - Satellite Receptor Installer role can miss accounts under certain conditions 1816720 - CVE-2020-7942 puppet: Arbitrary catalog retrieval 1816853 - Report generated by Red Hat Inventory Uploads is empty. 1817215 - Admin must be able to provide all the client ids involved inside Satellite settings. 1817224 - Loading one org's content view when switching to a different org 1817481 - Plugin does not set page