Multiple Red Hat Network Products XMLRPC Credentials Information Disclosure Vulnerability

Bugtraq ID:	51569
Class:	Design Error
CVE:	CVE-2012-0059
Remote:	Yes
Local:	Yes
Published:	Jan 19 2012 12:00AM
Updated:	Feb 06 2012 09:00PM
Credit:	Red Hat
Vulnerable:	Red Hat Spacewalk 1.6 + RedHat Linux 6.2 E sparc + RedHat Linux 6.2 E i386 + RedHat Linux 6.2 E alpha + RedHat Linux 6.2 sparc + RedHat Linux 6.2 i386 + RedHat Linux 6.2 alpha Red Hat Network Satellite Server (for RHEL 6) 5.4 Red Hat Network Satellite Server (for RHEL 5) 5.4 Red Hat Network Satellite Server (for RHEL 5) 5.3 Red Hat Network Satellite Server (for RHEL 4) 5.3 Red Hat Network Proxy (for RHEL 6) 5.4 Red Hat Network Proxy (for RHEL 5) 5.4
Not Vulnerable:

Multiple Red Hat Network Products XMLRPC Credentials Information Disclosure Vulnerability

Multiple Red Hat products including Red Hat Network Satellite Server, Red Hat Network Proxy Server, and Spacewalk are prone to a remote information-disclosure vulnerability.

Successful exploits may allow an attacker to obtain user credentials.

Multiple Red Hat Network Products XMLRPC Credentials Information Disclosure Vulnerability

An attacker can exploit this issue either through local interactive access, or through a man-in-the-middle attack.

Multiple Red Hat Network Products XMLRPC Credentials Information Disclosure Vulnerability

Solution:
Vendor updates are available. Please see the references for more information.

Multiple Red Hat Network Products XMLRPC Credentials Information Disclosure Vulnerability

References:

• Red Hat Homepage (Red Hat)
  
• Spacewalk Homepage (Red Hat)
  
• Bug 749890 - Mask passwords from xmlrpc tracebacks (Christopher J Suleski)
  
• Bug 782819 - (CVE-2012-0059) CVE-2012-0059 Satellite, Spacewalk: RHN user passwo (Christopher J Suleski)
  
• RHSA-2012:0101-1 Red Hat Network Satellite spacewalk-backend security and bug fi (Red Hat)
  
• RHSA-2012:0102-1 Red Hat Network Proxy spacewalk-backend security and bug fix up (Red Hat)