QID 240566

Date Published: 2022-08-03

QID 240566: Red Hat Update for Satellite 6.11 Release (RHSA-2022:5498)

Red Hat Satellite is a systems management tool for Linux-based infrastructure. It allows for provisioning, remote management, and monitoring of multiple Linux deployments with a single centralized tool.

Security Fix(es):

libsolv: Heap-based buffer overflow in testcase_read() in src/testcase.c (CVE-2021-3200)
satellite: foreman: Authenticate remote code execution through Sendmail configuration (CVE-2021-3584)
candlepin: Allow unintended SCA certificate to authenticate Candlepin (CVE-2021-4142)
candlepin: netty: Information disclosure via the local system temporary directory (CVE-2021-21290)
candlepin: netty: Possible request smuggling in HTTP/2 due to missing validation (CVE-2021-21295)
candlepin: netty: Request smuggling via content-length header (CVE-2021-21409)
tfm-rubygem-sidekiq: XSS via the queue name of the live-poll feature (CVE-2021-30151)
python-sqlparse: ReDoS via regular expression in StripComments filter (CVE-2021-32839)
libsolv: various flaws (CVE-2021-33928 CVE-2021-33929 CVE-2021-33930 CVE-2021-33938)
tfm-rubygem-puma: Inconsistent Interpretation of HTTP Requests in puma (CVE-2021-41136)
logback-classic: Remote code execution through JNDI call from within its configuration file (CVE-2021-42550)
candlepin: netty: Control chars in header names may lead to HTTP request smuggling (CVE-2021-43797)
python-lxml: HTML Cleaner allows crafted and SVG embedded scripts to pass through (CVE-2021-43818)
python3-django: Potential bypass of an upstream access control based on URL paths (CVE-2021-44420)
libsolv: Heap overflow (CVE-2021-44568)
python3-django: Various flaws (CVE-2021-45115 CVE-2021-45116 CVE-2021-45452 CVE-2022-22818)
tfm-rubygem-actionpack: Information leak between requests (CVE-2022-23633)
tfm-rubygem-puma: rubygem-rails: Information leak between requests (CVE-2022-23634)
python3-django: Denial-of-service possibility in file uploads (CVE-2022-23833)
tfm-rubygem-sidekiq: WebUI Denial of Service caused by number of days on graph (CVE-2022-23837)
python3-django: Various flaws (CVE-2022-28346 CVE-2022-28347)

Affected Products:

Red Hat Enterprise Linux Server 7 x86_64
Red Hat Satellite 6.11 for RHEL 8 x86_64
Red Hat Satellite 6.11 for RHEL 7 x86_64
Red Hat Satellite Capsule 6.11 for RHEL 8 x86_64
Red Hat Satellite Capsule 6.11 for RHEL 7 x86_64
Red Hat Enterprise Linux for x86_64 8 x86_64

Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.

On successful exploitation, it could allow an attacker to execute code.

  • CVSS V3 rated as Critical - 9.8 severity.
  • CVSS V2 rated as Critical - 9 severity.
  • Solution
    Upgrade to the latest packages which contain a patch. Refer to Applying Package Updates to RHEL system for details.

    Refer to Red Hat security advisory RHSA-2022:5498 to address this issue and obtain more information.

    Vendor References
    Software Advisories
    Advisory ID: RHSA-2022:5498
    Software Component: Red Hat Enterprise Linux
    Link: access.redhat.com/errata/RHSA-2022:5498?language=en