Alerts This Week
Warning Icon 1 758
Alerts This Week
Warning Icon 1 758

Red Hat Enterprise Linux 5: RHSA-2008:1001-01 Important Security Alert

red hat
Calendar Grey November 25, 2008
Dist Redhat Esm H88
Crucial security patch for tog-pegasus modules in Red Hat tackles vulnerabilities in authentication and limits access controls.
Updated tog-pegasus packages that fix security issues are now available for Red Hat Enterprise Linux 5. Red Hat defines additional security enhancements for OpenGroup Pegasus WBE...

Solution

Before applying this update, make sure that all previously-released errata relevant to your system have been applied.

This update is available via Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at

Summary

The tog-pegasus packages provide OpenPegasus Web-Based Enterprise Management (WBEM) services. WBEM is a platform and resource independent Distributed Management Task Force (DMTF) standard that defines a common information model and communication protocol for monitoring and controlling resources.
Red Hat defines additional security enhancements for OpenGroup Pegasus WBEM services in addition to those defined by the upstream OpenGroup Pegasus release. For details regarding these enhancements, refer to the file "README.RedHat.Security", included in the Red Hat tog-pegasus package.
After re-basing to version 2.7.0 of the OpenGroup Pegasus code, these additional security enhancements were no longer being applied. As a consequence, access to OpenPegasus WBEM services was not restricted to the dedicated users as described in README.RedHat.Security. An attacker able to authenticate using a valid user account could use this flaw to send requests to WBEM services. (CVE-2008-4313)
Note: default SELinux policy prevents tog-pegasus from modifying system files. This flaw's impact depends on whether or not tog-pegasus is confined by SELinux, and on any additional CMPI providers installed and enabled on a particular system.
Failed authentication attempts against the OpenPegasus CIM server were not logged to the system log as documented in README.RedHat.Security. An attacker could use this flaw to perform password guessing attacks against a user account without leaving traces in the system log. (CVE-2008-4315)
All tog-pegasus users are advised to upgrade to these updated packages, which contain patches to correct these issues.

References

https://www.cve.org/CVERecord?id=CVE-2008-4313 https://www.cve.org/CVERecord?id=CVE-2008-4315 https://access.redhat.com/security/updates/classification#important

Package List

Red Hat Enterprise Linux Desktop (v. 5 client):
Source:
i386: tog-pegasus-2.7.0-2.el5_2.1.i386.rpm tog-pegasus-debuginfo-2.7.0-2.el5_2.1.i386.rpm tog-pegasus-devel-2.7.0-2.el5_2.1.i386.rpm
x86_64: tog-pegasus-2.7.0-2.el5_2.1.i386.rpm tog-pegasus-2.7.0-2.el5_2.1.x86_64.rpm tog-pegasus-debuginfo-2.7.0-2.el5_2.1.i386.rpm tog-pegasus-debuginfo-2.7.0-2.el5_2.1.x86_64.rpm tog-pegasus-devel-2.7.0-2.el5_2.1.i386.rpm tog-pegasus-devel-2.7.0-2.el5_2.1.x86_64.rpm
Red Hat Enterprise Linux (v. 5 server):
Source:
i386: tog-pegasus-2.7.0-2.el5_2.1.i386.rpm tog-pegasus-debuginfo-2.7.0-2.el5_2.1.i386.rpm tog-pegasus-devel-2.7.0-2.el5_2.1.i386.rpm
ia64: tog-pegasus-2.7.0-2.el5_2.1.ia64.rpm tog-pegasus-debuginfo-2.7.0-2.el5_2.1.ia64.rpm tog-pegasus-devel-2.7.0-2.el5_2.1.ia64.rpm
ppc: tog-pegasus-2.7.0-2.el5_2.1.ppc.rpm tog-pegasus-2.7.0-2.el5_2.1.ppc64.rpm tog-pegasus-debuginfo-2.7.0-2.el5_2.1.ppc.rpm tog-pegasus-debuginfo-2.7.0-2.el5_2.1.ppc64.rpm tog-pegasus-devel-2.7.0-2.el5_2.1.ppc.rpm tog-pegasus-devel-2.7.0-2.el5_2.1.ppc64.rpm
s390x: tog-pegasus-2.7.0-2.el5_2.1.s390.rpm tog-pegasus-2.7.0-2.el5_2.1.s390x.rpm tog-pegasus-debuginfo-2.7.0-2.el5_2.1.s390.rpm tog-pegasus-debuginfo-2.7.0-2.el5_2.1.s390x.rpm

Read the Full Advisory


Severity
important
Lowest
Low
Medium
High
Critical

Advisory ID: RHSA-2008:1001-01
Product: Red Hat Enterprise Linux
Issue date: 2008-11-25

Topic

Updated tog-pegasus packages that fix security issues are now available for Red Hat Enterprise Linux 5.

This update has been rated as having important security impact by the Red Hat Security Response Team.

Relevant Releases Architectures

Red Hat Enterprise Linux Desktop (v. 5 client) - i386, x86_64

Red Hat Enterprise Linux (v. 5 server) - i386, ia64, ppc, s390x, x86_64

Bugs Fixed

459217 - CVE-2008-4313 tog-pegasus: WBEM services access not restricted to dedicated user after 2.7.0 rebase

472017 - CVE-2008-4315 tog-pegasus: failed authentication attempts not logged via PAM

Get the latest News and Insights

Get the latest Linux and open source security news straight to your inbox.

Your message here