RedHat: RHSA-2018-2373:01 Critical: redhat-certification security update
Summary
The redhat-certification package provides partners with a unified web-based
user interface to certify their products for use on Red Hat Infrastructure.
It can currently be used in the latest releases of Red Hat Certified Cloud
and Service Provider Certification, Red Hat OpenStack Certification and Red
Hat Hardware Certification Programs.
Security Fix(es):
* redhat-certification: rhcertStore.py:__saveResultsFile allows to write
any file (CVE-2018-10870)
* redhat-certification: /download allows to download any file
(CVE-2018-10869)
* redhat-certification: resource consumption in DocumentBase:loadFiltered
(CVE-2018-10864)
For more details about the security issue(s), including the impact, a CVSS
score, and other related information, refer to the CVE page(s) listed in
the References section.
These issues were discovered by Riccardo Schirone (Red Hat Product
Security).
Summary
Solution
For details on how to apply this update, which includes the changes
described in this advisory, refer to:
https://access.redhat.com/articles/11258
References
https://access.redhat.com/security/cve/CVE-2018-10864 https://access.redhat.com/security/cve/CVE-2018-10869 https://access.redhat.com/security/cve/CVE-2018-10870 https://access.redhat.com/security/updates/classification/#critical
Package List
Red Hat Certification for Red Hat Enterprise Linux 7:
Source:
redhat-certification-5.16-20180809.el7.src.rpm
redhat-certification-hardware-5.16-20180809.1.el7.src.rpm
redhat-certification-hardware-preview-5.16-20180809.1.el7.src.rpm
noarch:
redhat-certification-5.16-20180809.el7.noarch.rpm
redhat-certification-backend-5.16-20180809.el7.noarch.rpm
redhat-certification-baremetal-5.16-20180809.el7.noarch.rpm
redhat-certification-cloud-5.16-20180809.el7.noarch.rpm
redhat-certification-hardware-5.16-20180809.1.el7.noarch.rpm
redhat-certification-hardware-preview-5.16-20180809.1.el7.noarch.rpm
redhat-certification-openstack-5.16-20180809.el7.noarch.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/
Topic
An update for redhat-certification is now available for Red HatCertification for Red Hat Enterprise Linux 7.Red Hat Product Security has rated this update as having a security impactof Critical. A Common Vulnerability Scoring System (CVSS) base score, whichgives a detailed severity rating, is available for each vulnerability fromthe CVE link(s) in the References section.
Topic
Relevant Releases Architectures
Red Hat Certification for Red Hat Enterprise Linux 7 - noarch
Bugs Fixed
1593627 - CVE-2018-10864 redhat-certification: resource consumption in DocumentBase:loadFiltered
1593780 - CVE-2018-10869 redhat-certification: /download allows to download any file
1593803 - CVE-2018-10870 redhat-certification: rhcertStore.py:__saveResultsFile allows to write any file