RHSA-2013:0545
Vulnerability from csaf_redhat - Published: 2013-02-21 18:53 - Updated: 2025-11-21 17:42Summary
Red Hat Security Advisory: CloudForms Cloud Engine 1.1.2 update
Notes
Topic
CloudForms Cloud Engine 1.1.2 is now available.
The Red Hat Security Response Team has rated this update as having moderate
security impact. Common Vulnerability Scoring System (CVSS) base scores,
which give detailed severity ratings, are available for each vulnerability
from the CVE links in the References section.
Details
Red Hat CloudForms is an on-premise hybrid cloud
Infrastructure-as-a-Service (IaaS) product that lets you create and manage
private and public clouds. It provides self-service computing resources to
users in a managed, governed, and secure way. CloudForms Cloud Engine is a
management application for cloud resources.
It was found that the Aeolus Configuration Server stored passwords in plain
text in the world-readable "/var/log/aeolus-configserver/configserver.log"
file. A local attacker could use this flaw to obtain the administrative
passwords for other services (such as Katello, databases, and so on).
(CVE-2012-6117)
It was found that Conductor, the web-based management console, allowed
unprivileged users to modify their quota for the number of instances they
are allowed to run. An unprivileged user could use this flaw to monopolize
resources and run more instances than intended. (CVE-2012-6118)
It was found that the aeolus-configserver-setup script created a
world-readable file containing authentication details in plain text in the
"/tmp/" directory. A local attacker could use this flaw to obtain Audrey
credentials, allowing them to make configuration changes to Audrey-enabled
instances. (CVE-2012-5509)
The CVE-2012-6117 issue was discovered by James Laska of Red Hat;
CVE-2012-6118 was discovered by Tomas Sedovic of Red Hat; and CVE-2012-5509
was discovered by Aaron Weitekamp of the Red Hat Cloud Quality Engineering
team.
This update also fixes the following bug:
* A bug in the initial filter view for instances caused stopped instances
to display for the default "Non stopped applications" option until
auto-refresh. This bug fix corrects the form rendering for the filter view.
The filter view now displays only non-stopped instances. (BZ#895569)
Additionally, this update adds the following enhancements:
* Red Hat Enterprise Linux 5.9 support to guest image building in
CloudForms Cloud Engine. (BZ#903646)
* Support for Red Hat Enterprise Linux 5.9 Amazon Machine Images (AMI) on
Amazon Web Services (AWS) Elastic Compute Cloud (EC2) providers for
CloudForms Cloud Engine. (BZ#903651)
* Red Hat Enterprise Linux 6.4 support to guest image building in
CloudForms Cloud Engine. (BZ#903395)
* Support for Red Hat Enterprise Linux 6.4 Amazon Machine Images (AMI) on
Amazon Web Services (AWS) Elastic Compute Cloud (EC2) providers for
CloudForms Cloud Engine. (BZ#903650)
Refer to the CloudForms 1.1.2 Release Notes for further information about
this release. The Release Notes will be available shortly from
https://access.redhat.com/knowledge/docs/
To upgrade, follow the upgrade instructions in the CloudForms Installation
Guide:
https://access.redhat.com/knowledge/docs/en-US/CloudForms/1.1/html/Installation_Guide/Updating_CloudForms_Cloud_Engine.html
Users of CloudForms Cloud Engine are advised to upgrade to these updated
packages.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "CloudForms Cloud Engine 1.1.2 is now available.\n\nThe Red Hat Security Response Team has rated this update as having moderate\nsecurity impact. Common Vulnerability Scoring System (CVSS) base scores,\nwhich give detailed severity ratings, are available for each vulnerability\nfrom the CVE links in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "Red Hat CloudForms is an on-premise hybrid cloud\nInfrastructure-as-a-Service (IaaS) product that lets you create and manage\nprivate and public clouds. It provides self-service computing resources to\nusers in a managed, governed, and secure way. CloudForms Cloud Engine is a\nmanagement application for cloud resources.\n\nIt was found that the Aeolus Configuration Server stored passwords in plain\ntext in the world-readable \"/var/log/aeolus-configserver/configserver.log\"\nfile. A local attacker could use this flaw to obtain the administrative\npasswords for other services (such as Katello, databases, and so on).\n(CVE-2012-6117)\n\nIt was found that Conductor, the web-based management console, allowed\nunprivileged users to modify their quota for the number of instances they\nare allowed to run. An unprivileged user could use this flaw to monopolize\nresources and run more instances than intended. (CVE-2012-6118)\n\nIt was found that the aeolus-configserver-setup script created a\nworld-readable file containing authentication details in plain text in the\n\"/tmp/\" directory. A local attacker could use this flaw to obtain Audrey\ncredentials, allowing them to make configuration changes to Audrey-enabled\ninstances. (CVE-2012-5509)\n\nThe CVE-2012-6117 issue was discovered by James Laska of Red Hat;\nCVE-2012-6118 was discovered by Tomas Sedovic of Red Hat; and CVE-2012-5509\nwas discovered by Aaron Weitekamp of the Red Hat Cloud Quality Engineering\nteam.\n\nThis update also fixes the following bug:\n\n* A bug in the initial filter view for instances caused stopped instances\nto display for the default \"Non stopped applications\" option until\nauto-refresh. This bug fix corrects the form rendering for the filter view.\nThe filter view now displays only non-stopped instances. (BZ#895569)\n\nAdditionally, this update adds the following enhancements:\n\n* Red Hat Enterprise Linux 5.9 support to guest image building in\nCloudForms Cloud Engine. (BZ#903646)\n\n* Support for Red Hat Enterprise Linux 5.9 Amazon Machine Images (AMI) on\nAmazon Web Services (AWS) Elastic Compute Cloud (EC2) providers for\nCloudForms Cloud Engine. (BZ#903651)\n\n* Red Hat Enterprise Linux 6.4 support to guest image building in\nCloudForms Cloud Engine. (BZ#903395)\n\n* Support for Red Hat Enterprise Linux 6.4 Amazon Machine Images (AMI) on\nAmazon Web Services (AWS) Elastic Compute Cloud (EC2) providers for\nCloudForms Cloud Engine. (BZ#903650)\n\nRefer to the CloudForms 1.1.2 Release Notes for further information about\nthis release. The Release Notes will be available shortly from\nhttps://access.redhat.com/knowledge/docs/\n\nTo upgrade, follow the upgrade instructions in the CloudForms Installation\nGuide:\n\nhttps://access.redhat.com/knowledge/docs/en-US/CloudForms/1.1/html/Installation_Guide/Updating_CloudForms_Cloud_Engine.html\n\nUsers of CloudForms Cloud Engine are advised to upgrade to these updated\npackages.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2013:0545",
"url": "https://access.redhat.com/errata/RHSA-2013:0545"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#moderate",
"url": "https://access.redhat.com/security/updates/classification/#moderate"
},
{
"category": "external",
"summary": "https://access.redhat.com/knowledge/docs/",
"url": "https://access.redhat.com/knowledge/docs/"
},
{
"category": "external",
"summary": "https://access.redhat.com/knowledge/docs/en-US/CloudForms/1.1/html/Installation_Guide/Updating_CloudForms_Cloud_Engine.html",
"url": "https://access.redhat.com/knowledge/docs/en-US/CloudForms/1.1/html/Installation_Guide/Updating_CloudForms_Cloud_Engine.html"
},
{
"category": "external",
"summary": "875294",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=875294"
},
{
"category": "external",
"summary": "895569",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=895569"
},
{
"category": "external",
"summary": "903395",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=903395"
},
{
"category": "external",
"summary": "903646",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=903646"
},
{
"category": "external",
"summary": "903650",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=903650"
},
{
"category": "external",
"summary": "903651",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=903651"
},
{
"category": "external",
"summary": "906192",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=906192"
},
{
"category": "external",
"summary": "906201",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=906201"
},
{
"category": "external",
"summary": "912395",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=912395"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2013/rhsa-2013_0545.json"
}
],
"title": "Red Hat Security Advisory: CloudForms Cloud Engine 1.1.2 update",
"tracking": {
"current_release_date": "2025-11-21T17:42:33+00:00",
"generator": {
"date": "2025-11-21T17:42:33+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.6.12"
}
},
"id": "RHSA-2013:0545",
"initial_release_date": "2013-02-21T18:53:00+00:00",
"revision_history": [
{
"date": "2013-02-21T18:53:00+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2013-02-21T19:01:30+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2025-11-21T17:42:33+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "CloudForms Cloud Engine for RHEL 6 Server",
"product": {
"name": "CloudForms Cloud Engine for RHEL 6 Server",
"product_id": "6Server-CloudEngine",
"product_identification_helper": {
"cpe": "cpe:/a:cloudforms_cloudengine:1::el6"
}
}
}
],
"category": "product_family",
"name": "Red Hat CloudForms"
},
{
"branches": [
{
"category": "product_version",
"name": "aeolus-conductor-daemons-0:0.13.26-1.el6cf.noarch",
"product": {
"name": "aeolus-conductor-daemons-0:0.13.26-1.el6cf.noarch",
"product_id": "aeolus-conductor-daemons-0:0.13.26-1.el6cf.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/aeolus-conductor-daemons@0.13.26-1.el6cf?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "aeolus-conductor-doc-0:0.13.26-1.el6cf.noarch",
"product": {
"name": "aeolus-conductor-doc-0:0.13.26-1.el6cf.noarch",
"product_id": "aeolus-conductor-doc-0:0.13.26-1.el6cf.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/aeolus-conductor-doc@0.13.26-1.el6cf?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "aeolus-conductor-devel-0:0.13.26-1.el6cf.noarch",
"product": {
"name": "aeolus-conductor-devel-0:0.13.26-1.el6cf.noarch",
"product_id": "aeolus-conductor-devel-0:0.13.26-1.el6cf.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/aeolus-conductor-devel@0.13.26-1.el6cf?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "aeolus-all-0:0.13.26-1.el6cf.noarch",
"product": {
"name": "aeolus-all-0:0.13.26-1.el6cf.noarch",
"product_id": "aeolus-all-0:0.13.26-1.el6cf.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/aeolus-all@0.13.26-1.el6cf?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "aeolus-conductor-0:0.13.26-1.el6cf.noarch",
"product": {
"name": "aeolus-conductor-0:0.13.26-1.el6cf.noarch",
"product_id": "aeolus-conductor-0:0.13.26-1.el6cf.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/aeolus-conductor@0.13.26-1.el6cf?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "oz-0:0.8.0-8.el6cf.noarch",
"product": {
"name": "oz-0:0.8.0-8.el6cf.noarch",
"product_id": "oz-0:0.8.0-8.el6cf.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/oz@0.8.0-8.el6cf?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "aeolus-configserver-0:0.4.12-3.el6cf.noarch",
"product": {
"name": "aeolus-configserver-0:0.4.12-3.el6cf.noarch",
"product_id": "aeolus-configserver-0:0.4.12-3.el6cf.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/aeolus-configserver@0.4.12-3.el6cf?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "imagefactory-jeosconf-ec2-fedora-0:1.0.3-1.el6cf.noarch",
"product": {
"name": "imagefactory-jeosconf-ec2-fedora-0:1.0.3-1.el6cf.noarch",
"product_id": "imagefactory-jeosconf-ec2-fedora-0:1.0.3-1.el6cf.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/imagefactory-jeosconf-ec2-fedora@1.0.3-1.el6cf?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "imagefactory-jeosconf-ec2-rhel-0:1.0.3-1.el6cf.noarch",
"product": {
"name": "imagefactory-jeosconf-ec2-rhel-0:1.0.3-1.el6cf.noarch",
"product_id": "imagefactory-jeosconf-ec2-rhel-0:1.0.3-1.el6cf.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/imagefactory-jeosconf-ec2-rhel@1.0.3-1.el6cf?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "imagefactory-0:1.0.3-1.el6cf.noarch",
"product": {
"name": "imagefactory-0:1.0.3-1.el6cf.noarch",
"product_id": "imagefactory-0:1.0.3-1.el6cf.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/imagefactory@1.0.3-1.el6cf?arch=noarch"
}
}
}
],
"category": "architecture",
"name": "noarch"
},
{
"branches": [
{
"category": "product_version",
"name": "aeolus-conductor-0:0.13.26-1.el6cf.src",
"product": {
"name": "aeolus-conductor-0:0.13.26-1.el6cf.src",
"product_id": "aeolus-conductor-0:0.13.26-1.el6cf.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/aeolus-conductor@0.13.26-1.el6cf?arch=src"
}
}
},
{
"category": "product_version",
"name": "oz-0:0.8.0-8.el6cf.src",
"product": {
"name": "oz-0:0.8.0-8.el6cf.src",
"product_id": "oz-0:0.8.0-8.el6cf.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/oz@0.8.0-8.el6cf?arch=src"
}
}
},
{
"category": "product_version",
"name": "aeolus-configserver-0:0.4.12-3.el6cf.src",
"product": {
"name": "aeolus-configserver-0:0.4.12-3.el6cf.src",
"product_id": "aeolus-configserver-0:0.4.12-3.el6cf.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/aeolus-configserver@0.4.12-3.el6cf?arch=src"
}
}
},
{
"category": "product_version",
"name": "imagefactory-0:1.0.3-1.el6cf.src",
"product": {
"name": "imagefactory-0:1.0.3-1.el6cf.src",
"product_id": "imagefactory-0:1.0.3-1.el6cf.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/imagefactory@1.0.3-1.el6cf?arch=src"
}
}
}
],
"category": "architecture",
"name": "src"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "aeolus-all-0:0.13.26-1.el6cf.noarch as a component of CloudForms Cloud Engine for RHEL 6 Server",
"product_id": "6Server-CloudEngine:aeolus-all-0:0.13.26-1.el6cf.noarch"
},
"product_reference": "aeolus-all-0:0.13.26-1.el6cf.noarch",
"relates_to_product_reference": "6Server-CloudEngine"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "aeolus-conductor-0:0.13.26-1.el6cf.noarch as a component of CloudForms Cloud Engine for RHEL 6 Server",
"product_id": "6Server-CloudEngine:aeolus-conductor-0:0.13.26-1.el6cf.noarch"
},
"product_reference": "aeolus-conductor-0:0.13.26-1.el6cf.noarch",
"relates_to_product_reference": "6Server-CloudEngine"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "aeolus-conductor-0:0.13.26-1.el6cf.src as a component of CloudForms Cloud Engine for RHEL 6 Server",
"product_id": "6Server-CloudEngine:aeolus-conductor-0:0.13.26-1.el6cf.src"
},
"product_reference": "aeolus-conductor-0:0.13.26-1.el6cf.src",
"relates_to_product_reference": "6Server-CloudEngine"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "aeolus-conductor-daemons-0:0.13.26-1.el6cf.noarch as a component of CloudForms Cloud Engine for RHEL 6 Server",
"product_id": "6Server-CloudEngine:aeolus-conductor-daemons-0:0.13.26-1.el6cf.noarch"
},
"product_reference": "aeolus-conductor-daemons-0:0.13.26-1.el6cf.noarch",
"relates_to_product_reference": "6Server-CloudEngine"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "aeolus-conductor-devel-0:0.13.26-1.el6cf.noarch as a component of CloudForms Cloud Engine for RHEL 6 Server",
"product_id": "6Server-CloudEngine:aeolus-conductor-devel-0:0.13.26-1.el6cf.noarch"
},
"product_reference": "aeolus-conductor-devel-0:0.13.26-1.el6cf.noarch",
"relates_to_product_reference": "6Server-CloudEngine"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "aeolus-conductor-doc-0:0.13.26-1.el6cf.noarch as a component of CloudForms Cloud Engine for RHEL 6 Server",
"product_id": "6Server-CloudEngine:aeolus-conductor-doc-0:0.13.26-1.el6cf.noarch"
},
"product_reference": "aeolus-conductor-doc-0:0.13.26-1.el6cf.noarch",
"relates_to_product_reference": "6Server-CloudEngine"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "aeolus-configserver-0:0.4.12-3.el6cf.noarch as a component of CloudForms Cloud Engine for RHEL 6 Server",
"product_id": "6Server-CloudEngine:aeolus-configserver-0:0.4.12-3.el6cf.noarch"
},
"product_reference": "aeolus-configserver-0:0.4.12-3.el6cf.noarch",
"relates_to_product_reference": "6Server-CloudEngine"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "aeolus-configserver-0:0.4.12-3.el6cf.src as a component of CloudForms Cloud Engine for RHEL 6 Server",
"product_id": "6Server-CloudEngine:aeolus-configserver-0:0.4.12-3.el6cf.src"
},
"product_reference": "aeolus-configserver-0:0.4.12-3.el6cf.src",
"relates_to_product_reference": "6Server-CloudEngine"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "imagefactory-0:1.0.3-1.el6cf.noarch as a component of CloudForms Cloud Engine for RHEL 6 Server",
"product_id": "6Server-CloudEngine:imagefactory-0:1.0.3-1.el6cf.noarch"
},
"product_reference": "imagefactory-0:1.0.3-1.el6cf.noarch",
"relates_to_product_reference": "6Server-CloudEngine"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "imagefactory-0:1.0.3-1.el6cf.src as a component of CloudForms Cloud Engine for RHEL 6 Server",
"product_id": "6Server-CloudEngine:imagefactory-0:1.0.3-1.el6cf.src"
},
"product_reference": "imagefactory-0:1.0.3-1.el6cf.src",
"relates_to_product_reference": "6Server-CloudEngine"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "imagefactory-jeosconf-ec2-fedora-0:1.0.3-1.el6cf.noarch as a component of CloudForms Cloud Engine for RHEL 6 Server",
"product_id": "6Server-CloudEngine:imagefactory-jeosconf-ec2-fedora-0:1.0.3-1.el6cf.noarch"
},
"product_reference": "imagefactory-jeosconf-ec2-fedora-0:1.0.3-1.el6cf.noarch",
"relates_to_product_reference": "6Server-CloudEngine"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "imagefactory-jeosconf-ec2-rhel-0:1.0.3-1.el6cf.noarch as a component of CloudForms Cloud Engine for RHEL 6 Server",
"product_id": "6Server-CloudEngine:imagefactory-jeosconf-ec2-rhel-0:1.0.3-1.el6cf.noarch"
},
"product_reference": "imagefactory-jeosconf-ec2-rhel-0:1.0.3-1.el6cf.noarch",
"relates_to_product_reference": "6Server-CloudEngine"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "oz-0:0.8.0-8.el6cf.noarch as a component of CloudForms Cloud Engine for RHEL 6 Server",
"product_id": "6Server-CloudEngine:oz-0:0.8.0-8.el6cf.noarch"
},
"product_reference": "oz-0:0.8.0-8.el6cf.noarch",
"relates_to_product_reference": "6Server-CloudEngine"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "oz-0:0.8.0-8.el6cf.src as a component of CloudForms Cloud Engine for RHEL 6 Server",
"product_id": "6Server-CloudEngine:oz-0:0.8.0-8.el6cf.src"
},
"product_reference": "oz-0:0.8.0-8.el6cf.src",
"relates_to_product_reference": "6Server-CloudEngine"
}
]
},
"vulnerabilities": [
{
"acknowledgments": [
{
"names": [
"Aaron Weitekamp"
],
"organization": "Red Hat Cloud Quality Engineering team",
"summary": "This issue was discovered by Red Hat."
}
],
"cve": "CVE-2012-5509",
"cwe": {
"id": "CWE-200",
"name": "Exposure of Sensitive Information to an Unauthorized Actor"
},
"discovery_date": "2012-11-09T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "875294"
}
],
"notes": [
{
"category": "description",
"text": "aeolus-configserver-setup in the Aeolas Configuration Server, as used in Red Hat CloudForms Cloud Engine before 1.1.2, uses world-readable permissions for a temporary file in /tmp, which allows local users to read credentials by reading this file.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "aeolus-configserver: aeolus-configserver-setup /tmp file conductor credentials leak",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"6Server-CloudEngine:aeolus-all-0:0.13.26-1.el6cf.noarch",
"6Server-CloudEngine:aeolus-conductor-0:0.13.26-1.el6cf.noarch",
"6Server-CloudEngine:aeolus-conductor-0:0.13.26-1.el6cf.src",
"6Server-CloudEngine:aeolus-conductor-daemons-0:0.13.26-1.el6cf.noarch",
"6Server-CloudEngine:aeolus-conductor-devel-0:0.13.26-1.el6cf.noarch",
"6Server-CloudEngine:aeolus-conductor-doc-0:0.13.26-1.el6cf.noarch",
"6Server-CloudEngine:aeolus-configserver-0:0.4.12-3.el6cf.noarch",
"6Server-CloudEngine:aeolus-configserver-0:0.4.12-3.el6cf.src",
"6Server-CloudEngine:imagefactory-0:1.0.3-1.el6cf.noarch",
"6Server-CloudEngine:imagefactory-0:1.0.3-1.el6cf.src",
"6Server-CloudEngine:imagefactory-jeosconf-ec2-fedora-0:1.0.3-1.el6cf.noarch",
"6Server-CloudEngine:imagefactory-jeosconf-ec2-rhel-0:1.0.3-1.el6cf.noarch",
"6Server-CloudEngine:oz-0:0.8.0-8.el6cf.noarch",
"6Server-CloudEngine:oz-0:0.8.0-8.el6cf.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2012-5509"
},
{
"category": "external",
"summary": "RHBZ#875294",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=875294"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2012-5509",
"url": "https://www.cve.org/CVERecord?id=CVE-2012-5509"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2012-5509",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2012-5509"
}
],
"release_date": "2013-02-21T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2013-02-21T18:53:00+00:00",
"details": "Before applying this update, make sure all previously-released errata\nrelevant to your system have been applied.\n\nThis update is available via the Red Hat Network. Details on how to\nuse the Red Hat Network to apply this update are available at\nhttps://access.redhat.com/knowledge/articles/11258",
"product_ids": [
"6Server-CloudEngine:aeolus-all-0:0.13.26-1.el6cf.noarch",
"6Server-CloudEngine:aeolus-conductor-0:0.13.26-1.el6cf.noarch",
"6Server-CloudEngine:aeolus-conductor-0:0.13.26-1.el6cf.src",
"6Server-CloudEngine:aeolus-conductor-daemons-0:0.13.26-1.el6cf.noarch",
"6Server-CloudEngine:aeolus-conductor-devel-0:0.13.26-1.el6cf.noarch",
"6Server-CloudEngine:aeolus-conductor-doc-0:0.13.26-1.el6cf.noarch",
"6Server-CloudEngine:aeolus-configserver-0:0.4.12-3.el6cf.noarch",
"6Server-CloudEngine:aeolus-configserver-0:0.4.12-3.el6cf.src",
"6Server-CloudEngine:imagefactory-0:1.0.3-1.el6cf.noarch",
"6Server-CloudEngine:imagefactory-0:1.0.3-1.el6cf.src",
"6Server-CloudEngine:imagefactory-jeosconf-ec2-fedora-0:1.0.3-1.el6cf.noarch",
"6Server-CloudEngine:imagefactory-jeosconf-ec2-rhel-0:1.0.3-1.el6cf.noarch",
"6Server-CloudEngine:oz-0:0.8.0-8.el6cf.noarch",
"6Server-CloudEngine:oz-0:0.8.0-8.el6cf.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2013:0545"
}
],
"scores": [
{
"cvss_v2": {
"accessComplexity": "LOW",
"accessVector": "LOCAL",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 2.1,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "NONE",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
"version": "2.0"
},
"products": [
"6Server-CloudEngine:aeolus-all-0:0.13.26-1.el6cf.noarch",
"6Server-CloudEngine:aeolus-conductor-0:0.13.26-1.el6cf.noarch",
"6Server-CloudEngine:aeolus-conductor-0:0.13.26-1.el6cf.src",
"6Server-CloudEngine:aeolus-conductor-daemons-0:0.13.26-1.el6cf.noarch",
"6Server-CloudEngine:aeolus-conductor-devel-0:0.13.26-1.el6cf.noarch",
"6Server-CloudEngine:aeolus-conductor-doc-0:0.13.26-1.el6cf.noarch",
"6Server-CloudEngine:aeolus-configserver-0:0.4.12-3.el6cf.noarch",
"6Server-CloudEngine:aeolus-configserver-0:0.4.12-3.el6cf.src",
"6Server-CloudEngine:imagefactory-0:1.0.3-1.el6cf.noarch",
"6Server-CloudEngine:imagefactory-0:1.0.3-1.el6cf.src",
"6Server-CloudEngine:imagefactory-jeosconf-ec2-fedora-0:1.0.3-1.el6cf.noarch",
"6Server-CloudEngine:imagefactory-jeosconf-ec2-rhel-0:1.0.3-1.el6cf.noarch",
"6Server-CloudEngine:oz-0:0.8.0-8.el6cf.noarch",
"6Server-CloudEngine:oz-0:0.8.0-8.el6cf.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "aeolus-configserver: aeolus-configserver-setup /tmp file conductor credentials leak"
},
{
"acknowledgments": [
{
"names": [
"James Laska"
],
"organization": "Red Hat",
"summary": "This issue was discovered by Red Hat."
}
],
"cve": "CVE-2012-6117",
"discovery_date": "2012-11-01T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "906201"
}
],
"notes": [
{
"category": "description",
"text": "Aeolus Configuration Server, as used in Red Hat CloudForms Cloud Engine before 1.1.2, uses world-readable permissions for /var/log/aeolus-configserver/configserver.log, which allows local users to read plaintext passwords by reading the log file.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "Configserver: Passwords from application blueprint stored plaintext in configserver.log",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"6Server-CloudEngine:aeolus-all-0:0.13.26-1.el6cf.noarch",
"6Server-CloudEngine:aeolus-conductor-0:0.13.26-1.el6cf.noarch",
"6Server-CloudEngine:aeolus-conductor-0:0.13.26-1.el6cf.src",
"6Server-CloudEngine:aeolus-conductor-daemons-0:0.13.26-1.el6cf.noarch",
"6Server-CloudEngine:aeolus-conductor-devel-0:0.13.26-1.el6cf.noarch",
"6Server-CloudEngine:aeolus-conductor-doc-0:0.13.26-1.el6cf.noarch",
"6Server-CloudEngine:aeolus-configserver-0:0.4.12-3.el6cf.noarch",
"6Server-CloudEngine:aeolus-configserver-0:0.4.12-3.el6cf.src",
"6Server-CloudEngine:imagefactory-0:1.0.3-1.el6cf.noarch",
"6Server-CloudEngine:imagefactory-0:1.0.3-1.el6cf.src",
"6Server-CloudEngine:imagefactory-jeosconf-ec2-fedora-0:1.0.3-1.el6cf.noarch",
"6Server-CloudEngine:imagefactory-jeosconf-ec2-rhel-0:1.0.3-1.el6cf.noarch",
"6Server-CloudEngine:oz-0:0.8.0-8.el6cf.noarch",
"6Server-CloudEngine:oz-0:0.8.0-8.el6cf.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2012-6117"
},
{
"category": "external",
"summary": "RHBZ#906201",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=906201"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2012-6117",
"url": "https://www.cve.org/CVERecord?id=CVE-2012-6117"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2012-6117",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2012-6117"
}
],
"release_date": "2012-11-01T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2013-02-21T18:53:00+00:00",
"details": "Before applying this update, make sure all previously-released errata\nrelevant to your system have been applied.\n\nThis update is available via the Red Hat Network. Details on how to\nuse the Red Hat Network to apply this update are available at\nhttps://access.redhat.com/knowledge/articles/11258",
"product_ids": [
"6Server-CloudEngine:aeolus-all-0:0.13.26-1.el6cf.noarch",
"6Server-CloudEngine:aeolus-conductor-0:0.13.26-1.el6cf.noarch",
"6Server-CloudEngine:aeolus-conductor-0:0.13.26-1.el6cf.src",
"6Server-CloudEngine:aeolus-conductor-daemons-0:0.13.26-1.el6cf.noarch",
"6Server-CloudEngine:aeolus-conductor-devel-0:0.13.26-1.el6cf.noarch",
"6Server-CloudEngine:aeolus-conductor-doc-0:0.13.26-1.el6cf.noarch",
"6Server-CloudEngine:aeolus-configserver-0:0.4.12-3.el6cf.noarch",
"6Server-CloudEngine:aeolus-configserver-0:0.4.12-3.el6cf.src",
"6Server-CloudEngine:imagefactory-0:1.0.3-1.el6cf.noarch",
"6Server-CloudEngine:imagefactory-0:1.0.3-1.el6cf.src",
"6Server-CloudEngine:imagefactory-jeosconf-ec2-fedora-0:1.0.3-1.el6cf.noarch",
"6Server-CloudEngine:imagefactory-jeosconf-ec2-rhel-0:1.0.3-1.el6cf.noarch",
"6Server-CloudEngine:oz-0:0.8.0-8.el6cf.noarch",
"6Server-CloudEngine:oz-0:0.8.0-8.el6cf.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2013:0545"
}
],
"scores": [
{
"cvss_v2": {
"accessComplexity": "LOW",
"accessVector": "LOCAL",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 2.1,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "NONE",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
"version": "2.0"
},
"products": [
"6Server-CloudEngine:aeolus-all-0:0.13.26-1.el6cf.noarch",
"6Server-CloudEngine:aeolus-conductor-0:0.13.26-1.el6cf.noarch",
"6Server-CloudEngine:aeolus-conductor-0:0.13.26-1.el6cf.src",
"6Server-CloudEngine:aeolus-conductor-daemons-0:0.13.26-1.el6cf.noarch",
"6Server-CloudEngine:aeolus-conductor-devel-0:0.13.26-1.el6cf.noarch",
"6Server-CloudEngine:aeolus-conductor-doc-0:0.13.26-1.el6cf.noarch",
"6Server-CloudEngine:aeolus-configserver-0:0.4.12-3.el6cf.noarch",
"6Server-CloudEngine:aeolus-configserver-0:0.4.12-3.el6cf.src",
"6Server-CloudEngine:imagefactory-0:1.0.3-1.el6cf.noarch",
"6Server-CloudEngine:imagefactory-0:1.0.3-1.el6cf.src",
"6Server-CloudEngine:imagefactory-jeosconf-ec2-fedora-0:1.0.3-1.el6cf.noarch",
"6Server-CloudEngine:imagefactory-jeosconf-ec2-rhel-0:1.0.3-1.el6cf.noarch",
"6Server-CloudEngine:oz-0:0.8.0-8.el6cf.noarch",
"6Server-CloudEngine:oz-0:0.8.0-8.el6cf.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "Configserver: Passwords from application blueprint stored plaintext in configserver.log"
},
{
"acknowledgments": [
{
"names": [
"Tomas Sedovic"
],
"organization": "Red Hat",
"summary": "This issue was discovered by Red Hat."
}
],
"cve": "CVE-2012-6118",
"discovery_date": "2012-12-07T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "906192"
}
],
"notes": [
{
"category": "description",
"text": "The Administer tab in Aeolus Conductor allows remote authenticated users to bypass intended quota restrictions by updating the Maximum Running Instances quota user setting.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "Conductor: Unprivileged user can change their own Maximum Running Instances quota",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"6Server-CloudEngine:aeolus-all-0:0.13.26-1.el6cf.noarch",
"6Server-CloudEngine:aeolus-conductor-0:0.13.26-1.el6cf.noarch",
"6Server-CloudEngine:aeolus-conductor-0:0.13.26-1.el6cf.src",
"6Server-CloudEngine:aeolus-conductor-daemons-0:0.13.26-1.el6cf.noarch",
"6Server-CloudEngine:aeolus-conductor-devel-0:0.13.26-1.el6cf.noarch",
"6Server-CloudEngine:aeolus-conductor-doc-0:0.13.26-1.el6cf.noarch",
"6Server-CloudEngine:aeolus-configserver-0:0.4.12-3.el6cf.noarch",
"6Server-CloudEngine:aeolus-configserver-0:0.4.12-3.el6cf.src",
"6Server-CloudEngine:imagefactory-0:1.0.3-1.el6cf.noarch",
"6Server-CloudEngine:imagefactory-0:1.0.3-1.el6cf.src",
"6Server-CloudEngine:imagefactory-jeosconf-ec2-fedora-0:1.0.3-1.el6cf.noarch",
"6Server-CloudEngine:imagefactory-jeosconf-ec2-rhel-0:1.0.3-1.el6cf.noarch",
"6Server-CloudEngine:oz-0:0.8.0-8.el6cf.noarch",
"6Server-CloudEngine:oz-0:0.8.0-8.el6cf.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2012-6118"
},
{
"category": "external",
"summary": "RHBZ#906192",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=906192"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2012-6118",
"url": "https://www.cve.org/CVERecord?id=CVE-2012-6118"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2012-6118",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2012-6118"
}
],
"release_date": "2013-02-21T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2013-02-21T18:53:00+00:00",
"details": "Before applying this update, make sure all previously-released errata\nrelevant to your system have been applied.\n\nThis update is available via the Red Hat Network. Details on how to\nuse the Red Hat Network to apply this update are available at\nhttps://access.redhat.com/knowledge/articles/11258",
"product_ids": [
"6Server-CloudEngine:aeolus-all-0:0.13.26-1.el6cf.noarch",
"6Server-CloudEngine:aeolus-conductor-0:0.13.26-1.el6cf.noarch",
"6Server-CloudEngine:aeolus-conductor-0:0.13.26-1.el6cf.src",
"6Server-CloudEngine:aeolus-conductor-daemons-0:0.13.26-1.el6cf.noarch",
"6Server-CloudEngine:aeolus-conductor-devel-0:0.13.26-1.el6cf.noarch",
"6Server-CloudEngine:aeolus-conductor-doc-0:0.13.26-1.el6cf.noarch",
"6Server-CloudEngine:aeolus-configserver-0:0.4.12-3.el6cf.noarch",
"6Server-CloudEngine:aeolus-configserver-0:0.4.12-3.el6cf.src",
"6Server-CloudEngine:imagefactory-0:1.0.3-1.el6cf.noarch",
"6Server-CloudEngine:imagefactory-0:1.0.3-1.el6cf.src",
"6Server-CloudEngine:imagefactory-jeosconf-ec2-fedora-0:1.0.3-1.el6cf.noarch",
"6Server-CloudEngine:imagefactory-jeosconf-ec2-rhel-0:1.0.3-1.el6cf.noarch",
"6Server-CloudEngine:oz-0:0.8.0-8.el6cf.noarch",
"6Server-CloudEngine:oz-0:0.8.0-8.el6cf.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2013:0545"
}
],
"scores": [
{
"cvss_v2": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "PARTIAL",
"baseScore": 5.5,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:P",
"version": "2.0"
},
"products": [
"6Server-CloudEngine:aeolus-all-0:0.13.26-1.el6cf.noarch",
"6Server-CloudEngine:aeolus-conductor-0:0.13.26-1.el6cf.noarch",
"6Server-CloudEngine:aeolus-conductor-0:0.13.26-1.el6cf.src",
"6Server-CloudEngine:aeolus-conductor-daemons-0:0.13.26-1.el6cf.noarch",
"6Server-CloudEngine:aeolus-conductor-devel-0:0.13.26-1.el6cf.noarch",
"6Server-CloudEngine:aeolus-conductor-doc-0:0.13.26-1.el6cf.noarch",
"6Server-CloudEngine:aeolus-configserver-0:0.4.12-3.el6cf.noarch",
"6Server-CloudEngine:aeolus-configserver-0:0.4.12-3.el6cf.src",
"6Server-CloudEngine:imagefactory-0:1.0.3-1.el6cf.noarch",
"6Server-CloudEngine:imagefactory-0:1.0.3-1.el6cf.src",
"6Server-CloudEngine:imagefactory-jeosconf-ec2-fedora-0:1.0.3-1.el6cf.noarch",
"6Server-CloudEngine:imagefactory-jeosconf-ec2-rhel-0:1.0.3-1.el6cf.noarch",
"6Server-CloudEngine:oz-0:0.8.0-8.el6cf.noarch",
"6Server-CloudEngine:oz-0:0.8.0-8.el6cf.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "Conductor: Unprivileged user can change their own Maximum Running Instances quota"
}
]
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…