Executive Summary

Summary
Title: ipa security and bug fix update

Information
Name: RHSA-2020:0378
Vendor: RedHat
Severity (Vendor): N/A
First vendor Publication: 2020-02-04
Last vendor Modification: 2020-02-04
Revision: 01

Security-Database Scoring CVSS v3

CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Overall CVSS Score: 8.8
Base Score: 8.8
Environmental Score: 8.8
Impact Sub Score: 5.9
Temporal Score: 8.8
Exploitability Sub Score: 2.8

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged
Confidentiality Impact: High
Integrity Impact: High
Availability Impact: High

Security-Database Scoring CVSS v2

CVSS vector: (AV:N/AC:M/Au:N/C:P/I:P/A:P)
CVSS Base Score: 6.8
CVSS Impact Score: 6.4
CVSS Exploit Score: 8.6
Attack Range: Network
Attack Complexity: Medium
Authentication: None Required

Detail

Problem Description:

An update for ipa is now available for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

2. Relevant releases/architectures:

* Red Hat Enterprise Linux Client (v. 7) - noarch, x86_64
* Red Hat Enterprise Linux Client Optional (v. 7) - noarch, x86_64
* Red Hat Enterprise Linux ComputeNode (v. 7) - noarch, x86_64
* Red Hat Enterprise Linux ComputeNode Optional (v. 7) - noarch, x86_64
* Red Hat Enterprise Linux Server (v. 7) - noarch, ppc64, ppc64le, s390x, x86_64
* Red Hat Enterprise Linux Workstation (v. 7) - noarch, x86_64

3. Description:

Red Hat Identity Management (IdM) is a centralized authentication, identity management, and authorization solution for both traditional and cloud-based enterprise environments.

Security Fix(es):

* ipa: Denial of service in IPA server due to wrong use of ber_scanf() (CVE-2019-14867)

* ipa: Batch API logging user passwords to /var/log/httpd/error_log (CVE-2019-10195)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Bug Fix(es):

* Issue with adding multiple RHEL 7 IPA replica to RHEL 6 IPA master (BZ#1770728)

* User incorrectly added to negative cache when backend is reconnecting to IPA service / timed out: error code 32 'No such object' (BZ#1773953)

* After upgrade AD Trust Agents were removed from LDAP (BZ#1781153)

4. Solution:

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1726223 - CVE-2019-10195 ipa: Batch API logging user passwords to /var/log/httpd/error_log
1766920 - CVE-2019-14867 ipa: Denial of service in IPA server due to wrong use of ber_scanf()
1770728 - Issue with adding multiple RHEL 7 IPA replica to RHEL 6 IPA master [rhel-7.7.z]
1781153 - After upgrade AD Trust Agents were removed from LDAP [rhel-7.7.z]

Original Source

Url : https://rhn.redhat.com/errata/RHSA-2020-0378.html

CWE : Common Weakness Enumeration

%      Id       Name
33 %   CWE-532  Information Leak Through Log Files
33 %   CWE-400  Uncontrolled Resource Consumption ('Resource Exhaustion')
33 %   CWE-94   Failure to Control Generation of Code ('Code Injection')

CPE : Common Platform Enumeration

Type         Count
Application  35
Os           2

Alert History

Date                  Information
2020-05-23 13:03:45   Multiple Updates
2020-03-19 13:19:56   First insertion