- Vulnerability/
- RHSA-2013:1263
RHSA-2013:1263: Moderate: Red Hat Storage Console 2.1 security update
First published: Mon Sep 16 2013(Updated: )
Red Hat Storage Console (RHS-C) is a powerful and simple web based<br>Graphical User Interface for managing a Red Hat Storage 2.1 environment.<br>This feature is provided as a Technology Preview, and is currently not<br>supported under Red Hat Storage subscription services. Refer to the<br>following for more information about Technology Previews:<br><a href="https://access.redhat.com/support/offerings/techpreview/" target="_blank">https://access.redhat.com/support/offerings/techpreview/</a> It was found that RESTEasy was vulnerable to XML External Entity (XXE)<br>attacks. If a remote attacker who is able to access the Red Hat Storage<br>Console REST API submitted a request containing an external XML entity<br>to a RESTEasy endpoint, the entity would be resolved, allowing the<br>attacker to read files accessible to the user running the application<br>server. This flaw affected DOM (Document Object Model) Document and JAXB<br>(Java Architecture for XML Binding) input. (CVE-2012-0818)<br>This update also fixes the following bugs:<br><li> A new server could not be added to a cluster if the required packages</li> were not installed on the server. Now, the administrator can add a server<br>to a cluster which will automatically install the required packages, if<br>missing. (BZ#850431)<br><li> Previously, the rhs-log-collector tool did not collect GlusterFS related</li> logs. (BZ#855271)<br><li> Previously, it was not possible for rhsc-setup to complete successfully</li> on systems that have SELinux in disabled mode. (BZ#841342)<br><li> The 'Add Brick' button in the 'Add Bricks' pop up is now placed next to</li> the 'Brick Directory' field for a better UI experience. (BZ#863929)<br><li> The UUID of the volume was not visible. Now, a new field is added to the</li> 'Summary' sub-tab of the 'Volumes' tab to display the UUIDs. (BZ#887806)<br><li> The web console was not accessible after a server reboot. The setup</li> mechanism has been modified to ensure the web console is accessible after a<br>server reboot. (BZ#838284)<br>This update also adds the following enhancements:<br><li> Previously, to import an existing storage cluster into the Red Hat</li> Storage Console the hosts were added one by one. Now, a new feature has<br>been added that allows users to import an existing storage cluster. The new<br>Cluster Creation window has an option to import an existing storage<br>cluster. If IP_Address or the hostname and password of one of the hosts of<br>the cluster is entered, a list containing all the hosts of the cluster is<br>displayed and the same can be added to the Console. The volumes which are<br>part of the cluster also get imported. (BZ#850438)<br><li> The command line was required to enable a volume to use CIFS. Now, you</li> can enable or disable the export of a volume with the new 'CIFS' checkbox<br>in the 'Create Volume' window. (BZ#850452)<br><li> The new Red Hat Support plug-in for Red Hat Storage is a Technology</li> Preview feature that offers seamless, integrated access to the Red Hat<br>subscription services from the Red Hat Customer Portal. Subscribers who<br>install this plug-in can access these features:<br><li> Create, manage, and update the Red Hat support cases.</li> <li> Conveniently access exclusive Red Hat knowledge and solutions.</li> <li> Search error codes, messages, etc. and view related knowledge from the</li> Red Hat Customer Portal. (BZ#999245)<br><li> A new 'Event ID' column is added to the 'Events' table in the 'Advanced</li> View' of 'Events' tab which allows users to see the ID of each event in the<br>'Events' tab. (BZ#889942)<br><li> A new feature is added to manage and monitor the hooks on the Console. It</li> also reports changes in the hooks and checks for new hook scripts by<br>polling at regular intervals. (BZ#850483)<br><li> A new 'Optimize for Virt Store' option is added to optimize a volume to</li> use it as a virt store. The system sets the "virt" group option on the<br>volume and also the following two volume options:<br><li> storage.owner-uid=36</li> <li> storage.owner-gid=36</li> This option is available during volume creation and also for existing<br>volumes. (BZ#891493, BZ#891491)<br>All users of Red Hat Storage Server 2.1 are advised to upgrade to these<br>updated packages.<br>
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/otopi | <1.1.0-1.el6e | 1.1.0-1.el6e |
| redhat/ovirt-host-deploy | <1.1.0-1.el6e | 1.1.0-1.el6e |
| redhat/python-daemon | <1.5.2-1.el6 | 1.5.2-1.el6 |
| redhat/python-kitchen | <1.1.1-2.el6e | 1.1.1-2.el6e |
| redhat/python-lockfile | <0.8-5.el6 | 0.8-5.el6 |
| redhat/python-ply | <3.3-7.el6e | 3.3-7.el6e |
| redhat/redhat-access-plugin-storage | <2.1.0-0.el6 | 2.1.0-0.el6 |
| redhat/rhsc | <2.1.0-0.bb10.el6 | 2.1.0-0.bb10.el6 |
| redhat/rhsc-cli | <2.1.0.0-0.bb3a.el6 | 2.1.0.0-0.bb3a.el6 |
| redhat/rhsc-log-collector | <2.1-0.1.el6 | 2.1-0.1.el6 |
| redhat/rhsc-sdk | <2.1.0.0-0.bb3a.el6 | 2.1.0.0-0.bb3a.el6 |
| redhat/otopi-devel | <1.1.0-1.el6e | 1.1.0-1.el6e |
| redhat/otopi-java | <1.1.0-1.el6e | 1.1.0-1.el6e |
| redhat/otopi-repolib | <1.1.0-1.el6e | 1.1.0-1.el6e |
| redhat/ovirt-host-deploy-java | <1.1.0-1.el6e | 1.1.0-1.el6e |
| redhat/ovirt-host-deploy-repolib | <1.1.0-1.el6e | 1.1.0-1.el6e |
| redhat/python-daemon | <1.5.2-1.el6 | 1.5.2-1.el6 |
| redhat/python-lockfile | <0.8-5.el6 | 0.8-5.el6 |
| redhat/rhsc-backend | <2.1.0-0.bb10.el6 | 2.1.0-0.bb10.el6 |
| redhat/rhsc-dbscripts | <2.1.0-0.bb10.el6 | 2.1.0-0.bb10.el6 |
| redhat/rhsc-restapi | <2.1.0-0.bb10.el6 | 2.1.0-0.bb10.el6 |
| redhat/rhsc-setup | <2.1.0-0.bb10.el6 | 2.1.0-0.bb10.el6 |
| redhat/rhsc-tools | <2.1.0-0.bb10.el6 | 2.1.0-0.bb10.el6 |
| redhat/rhsc-webadmin-portal | <2.1.0-0.bb10.el6 | 2.1.0-0.bb10.el6 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=785631
- https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=855271
- https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=863929
- https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=887806
- https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=889942
- https://access.redhat.com/security/updates/classification/#moderate
- https://access.redhat.com/support/offerings/techpreview/
- https://access.redhat.com/errata/RHSA-2013:1263 (Advisory)
- collector/redhat-errata
- anchor-id/RHSA-2013:1263
- agent/title
- agent/references
- agent/severity
- agent/type
- agent/event
- agent/description
- agent/remedy
- agent/softwarecombine
- agent/first-publish-date
- agent/last-modified-date
- agent/tags
- package-manager/redhat