First published: Tue Dec 17 2013
Red Hat Enterprise MRG (Messaging, Realtime, and Grid) is a next-generation IT infrastructure for enterprise computing. MRG offers increased performance, reliability, interoperability, and faster computing for enterprise customers.

MRG Grid provides high-throughput computing and enables enterprises to achieve higher peak computing capacity as well as improved infrastructure utilization by leveraging their existing technology to build high performance grids. MRG Grid provides a job-queueing mechanism, scheduling policy, and a priority scheme, as well as resource monitoring and resource management. Users submit their jobs to MRG Grid, where they are placed into a queue. MRG Grid then chooses when and where to run the jobs based upon a policy, carefully monitors their progress, and ultimately informs the user upon completion.

It was found that, when using RubyGems, a connection could be redirected from HTTPS to HTTP. A user could believe they were installing a gem over HTTPS while the connection had been silently downgraded to plain HTTP, which provides no integrity protection for the download. (CVE-2012-2125)

It was found that RubyGems did not verify SSL certificates on HTTPS connections. This could allow man-in-the-middle attacks against gem downloads. (CVE-2012-2126)

It was discovered that the RubyGems API validated version strings using an unsafe regular expression. An application making use of this API to process a version string from an untrusted source could be vulnerable to a denial of service through CPU exhaustion caused by catastrophic regular-expression backtracking. (CVE-2013-4287)

A flaw was found in the way cumin enforced user roles, allowing an unprivileged cumin user to access a range of resources without having the appropriate role. A remote, authenticated attacker could use this flaw to access privileged information and perform a variety of privileged operations. (CVE-2013-4404)

It was found that multiple forms in the cumin web interface did not protect against Cross-Site Request Forgery (CSRF) attacks. If a remote attacker could trick a user who is logged into the cumin web interface into visiting a specially crafted URL, the attacker could perform actions in the context of the logged-in user. (CVE-2013-4405)

It was found that cumin did not properly escape input from the "Max allowance" field in the "Set limit" form of the cumin web interface. A remote attacker could use this flaw to perform cross-site scripting (XSS) attacks against victims by tricking them into visiting a specially crafted URL. (CVE-2013-4414)

A flaw was found in the way cumin parsed POST request data. A remote attacker could potentially use this flaw to perform SQL injection attacks on cumin's database. (CVE-2013-4461)

Red Hat would like to thank RubyGems upstream for reporting CVE-2013-4287. Upstream acknowledges Damir Sharipov as the original reporter of CVE-2013-4287. The CVE-2013-4404, CVE-2013-4405, CVE-2013-4414, and CVE-2013-4461 issues were discovered by Tomáš Nováčik of the Red Hat MRG Quality Engineering team.

All users of the Grid capabilities of Red Hat Enterprise MRG are advised to upgrade to these updated packages, which correct these issues.
Affected Software | Affected Version | How to fix
---|---|---
redhat/cumin | <0.1.5787-4.el6 | Upgrade to 0.1.5787-4.el6
redhat/rubygems | <1.8.23.2-1.el6 | Upgrade to 1.8.23.2-1.el6