[RHSA-2010:0613-01] Moderate: Red Hat Enterprise Virtualization Manager security update

bugzilla at redhat.com
Thu Aug 19 22:13:01 UTC 2010


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: Red Hat Enterprise Virtualization Manager security update
Advisory ID:       RHSA-2010:0613-01
Product:           Red Hat Enterprise Virtualization
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2010-0613.html
Issue date:        2010-08-19
CVE Names:         CVE-2009-3552 
=====================================================================

1. Summary:

Red Hat Enterprise Virtualization Manager 2.2.2 is now available for Red
Hat Enterprise Virtualization.

The Red Hat Security Response Team has rated this update as having moderate
security impact. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available from the CVE link in
the References section.

2. Description:

Red Hat Enterprise Virtualization Manager is a visual tool for centrally
managing collections of virtual servers running Red Hat Enterprise Linux
and Microsoft Windows. This package also includes the Red Hat Enterprise
Virtualization Manager API, a set of scriptable commands that give
administrators the ability to perform queries and operations on Red Hat
Enterprise Virtualization Manager.

It was found that the SSL certificate was not verified when using the
client-side Red Hat Enterprise Virtualization Manager interface (a Windows
Presentation Foundation (WPF) XAML browser application) to connect to the
Red Hat Enterprise Virtualization Manager. An attacker on the local network
could use this flaw to conduct a man-in-the-middle attack, tricking the
user into thinking they are viewing the Red Hat Enterprise Virtualization
Manager when the content is actually attacker-controlled, or modifying
actions a user requested Red Hat Enterprise Virtualization Manager to
perform. (CVE-2009-3552)
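
As an added illustration (not code from Red Hat or from the RHEV-M product itself), the C# sketch below shows the class of defect described above: a .NET client whose certificate validation callback accepts any server certificate, beside one that keeps the platform's default checks (trusted root, hostname match, validity period) and additionally requires the chain to end at the manager CA installed on the client. The portal URL, hostname and CA thumbprint are placeholders, and the callback hook used (ServicePointManager.ServerCertificateValidationCallback) is the standard .NET API, not necessarily where the original flaw lived.

```csharp
// Added illustration, not Red Hat's code: the defect class behind CVE-2009-3552
// (a client that skips server certificate verification) next to a hardened
// validator. All hostnames, URLs and thumbprints below are placeholders.
using System;
using System.IO;
using System.Net;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;

static class RhevmClientTls
{
    // VULNERABLE: accepting every certificate means any host on the network path
    // can present its own certificate for the manager's name and the client
    // will happily talk to it, which is exactly the man-in-the-middle scenario.
    static bool AcceptAnyCertificate(object sender, X509Certificate cert,
                                     X509Chain chain, SslPolicyErrors errors)
    {
        return true; // do not do this
    }

    // Placeholder: SHA-1 thumbprint of the RHEV-M CA certificate installed in
    // step 2 of the advisory, as shown by the Windows certificate store.
    const string ExpectedCaThumbprint = "0000000000000000000000000000000000000000";

    // HARDENED: reject anything the platform already flags, then pin the root so
    // that only certificates issued under the manager CA are accepted.
    static bool RequireManagerCa(object sender, X509Certificate cert,
                                 X509Chain chain, SslPolicyErrors errors)
    {
        if (errors != SslPolicyErrors.None)
            return false; // untrusted root, name mismatch or expired: refuse

        // The last element of a successfully built chain is the trusted root.
        X509Certificate2 root =
            chain.ChainElements[chain.ChainElements.Count - 1].Certificate;
        return string.Equals(root.Thumbprint, ExpectedCaThumbprint,
                             StringComparison.OrdinalIgnoreCase);
    }

    static string FetchPortal(string url, RemoteCertificateValidationCallback validator)
    {
        // Process-wide hook; on .NET 3.x-era stacks this is where a client either
        // disables validation (AcceptAnyCertificate) or tightens it.
        ServicePointManager.ServerCertificateValidationCallback = validator;
        HttpWebRequest request = (HttpWebRequest)WebRequest.Create(url);
        using (WebResponse response = request.GetResponse())
        using (StreamReader reader = new StreamReader(response.GetResponseStream()))
        {
            return reader.ReadToEnd();
        }
    }

    static void Main()
    {
        const string portal = "https://rhevm.example.test/RHEVmanager"; // placeholder
        // FetchPortal(portal, AcceptAnyCertificate);  // pre-fix behaviour: never fails
        try
        {
            FetchPortal(portal, RequireManagerCa);
            Console.WriteLine("connected to a server vouched for by the manager CA");
        }
        catch (WebException e)
        {
            // A rejected certificate surfaces here instead of a silent connection.
            Console.WriteLine("refused: " + e.Message);
        }
    }
}
```

The defender-side check is the `errors != SslPolicyErrors.None` line: once that is in place, a certificate for the wrong name or from an untrusted issuer fails closed, and the thumbprint pin narrows trust further to the one CA the client was told to install.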

Note: As part of the fix for CVE-2009-3552, this update changes the way the
client-side Red Hat Enterprise Virtualization Manager interface
communicates with the Red Hat Enterprise Virtualization Manager. After
installing this update, the following steps must be performed when using
HTTPS (that is, browsing to "https://localhost/RHEVmanager" or using the
new "RHEVManager SSL" shortcut):

1) If you have previously browsed to the administrator portal using HTTP,
you must remove the "RHEVManager/" cookie from Internet Explorer. After
removing this cookie, restart Internet Explorer.

2) Navigate to "https://localhost/RHEVmanager". You will be prompted to
install the Red Hat Enterprise Virtualization Manager CA (Certificate
Authority) certificate. Once installed, restart Internet Explorer.

It is recommended that you use the "https://" link or the "RHEVManager SSL"
shortcut to connect to the administrator portal, and no longer use the
"http://" link.

This updated Red Hat Enterprise Virtualization Manager package also fixes
several bugs. Documentation for these bug fixes will be available shortly
from
http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Virtualization_for_Servers/2.2/html/Technical_Notes/index.html

All Red Hat Enterprise Virtualization Manager users are advised to install
this updated package, which corrects this issue and fixes the bugs noted
in the Technical Notes document, linked to in the References.

3. Solution:

Before applying this update, make sure all previously-released errata
relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to
use the Red Hat Network to apply this update are available at
http://kbase.redhat.com/faq/docs/DOC-11259

4. Bugs fixed (http://bugzilla.redhat.com/):

528890 - CVE-2009-3552 RHEV-M VDC - GUI: Man in the middle attack possible on the GUI to Backend SSL connection

5. References:

https://www.redhat.com/security/data/cve/CVE-2009-3552.html
http://www.redhat.com/security/updates/classification/#moderate
http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Virtualization_for_Servers/2.2/html/Technical_Notes/index.html

6. Contact:

The Red Hat security contact is <secalert at redhat.com>.  More contact
details at https://www.redhat.com/security/team/contact/

Copyright 2010 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFMbawiXlSAg2UNWIIRAtREAKCxzXV5gAuoyYG6tWrzwFT/WW9lYQCgmHxz
XVwuY/HfnBUYqlVbbpHJ9VU=
=3n2Z
-----END PGP SIGNATURE-----

More information about the rhev-watch-list mailing list