exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

Red Hat Security Advisory 2017-2674-01

Red Hat Security Advisory 2017-2674-01
Posted Sep 18, 2017
Authored by Red Hat | Site access.redhat.com

Red Hat Security Advisory 2017-2674-01 - Red Hat Mobile Application Platform 4.5 is delivered as a set of Docker-formatted container images.

tags | advisory
systems | linux, redhat
advisories | CVE-2017-1000117, CVE-2017-7552, CVE-2017-7553, CVE-2017-7554
SHA-256 | aa218b6f6c10015ca84e076a9a181086eca3ff4ebef126b5653ecfb133a0b658

Red Hat Security Advisory 2017-2674-01

Change Mirror Download
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
Red Hat Security Advisory

Synopsis: Important: Red Hat Mobile Application Platform security update
Advisory ID: RHSA-2017:2674-01
Product: Red Hat Mobile Application Platform
Advisory URL: https://access.redhat.com/errata/RHSA-2017:2674
Issue date: 2017-09-18
CVE Names: CVE-2017-1000117 CVE-2017-7552 CVE-2017-7553
CVE-2017-7554
=====================================================================

1. Summary:

An update is now available for Red Hat Mobile Application Platform 4.5.

Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Mobile Application Platform 4.5 - noarch, x86_64

3. Description:

Red Hat Mobile Application Platform (RHMAP) 4.5 is delivered as a set of
Docker-formatted container images.

In addition to the images, several components are delivered as RPMs:

* OpenShift templates used to deploy an RHMAP Core and MBaaS

* The fh-system-dump-tool allows you to analyze all the projects running in
an OpenShift cluster and reports any problems discovered. For more
information, see the Operations Guide

The following RPMs are included in the RHMAP container images, and are
provided here only for completeness:

* The Nagios server, which is used to monitor the status of RHMAP
components, is installed inside the Nagios container image.

This release serves as an update for Red Hat Mobile Application Platform
4.4.3. It includes bug fixes and enhancements. Refer to the Red Hat Mobile
Application Platform 4.5.0 Release Notes for information about the most
significant bug fixes and enhancements included in this release.

Nagios is a program that monitors hosts and services on your network, and
has the ability to send email or page alerts when a problem arises or is
resolved.

Security Fix(es):

* A shell command injection flaw related to the handling of "ssh" URLs has
been discovered in Git. An attacker could use this flaw to execute shell
commands with the privileges of the user running the Git client, for
example, when performing a "clone" action on a malicious repository or a
legitimate repository containing a malicious commit. (CVE-2017-1000117)

* A flaw was discovered in the file editor of millicore which allows files
to be executed as well as created. An attacker could use this flaw to
compromise other users or teams projects stored in source control
management of the RHMAP Core installation. (CVE-2017-7552)

* The external_request api call in App Studio (millicore) allows server
side request forgery (SSRF). An attacker could use this flaw to probe the
network internal resources and access restricted endpoints. (CVE-2017-7553)

* A flaw was found where the App Studio component of RHMAP 4.4 executes
javascript provided by a user. An attacker could use this flaw to execute a
stored XSS attack on an application administrator using App Studio.
(CVE-2017-7554)

Red Hat would like to thank Tomas Rzepka for reporting CVE-2017-7552,
CVE-2017-7553 and CVE-2017-7554.

4. Solution:

The RPM packages provided by this update can be downloaded from the
RHMAP Downloads page: https://access.redhat.com/downloads/content/316/

5. Bugs fixed (https://bugzilla.redhat.com/):

1477797 - CVE-2017-7552 RHMAP Millicore IDE allows RCE on SCM
1478770 - CVE-2017-7554 RHMAP: Stored XSS in App Store
1478792 - CVE-2017-7553 RHMAP: SSRF via external_request feature of App Studio
1480386 - CVE-2017-1000117 git: Command injection via malicious ssh URLs

6. JIRA issues fixed (https://issues.jboss.org/):

RHMAP-16510 - Productization: Create productized version of rpm containing openshift templates

7. Package List:

Red Hat Mobile Application Platform 4.5:

Source:
fh-system-dump-tool-1.0.0-5.el7.src.rpm
fping-3.10-4.el7map.src.rpm
nagios-4.0.8-8.el7map.src.rpm
nagios-plugins-2.0.3-3.el7map.src.rpm
perl-Crypt-CBC-2.33-2.el7map.src.rpm
perl-Crypt-DES-2.05-20.el7map.src.rpm
perl-Net-SNMP-6.0.1-7.el7map.src.rpm
phantomjs-1.9.7-3.el7map.src.rpm
python-meld3-0.6.10-1.el7map.src.rpm
qstat-2.11-13.20080912svn311.el7map.src.rpm
radiusclient-ng-0.5.6-9.el7map.src.rpm
redis-2.8.21-2.el7map.src.rpm
rhmap-fh-openshift-templates-4.5.0-11.el7.src.rpm
rhmap-mod_authnz_external-3.3.1-7.el7map.src.rpm
sendEmail-1.56-2.el7.src.rpm
ssmtp-2.64-14.el7map.src.rpm
supervisor-3.1.3-3.el7map.src.rpm

noarch:
perl-Crypt-CBC-2.33-2.el7map.noarch.rpm
perl-Net-SNMP-6.0.1-7.el7map.noarch.rpm
rhmap-fh-openshift-templates-4.5.0-11.el7.noarch.rpm
sendEmail-1.56-2.el7.noarch.rpm
supervisor-3.1.3-3.el7map.noarch.rpm

x86_64:
fh-system-dump-tool-1.0.0-5.el7.x86_64.rpm
fping-3.10-4.el7map.x86_64.rpm
fping-debuginfo-3.10-4.el7map.x86_64.rpm
nagios-4.0.8-8.el7map.x86_64.rpm
nagios-common-4.0.8-8.el7map.x86_64.rpm
nagios-debuginfo-4.0.8-8.el7map.x86_64.rpm
nagios-devel-4.0.8-8.el7map.x86_64.rpm
nagios-plugins-2.0.3-3.el7map.x86_64.rpm
nagios-plugins-all-2.0.3-3.el7map.x86_64.rpm
nagios-plugins-apt-2.0.3-3.el7map.x86_64.rpm
nagios-plugins-breeze-2.0.3-3.el7map.x86_64.rpm
nagios-plugins-by_ssh-2.0.3-3.el7map.x86_64.rpm
nagios-plugins-cluster-2.0.3-3.el7map.x86_64.rpm
nagios-plugins-dbi-2.0.3-3.el7map.x86_64.rpm
nagios-plugins-debuginfo-2.0.3-3.el7map.x86_64.rpm
nagios-plugins-dhcp-2.0.3-3.el7map.x86_64.rpm
nagios-plugins-dig-2.0.3-3.el7map.x86_64.rpm
nagios-plugins-disk-2.0.3-3.el7map.x86_64.rpm
nagios-plugins-disk_smb-2.0.3-3.el7map.x86_64.rpm
nagios-plugins-dns-2.0.3-3.el7map.x86_64.rpm
nagios-plugins-dummy-2.0.3-3.el7map.x86_64.rpm
nagios-plugins-file_age-2.0.3-3.el7map.x86_64.rpm
nagios-plugins-flexlm-2.0.3-3.el7map.x86_64.rpm
nagios-plugins-fping-2.0.3-3.el7map.x86_64.rpm
nagios-plugins-game-2.0.3-3.el7map.x86_64.rpm
nagios-plugins-hpjd-2.0.3-3.el7map.x86_64.rpm
nagios-plugins-http-2.0.3-3.el7map.x86_64.rpm
nagios-plugins-icmp-2.0.3-3.el7map.x86_64.rpm
nagios-plugins-ide_smart-2.0.3-3.el7map.x86_64.rpm
nagios-plugins-ifoperstatus-2.0.3-3.el7map.x86_64.rpm
nagios-plugins-ifstatus-2.0.3-3.el7map.x86_64.rpm
nagios-plugins-ircd-2.0.3-3.el7map.x86_64.rpm
nagios-plugins-ldap-2.0.3-3.el7map.x86_64.rpm
nagios-plugins-load-2.0.3-3.el7map.x86_64.rpm
nagios-plugins-log-2.0.3-3.el7map.x86_64.rpm
nagios-plugins-mailq-2.0.3-3.el7map.x86_64.rpm
nagios-plugins-mrtg-2.0.3-3.el7map.x86_64.rpm
nagios-plugins-mrtgtraf-2.0.3-3.el7map.x86_64.rpm
nagios-plugins-mysql-2.0.3-3.el7map.x86_64.rpm
nagios-plugins-nagios-2.0.3-3.el7map.x86_64.rpm
nagios-plugins-nt-2.0.3-3.el7map.x86_64.rpm
nagios-plugins-ntp-2.0.3-3.el7map.x86_64.rpm
nagios-plugins-ntp-perl-2.0.3-3.el7map.x86_64.rpm
nagios-plugins-nwstat-2.0.3-3.el7map.x86_64.rpm
nagios-plugins-oracle-2.0.3-3.el7map.x86_64.rpm
nagios-plugins-overcr-2.0.3-3.el7map.x86_64.rpm
nagios-plugins-perl-2.0.3-3.el7map.x86_64.rpm
nagios-plugins-pgsql-2.0.3-3.el7map.x86_64.rpm
nagios-plugins-ping-2.0.3-3.el7map.x86_64.rpm
nagios-plugins-procs-2.0.3-3.el7map.x86_64.rpm
nagios-plugins-radius-2.0.3-3.el7map.x86_64.rpm
nagios-plugins-real-2.0.3-3.el7map.x86_64.rpm
nagios-plugins-rpc-2.0.3-3.el7map.x86_64.rpm
nagios-plugins-sensors-2.0.3-3.el7map.x86_64.rpm
nagios-plugins-smtp-2.0.3-3.el7map.x86_64.rpm
nagios-plugins-snmp-2.0.3-3.el7map.x86_64.rpm
nagios-plugins-ssh-2.0.3-3.el7map.x86_64.rpm
nagios-plugins-swap-2.0.3-3.el7map.x86_64.rpm
nagios-plugins-tcp-2.0.3-3.el7map.x86_64.rpm
nagios-plugins-time-2.0.3-3.el7map.x86_64.rpm
nagios-plugins-ups-2.0.3-3.el7map.x86_64.rpm
nagios-plugins-uptime-2.0.3-3.el7map.x86_64.rpm
nagios-plugins-users-2.0.3-3.el7map.x86_64.rpm
nagios-plugins-wave-2.0.3-3.el7map.x86_64.rpm
perl-Crypt-DES-2.05-20.el7map.x86_64.rpm
perl-Crypt-DES-debuginfo-2.05-20.el7map.x86_64.rpm
phantomjs-1.9.7-3.el7map.x86_64.rpm
phantomjs-debuginfo-1.9.7-3.el7map.x86_64.rpm
python-meld3-0.6.10-1.el7map.x86_64.rpm
python-meld3-debuginfo-0.6.10-1.el7map.x86_64.rpm
qstat-2.11-13.20080912svn311.el7map.x86_64.rpm
qstat-debuginfo-2.11-13.20080912svn311.el7map.x86_64.rpm
radiusclient-ng-0.5.6-9.el7map.x86_64.rpm
radiusclient-ng-debuginfo-0.5.6-9.el7map.x86_64.rpm
radiusclient-ng-devel-0.5.6-9.el7map.x86_64.rpm
radiusclient-ng-utils-0.5.6-9.el7map.x86_64.rpm
redis-2.8.21-2.el7map.x86_64.rpm
redis-debuginfo-2.8.21-2.el7map.x86_64.rpm
rhmap-mod_authnz_external-3.3.1-7.el7map.x86_64.rpm
rhmap-mod_authnz_external-debuginfo-3.3.1-7.el7map.x86_64.rpm
ssmtp-2.64-14.el7map.x86_64.rpm
ssmtp-debuginfo-2.64-14.el7map.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

8. References:

https://access.redhat.com/security/cve/CVE-2017-1000117
https://access.redhat.com/security/cve/CVE-2017-7552
https://access.redhat.com/security/cve/CVE-2017-7553
https://access.redhat.com/security/cve/CVE-2017-7554
https://access.redhat.com/security/updates/classification/#important
https://access.redhat.com/documentation/en-US/red_hat_mobile_application_platform/4.5/html-single/4.5.0_release_notes/

9. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2017 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iD8DBQFZv4vDXlSAg2UNWIIRAvhdAJ0afexsTekPKk/naDTvMJjg4qS1sQCeNey5
1NZSLtvnw/AtaX5ggZy0qkw=
=nV0o
-----END PGP SIGNATURE-----

--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce
Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    42 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close