Vulnerabilities > CVE-2014-0199 - Cryptographic Issues vulnerability in Redhat Rhevm-Reports
Attack vector
UNKNOWN Attack complexity
UNKNOWN Privileges required
UNKNOWN Confidentiality impact
UNKNOWN Integrity impact
UNKNOWN Availability impact
UNKNOWN Summary
The setup script in ovirt-engine-reports, as used in the Red Hat Enterprise Virtualization reports (rhevm-reports) package before 3.3.3, stores the reports database password in cleartext, which allows local users to obtain sensitive information by reading an unspecified file.
Vulnerable Configurations
Part | Description | Count |
---|---|---|
Application | 4 |
Common Weakness Enumeration (CWE)
Common Attack Pattern Enumeration and Classification (CAPEC)
- Signature Spoofing by Key Recreation An attacker obtains an authoritative or reputable signer's private signature key by exploiting a cryptographic weakness in the signature algorithm or pseudorandom number generation and then uses this key to forge signatures from the original signer to mislead a victim into performing actions that benefit the attacker.
Nessus
NASL family | Red Hat Local Security Checks |
NASL id | REDHAT-RHSA-2014-0558.NASL |
description | An updated rhevm-reports package that fixes three security issues and one bug is now available. The Red Hat Security Response Team has rated this update as having Low security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. The Red Hat Enterprise Virtualization reports package provides a suite of pre-configured reports and dashboards that enable you to monitor the system. The reports module is based on JasperReports and JasperServer, and can also be used to create ad-hoc reports. It was found that the ovirt-engine-reports setup script logged the reports database password in plain text to a world-readable file. An attacker with a local user account on the Red Hat Enterprise Virtualization Manager server could use this flaw to access, read, and modify the reports database. (CVE-2014-0199) Note: Applying the update provided by this advisory does not modify any existing log files. It is recommended that you search your existing log files and remove any occurrences of plain text passwords manually. It was found that the Red Hat Enterprise Virtualization Manager reports datasource configuration file (js-jboss7-ds.xml) was world-readable. An attacker with a local user account on the Red Hat Enterprise Virtualization Manager server could use this flaw to access, read, and modify the reports database. (CVE-2014-0200) It was found that multiple ovirt-engine-reports configuration files were world-readable. An attacker with a local user account on the Red Hat Enterprise Virtualization Manager server could use this flaw to access a variety of potentially sensitive information. (CVE-2014-0201) These issues were discovered by Red Hat. This update also fixes the following bug : * Previously, rhevm-reports-setup failed if the default spacing of the pg_hba.conf file was manually modified. Now, the command does not check exact spacing in the file, and setup completes successfully. (BZ#1085374) All rhevm-reports users are advised to upgrade to this updated package, which corrects these issues. |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 79022 |
published | 2014-11-08 |
reporter | This script is Copyright (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof. |
source | https://www.tenable.com/plugins/nessus/79022 |
title | RHEL 6 : rhevm-reports 3.3.3 (RHSA-2014:0558) |
code |
|
Redhat
advisories |
| ||||
rpms | rhevm-reports-0:3.3.3-1.el6ev |