
CERT-In Vulnerability Note CIVN-2009-10
Red Hat Certificate Server Information Disclosure vulnerabilities

Original Issue Date: January 20, 2009

Severity Rating: Low

Systems Affected

  • Red Hat Certificate Server 7.2

Overview

Two vulnerabilities have been identified in Red Hat Certificate Server 7.2 which could allow local users to disclose sensitive information.

Description

1. Insecure default file permissions local information disclosure vulnerability (CVE-2008-2367)

This vulnerability is caused by insecure default file permissions that Red Hat Certificate Server assigns to certain configuration files, such as password.conf. It could allow local users to read Red Hat Certificate System configuration files containing sensitive information.

2. Debug logs plain text password local information disclosure vulnerability (CVE-2008-2368)

This issue is caused by passwords being logged in clear text to certain debug log files that have insufficient file access permissions, such as the UserDirEnrollment log and the RA wizard installer log. It could allow local users to read passwords from Red Hat Certificate System debug log files.
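
Both issues come down to sensitive files that local users other than the owner can read. The shell check below is an added example, not part of this note or of Red Hat's advisory; the directory argument and the file-name patterns (password.conf, *.log, debug*) are assumptions, since the note gives no install paths.

```shell
# Added example, not from the advisory or from Red Hat.
# ASSUMPTIONS: the directory to audit is supplied by the caller (the note
# gives no install paths); the name patterns are constructed from the file
# kinds the note names (password.conf, debug and installer logs).
# Requires GNU find and stat, as shipped on Red Hat systems.

# list_exposed DIR
# Prints one line per matching file readable by group or other:
#   WORLD|GROUP <octal-mode> <path>
list_exposed() {
    dir=$1
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 2; }
    find "$dir" -type f \
        \( -name 'password.conf' -o -name '*.log' -o -name 'debug*' \) \
        \( -perm -040 -o -perm -004 \) -print |
    while IFS= read -r f; do
        mode=$(stat -c '%a' "$f") || continue
        # The last octal digit holds the "other" bits; 4 is the read bit.
        case $mode in
            *[4567]) scope=WORLD ;;
            *)       scope=GROUP ;;
        esac
        printf '%s %s %s\n' "$scope" "$mode" "$f"
    done
}

# audit DIR
# Prints the findings; returns 0 if clean, 1 if any file is exposed,
# 2 if DIR is not a directory.
audit() {
    findings=$(list_exposed "$1") || return 2
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}
```

Run it as `audit <instance-directory>`; a non-zero exit status means at least one matching file is readable beyond its owner.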

Solution

Apply the relevant updates as mentioned by Red Hat Network in advisory RHSA-2009-0006.

Vendor Information

Red Hat
http://rhn.redhat.com/errata/RHSA-2009-0006.html

References

BugZilla
http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=451998
http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=452000

Secunia
http://secunia.com/Advisories/33540

SecurityFocus
http://www.securityfocus.com/bid/33288

IBM ISS XForce
http://xforce.iss.net/xforce/xfdb/48021

SecurityTracker
http://www.securitytracker.com/alerts/2009/Jan/1021608.html

CVE Name
CVE-2008-2367
CVE-2008-2368

Disclaimer

The information provided herein is on an "as is" basis, without warranty of any kind.

Contact Information


Phone: +91-11-24368572

Postal address

Indian Computer Emergency Response Team (CERT-In)
Ministry of Communications and Information Technology
Electronics Niketan
6, C.G.O. Complex
New Delhi-110 003