Rapid7 Vulnerability & Exploit Database

RHSA-2012:0151: conga security, bug fix, and enhancement update


Severity: 4
CVSS: (AV:N/AC:M/Au:N/C:N/I:P/A:N)
Published: 06/06/2011
Created: 07/25/2018
Added: 02/21/2012
Modified: 07/04/2017

Description

The conga packages provide a web-based administration tool for remote cluster and storage management.

Multiple cross-site scripting (XSS) flaws were found in luci, the conga web-based administration application. If a remote attacker could trick a user, who was logged into the luci interface, into visiting a specially-crafted URL, it would lead to arbitrary web script execution in the context of the user's luci session. (CVE-2010-1104, CVE-2011-1948)

These updated conga packages include several bug fixes and an enhancement. Space precludes documenting all of these changes in this advisory. Users are directed to the Red Hat Enterprise Linux 5.8 Technical Notes, linked to in the References, for information on the most significant of these changes.

Users of conga are advised to upgrade to these updated packages, which correct these issues and add this enhancement. After installing the updated packages, luci must be restarted ("service luci restart") for the update to take effect.

Solution(s)

  • redhat-upgrade-conga-debuginfo
  • redhat-upgrade-luci
  • redhat-upgrade-ricci
