Security Advisory Moderate: Red Hat Storage Console 2.1 security update

Advisory: RHSA-2013:1263-1
Type: Security Advisory
Severity: Moderate
Issued on: 2013-09-16
Last updated on: 2013-09-16
Affected Products: Red Hat Storage Management Console 2.1
CVEs: CVE-2012-0818


Updated Red Hat Storage Console packages that fix one security issue,
various bugs, and add enhancements are now available for Red Hat Storage
Server 2.1.

The Red Hat Security Response Team has rated this update as having moderate
security impact. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available from the CVE link in
the References section.

Red Hat Storage Console (RHS-C) is a powerful and simple web-based
Graphical User Interface for managing a Red Hat Storage 2.1 environment.
This feature is provided as a Technology Preview and is currently not
supported under Red Hat Storage subscription services. Refer to the
following for more information about Technology Previews:

It was found that RESTEasy was vulnerable to XML External Entity (XXE)
attacks. If a remote attacker who is able to access the Red Hat Storage
Console REST API submitted a request containing an external XML entity
to a RESTEasy endpoint, the entity would be resolved, allowing the
attacker to read files accessible to the user running the application
server. This flaw affected DOM (Document Object Model) Document and JAXB
(Java Architecture for XML Binding) input. (CVE-2012-0818)
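As an added illustration, not code from the advisory or from RESTEasy, of the weak and hardened parser configurations for the two input paths named above (DOM Document and JAXB). It assumes a JDK where javax.xml.bind is available (Java 8, or the JAXB API jar on the classpath), and the sample document and its entity path are constructed placeholders.

```java
import java.io.ByteArrayInputStream;
import java.io.StringReader;
import java.nio.charset.StandardCharsets;
import javax.xml.bind.JAXBContext;
import javax.xml.bind.Unmarshaller;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.stream.XMLInputFactory;
import javax.xml.stream.XMLStreamReader;
import org.w3c.dom.Document;
import org.xml.sax.SAXParseException;

public class XxeHardening {
    // Constructed request body: declares an external entity with a placeholder path.
    static final String SAMPLE =
        "<?xml version=\"1.0\"?>\n"
      + "<!DOCTYPE volume [<!ENTITY ext SYSTEM \"file:///placeholder/local-file\">]>\n"
      + "<volume><name>&ext;</name></volume>";

    // Weak: the default JAXP DOM builder resolves external entities, which is the
    // behaviour the advisory describes for DOM Document input.
    static Document parseUnsafe(String xml) throws Exception {
        return DocumentBuilderFactory.newInstance().newDocumentBuilder()
            .parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
    }

    // Hardened DOM path: refuse any DOCTYPE, and as defence in depth disable
    // external general/parameter entities, XInclude and entity expansion.
    static Document parseHardened(String xml) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        dbf.setXIncludeAware(false);
        dbf.setExpandEntityReferences(false);
        return dbf.newDocumentBuilder()
            .parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
    }

    // Hardened JAXB path: unmarshal through a StAX reader that does not support
    // DTDs or external entities, instead of letting JAXB build its own parser.
    static <T> T unmarshalHardened(String xml, Class<T> type) throws Exception {
        XMLInputFactory xif = XMLInputFactory.newFactory();
        xif.setProperty(XMLInputFactory.SUPPORT_DTD, false);
        xif.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false);
        XMLStreamReader reader = xif.createXMLStreamReader(new StringReader(xml));
        Unmarshaller um = JAXBContext.newInstance(type).createUnmarshaller();
        return type.cast(um.unmarshal(reader));
    }

    public static void main(String[] args) throws Exception {
        try { parseHardened(SAMPLE); System.out.println("unexpected: DOCTYPE accepted"); }
        catch (SAXParseException e) { System.out.println("rejected: " + e.getMessage()); }
    }
}
```

With the hardened DOM builder the sample is rejected at the DOCTYPE before any entity is resolved; the StAX reader used for JAXB raises an XMLStreamException at the same point.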

This update also fixes the following bugs:

* A new server could not be added to a cluster if the required packages
were not installed on the server. Now, the administrator can add a server
to a cluster which will automatically install the required packages, if
missing. (BZ#850431)

* Previously, the rhs-log-collector tool did not collect GlusterFS related
logs. (BZ#855271)

* Previously, it was not possible for rhsc-setup to complete successfully
on systems that have SELinux in disabled mode. (BZ#841342)

* The 'Add Brick' button in the 'Add Bricks' pop up is now placed next to
the 'Brick Directory' field for a better UI experience. (BZ#863929)

* The UUID of the volume was not visible. Now, a new field is added to the
'Summary' sub-tab of the 'Volumes' tab to display the UUIDs. (BZ#887806)

* The web console was not accessible after a server reboot. The setup
mechanism has been modified to ensure the web console is accessible after a
server reboot. (BZ#838284)

This update also adds the following enhancements:

* Previously, to import an existing storage cluster into the Red Hat
Storage Console, the hosts had to be added one by one. A new option in the
Cluster Creation window now allows an existing storage cluster to be
imported: entering the IP address or hostname and the password of any one
host in the cluster displays a list of all hosts in that cluster, which can
then be added to the Console. The volumes that are part of the cluster are
also imported. (BZ#850438)

* The command line was required to enable a volume to use CIFS. Now, you
can enable or disable the export of a volume with the new 'CIFS' checkbox
in the 'Create Volume' window. (BZ#850452)

* The new Red Hat Support plug-in for Red Hat Storage is a Technology
Preview feature that offers seamless, integrated access to the Red Hat
subscription services from the Red Hat Customer Portal. Subscribers who
install this plug-in can access these features:

- Create, manage, and update the Red Hat support cases.
- Conveniently access exclusive Red Hat knowledge and solutions.
- Search error codes, messages, etc. and view related knowledge from the
Red Hat Customer Portal. (BZ#999245)

* A new 'Event ID' column is added to the 'Events' table in the 'Advanced
View' of 'Events' tab which allows users to see the ID of each event in the
'Events' tab. (BZ#889942)

* A new feature is added to manage and monitor the hooks on the Console. It
also reports changes in the hooks and checks for new hook scripts by
polling at regular intervals. (BZ#850483)

* A new 'Optimize for Virt Store' option is added to optimize a volume to
use it as a virt store. The system sets the "virt" group option on the
volume and also the following two volume options:

- storage.owner-uid=36
- storage.owner-gid=36

This option is available during volume creation and also for existing
volumes. (BZ#891493, BZ#891491)

All users of Red Hat Storage Server 2.1 are advised to upgrade to these
updated packages.


Before applying this update, make sure all previously released errata
relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to
use the Red Hat Network to apply this update are available at

Updated packages

Red Hat Storage Management Console 2.1


Bugs fixed (see bugzilla for more information)

785631 - CVE-2011-5245 CVE-2012-0818 RESTEasy: XML eXternal Entity (XXE) flaw
855271 - Collecting support data from all storage nodes through RHSC
863929 - RFE: [RHEVM/RHSC] AddBrick button is currently positioned incorrectly creating confusion
887806 - [RHSC] RFE: Field to display Volume ID
889942 - [RHSC] RFE: Field to display code corresponding to each event in the Events tab


These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from:

The Red Hat security contact is More contact details at