PT-2019-2573 · Red Hat · Red Hat Satellite Capsule
Laura Pardo · Published 2019-04-09 · Updated 2020-10-15
CVE-2019-3845
CVSS v3.1: 8.0 (High)
Vector: AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
Red Hat Satellite versions prior to 6.2
Red Hat Satellite 6.1 optional
Red Hat Satellite Capsule 6.1
Description
A lack of access control was found in the message queues maintained by Satellite's QPID broker, which can be exploited by a malicious user authenticated to a host registered to Satellite or Capsule. This flaw allows access to QMF methods on any host registered to Satellite or Capsule, enabling the execution of privileged commands.
Recommendations
For Red Hat Satellite versions prior to 6.2, update to version 6.2 or later to resolve the issue.
For Red Hat Satellite 6.1 optional, consider applying additional access controls to the QPID broker until an update to a fixed version is available.
For Red Hat Satellite Capsule 6.1, restrict access to QMF methods until a patch or update is applied.
As a temporary workaround, consider disabling access to the QPID broker's message queues for untrusted hosts until a fix is available.
Weakness Enumeration
Improper Access Control
Related Identifiers
CVE-2019-3845
Affected Products
Qpid
Red Hat Satellite
Red Hat Satellite Capsule