PT-2013-1196 · Red Hat · Subscription-Manager-Gui+5
Florian Weimer
Published 2013-05-06 · Updated 2017-08-29
CVE-2012-6137
CVSS v2.0: 4.3 (Medium)
Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N
Name of the Vulnerable Software and Affected Versions
Red Hat Enterprise Linux subscription-manager versions 1.0.24.1 through 1.1.23.1
Red Hat Enterprise Linux subscription-manager-debuginfo versions 1.0.24.1 through 1.1.23.1
Red Hat Enterprise Linux subscription-manager-gui versions 1.0.24.1 through 1.1.23.1
Red Hat Enterprise Linux subscription-manager-migration versions 1.0.24.1 through 1.1.23.1
Red Hat Enterprise Linux subscription-manager-firstboot versions 1.0.24.1 through 1.1.23.1
Description
The issue is in the rhn-migrate-classic-to-rhsm tool of Red Hat subscription-manager, which does not verify the Red Hat Network Classic server's X.509 certificate when migrating a system to the certificate-based Red Hat Network. A remote man-in-the-middle attacker who can impersonate the server can therefore obtain sensitive information, such as user credentials. The issue is exploitable remotely and compromises the integrity of protected information.
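The weakness described above is a TLS client that encrypts the connection but never authenticates the peer. The following added example (not code from the advisory or from subscription-manager) contrasts that configuration with a verifying one in Python, the language the migration tool is written in, and includes the audit check a reviewer would apply to a client's SSL context. The hostname, URL path and function names are constructed placeholders.

```python
"""Added example: weak vs. verifying TLS configuration for an XML-RPC client.

CVE-2012-6137: rhn-migrate-classic-to-rhsm did not verify the RHN Classic
server's X.509 certificate, so an on-path party could pose as the server and
collect the credentials sent to it. build_unverified_context() models that
weak setting, build_verified_context() the corrected one, and audit_context()
reports why a context would accept an impersonating server.
All names here are hypothetical, not subscription-manager's own API.
"""
import ssl
import xmlrpc.client
from typing import List, Optional

RHN_HOSTNAME = "rhn.example.invalid"  # constructed placeholder, not a real server


def build_unverified_context() -> ssl.SSLContext:
    """The vulnerable pattern: TLS for confidentiality on the wire, but no
    certificate or hostname check, so the peer is never authenticated."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def build_verified_context(cafile: Optional[str] = None) -> ssl.SSLContext:
    """The corrected pattern: require a certificate chaining to a trusted CA
    (system store, or the CA bundle shipped for the server) and check that
    the certificate names the host that was dialled."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def audit_context(ctx: ssl.SSLContext) -> List[str]:
    """Return the reasons a context would accept an impersonating server
    (empty list means the peer is authenticated)."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("verify_mode is not CERT_REQUIRED: any certificate is accepted")
    if not ctx.check_hostname:
        findings.append("check_hostname is False: a valid cert for another host is accepted")
    return findings


def rhn_proxy(ctx: ssl.SSLContext) -> xmlrpc.client.ServerProxy:
    """XML-RPC client for the classic server under the given TLS policy.
    Constructing the proxy does not open a connection."""
    return xmlrpc.client.ServerProxy(f"https://{RHN_HOSTNAME}/rpc/api", context=ctx)


if __name__ == "__main__":
    for name, ctx in (("unverified", build_unverified_context()),
                      ("verified", build_verified_context())):
        print(name, audit_context(ctx) or ["ok: peer is authenticated"])
```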
Recommendations
For Red Hat Enterprise Linux versions 1.0.24.1 through 1.1.23.1 of the following packages, update the package to a version that includes the fix for this issue: subscription-manager, subscription-manager-debuginfo, subscription-manager-gui, subscription-manager-migration and subscription-manager-firstboot.
As a temporary workaround, consider disabling the rhn-migrate-classic-to-rhsm tool until a patch is available.
Affected Products
Red Hat
Subscription-Manager
Subscription-Manager-Debuginfo
Subscription-Manager-Firstboot
Subscription-Manager-Gui
Subscription-Manager-Migration