Vulnerability Name:

CVE-2011-4083 (CCN-71666)

Assigned: 2011-12-06
Published: 2011-12-06
Updated: 2014-02-19
Summary: The sosreport utility in the Red Hat sos package before 1.7-9 and 2.x before 2.2-17 includes (1) Certificate-based Red Hat Network private entitlement keys and the (2) private key for the entitlement in an archive of debugging information, which might allow remote attackers to obtain sensitive information by reading the archive.
CVSS v3 Severity: 5.3 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)
Exploitability Metrics: Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope: Scope (S): Unchanged
Impact Metrics: Confidentiality (C): Low
Integrity (I): None
Availability (A): None
CVSS v2 Severity: 4.3 Medium (CVSS v2 Vector: AV:N/AC:M/Au:N/C:P/I:N/A:N)
3.2 Low (Temporal CVSS v2 Vector: AV:N/AC:M/Au:N/C:P/I:N/A:N/E:U/RL:OF/RC:C)
Exploitability Metrics: Access Vector (AV): Network
Access Complexity (AC): Medium
Authentication (Au): None
Impact Metrics: Confidentiality (C): Partial
Integrity (I): None
Availability (A): None
5.0 Medium (CCN CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N)
3.7 Low (CCN Temporal CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N/E:U/RL:OF/RC:C)
Exploitability Metrics: Access Vector (AV): Network
Access Complexity (AC): Low
Authentication (Au): None
Impact Metrics: Confidentiality (C): Partial
Integrity (I): None
Availability (A): None
4.3 Medium (REDHAT CVSS v2 Vector: AV:N/AC:M/Au:N/C:P/I:N/A:N)
3.2 Low (REDHAT Temporal CVSS v2 Vector: AV:N/AC:M/Au:N/C:P/I:N/A:N/E:U/RL:OF/RC:C)
Exploitability Metrics: Access Vector (AV): Network
Access Complexity (AC): Medium
Authentication (Au): None
Impact Metrics: Confidentiality (C): Partial
Integrity (I): None
Availability (A): None
Vulnerability Type: CWE-310
Vulnerability Consequences: Obtain Information
References: Source: MITRE
Type: CNA
CVE-2011-4083

Source: CCN
Type: RHSA-2011-1536
Low: sos security, bug fix, and enhancement update

Source: REDHAT
Type: Vendor Advisory
RHSA-2011:1536

Source: CCN
Type: RHSA-2012-0153
Low: sos security, bug fix, and enhancement update

Source: REDHAT
Type: Vendor Advisory
RHSA-2012:0153

Source: CCN
Type: BID-50936
Red Hat Enterprise Linux Sos Private Information Disclosure Vulnerability

Source: CCN
Type: Red Hat Bugzilla Bug 749383
CVE-2011-4083 sos: sosreport is gathering certificate-based RHN entitlement private keys

Source: XF
Type: UNKNOWN
rhel-sosreport-info-disc(71666)

Vulnerable Configuration: Configuration 1:
  • cpe:/a:redhat:sos:2.2-3:*:*:*:*:*:*:*
  • OR cpe:/a:redhat:sos:2.2-6:*:*:*:*:*:*:*
  • OR cpe:/a:redhat:sos:2.2-7:*:*:*:*:*:*:*
  • OR cpe:/a:redhat:sos:2.2-8:*:*:*:*:*:*:*
  • OR cpe:/a:redhat:sos:2.2-9:*:*:*:*:*:*:*
  • OR cpe:/a:redhat:sos:2.2-10:*:*:*:*:*:*:*
  • OR cpe:/a:redhat:sos:2.2-11:*:*:*:*:*:*:*
  • OR cpe:/a:redhat:sos:2.2-14:*:*:*:*:*:*:*
  • OR cpe:/a:redhat:sos:2.2-15:*:*:*:*:*:*:*
  • OR cpe:/a:redhat:sos:2.2-16:*:*:*:*:*:*:*

  • Configuration 2:
  • cpe:/a:redhat:sos:1.6:*:*:*:*:*:*:*
  • OR cpe:/a:redhat:sos:1.7:*:*:*:*:*:*:*
  • OR cpe:/a:redhat:sos:*:*:*:*:*:*:*:* (Version <= 1.7-6)
  • OR cpe:/a:redhat:sos:1.7-8:*:*:*:*:*:*:*

  • Configuration RedHat 1:
  • cpe:/o:redhat:enterprise_linux:6:*:*:*:*:*:*:*

  • Configuration RedHat 2:
  • cpe:/o:redhat:enterprise_linux:6::client:*:*:*:*:*

  • Configuration RedHat 3:
  • cpe:/o:redhat:enterprise_linux:6::computenode:*:*:*:*:*

  • Configuration RedHat 4:
  • cpe:/o:redhat:enterprise_linux:6::server:*:*:*:*:*

  • Configuration RedHat 5:
  • cpe:/o:redhat:enterprise_linux:6::workstation:*:*:*:*:*

  • Configuration RedHat 6:
  • cpe:/o:redhat:enterprise_linux:5:*:*:*:*:*:*:*

  • Configuration RedHat 7:
  • cpe:/o:redhat:enterprise_linux:5::client:*:*:*:*:*

  • Configuration RedHat 8:
  • cpe:/o:redhat:enterprise_linux:5::server:*:*:*:*:*

  • Configuration CCN 1:
  • cpe:/o:redhat:enterprise_linux:6:*:server:*:*:*:*:*
  • OR cpe:/o:redhat:enterprise_linux:6:*:workstation:*:*:*:*:*
  • AND
  • cpe:/o:redhat:enterprise_linux:5:*:*:*:*:*:*:*
  • OR cpe:/o:redhat:enterprise_linux:5:*:client:*:*:*:*:*
  • OR cpe:/o:redhat:enterprise_linux_desktop:6:*:*:*:*:*:*:*
  • OR cpe:/o:redhat:enterprise_linux_hpc_node:6:*:*:*:*:*:*:*

  • * Denotes that component is vulnerable

Oval Definitions

| Definition ID | Class | Title | Last Modified |
| --- | --- | --- | --- |
| oval:org.mitre.oval:def:22918 | P | ELSA-2012:0153: sos security, bug fix, and enhancement update (Low) | 2014-07-21 |
| oval:org.mitre.oval:def:21308 | P | RHSA-2012:0153: sos security, bug fix, and enhancement update (Low) | 2014-06-30 |
| oval:org.mitre.oval:def:23283 | P | ELSA-2011:1536: sos security, bug fix, and enhancement update (Low) | 2014-05-26 |
| oval:org.mitre.oval:def:21889 | P | RHSA-2011:1536: sos security, bug fix, and enhancement update (Low) | 2014-02-24 |
| oval:com.redhat.rhsa:def:20120153 | P | RHSA-2012:0153: sos security, bug fix, and enhancement update (Low) | 2012-02-21 |
| oval:com.redhat.rhsa:def:20111536 | P | RHSA-2011:1536: sos security, bug fix, and enhancement update (Low) | 2011-12-06 |