RHSA-2015:0158: Important: Red Hat Enterprise Virtualization Manager 3.5.0

Red Hat Enterprise Virtualization Manager is a visual tool for centrallymanaging collections of virtual servers running Red Hat Enterprise Linuxand Microsoft Windows. This package also includes the Red Hat EnterpriseVirtualization Manager API, a set of scriptable commands that giveadministrators the ability to perform queries and operations on Red HatEnterprise Virtualization Manager.The Manager is a JBoss Application Server application that provides severalinterfaces through which the virtual environment can be accessed andinteracted with, including an Administration Portal, a User Portal, and aRepresentational State Transfer (REST) Application Programming Interface(API).It was discovered that the HttpClient incorrectly extracted the host namefrom an X.509 certificate subject's Common Name (CN) field.A man-in-the-middle attacker could use this flaw to spoof an SSL serverusing a specially crafted X.509 certificate. (CVE-2012-6153, CVE-2014-3577)A Cross-Site Request Forgery (CSRF) flaw was found in the oVirt REST API.A remote attacker could provide a specially crafted web page that, whenvisited by a user with a valid REST API session, would allow the attackerto trigger calls to the oVirt REST API. (CVE-2014-0151)It was found that the oVirt web admin interface did not include theHttpOnly flag when setting session IDs with the Set-Cookie header.This flaw could make it is easier for a remote attacker to hijack an oVirtweb admin session by leveraging a cross-site scripting (XSS) vulnerability.(CVE-2014-0154)The CVE-2012-6153 issue was discovered by Florian Weimer of Red HatProduct Security.These updated Red Hat Enterprise Virtualization Manager packages alsoinclude numerous bug fixes and various enhancements. Space precludesdocumenting all of these changes in this advisory. Users are directed tothe Red Hat Enterprise Virtualization 3.5 Manager Release Notes document,linked to in the References, for information on the most significant ofthese changes.All Red Hat Enterprise Virtualization Manager users are advised to upgradeto these updated packages, which resolve these issues and add theseenhancements.