A flaw was discovered in Cumin where it would log broker authentication credentials to the Cumin log file. A vulnerability was reported in Red Hat Enterprise MRG Grid. A local user can access the broker password.
Red Hat Enterprise MRG v2 for Red Hat Enterprise Linux (version 5)
Red Hat Enterprise MRG Grid 2.0 security, bug fix and enhancement update.
A local user exploiting this flaw could connect to the broker outside of Cumin's control and perform certain operations such as scheduling jobs, setting attributes on jobs, as well as holding, releasing or removing jobs. Depending on the defined ACLs of the broker, the user could also manipulate message queues and perform other privileged operations.
Cumin writes broker authentication credentials to the Cumin log file. A local user can access the file to obtain the broker username and password.
A local user can access the broker username and password. This can be exploited to connect to the broker to schedule jobs, set attributes on jobs, hold, release, or remove jobs, manipulate message queues, and perform other privileged operations.
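An added audit example for the exposure described above (not Red Hat's or Cumin's code): it reports whether a log file is readable by group or other users and which lines carry broker credentials, without echoing the password. The `user/password@host` address format, the sample log lines and the temporary file path are assumptions constructed for illustration; the page does not give Cumin's log path or line format.

```python
import os
import re
import stat
import tempfile

# Assumption: credentials appear in a broker address written as
# [amqp://]user/password@host[:port]; the page does not show the log format.
BROKER_CRED = re.compile(
    r"(?:amqps?://)?([\w.-]+)/([^\s@/]+)@([\w.-]+(?::\d+)?)")


def audit_log(path):
    """Return (readable_by_others, findings) for one log file.

    findings holds (line_number, user, host) tuples; the password is
    matched but never returned, so the report is safe to store.
    """
    mode = os.stat(path).st_mode
    readable_by_others = bool(mode & (stat.S_IRGRP | stat.S_IROTH))
    findings = []
    with open(path, "r", errors="replace") as fh:
        for number, line in enumerate(fh, start=1):
            for match in BROKER_CRED.finditer(line):
                findings.append((number, match.group(1), match.group(3)))
    return readable_by_others, findings


def make_sample_log(mode=0o644):
    """Write constructed sample lines to a temp file and return its path."""
    lines = [
        "2011-06-01 12:00:00 INFO Starting web console\n",
        "2011-06-01 12:00:01 DEBUG Connecting to amqp://cumin/s3cret@localhost:5672\n",
        "2011-06-01 12:00:02 INFO Session opened\n",
    ]
    fd, path = tempfile.mkstemp(suffix=".log")
    with os.fdopen(fd, "w") as fh:
        fh.writelines(lines)
    os.chmod(path, mode)
    return path


if __name__ == "__main__":
    sample = make_sample_log()
    exposed, hits = audit_log(sample)
    print("readable by group/other:", exposed)
    for number, user, host in hits:
        print("line %d: credentials for %s@%s" % (number, user, host))
    os.remove(sample)
```

Any account reported by the audit should have its broker password rotated after the updated packages are installed, since earlier log files and their rotated copies may still hold the old value.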
Updated packages for Red Hat Enterprise Linux 5 provide numerous bug fixes and enhancements for the Grid component of MRG. Some of the most important enhancements include:
* Expanded support of EC2 features, including EBS and VPC.
* Improved negotiation performance.
* Reduced shadow memory usage.
* Integrated configuration and management experience, including real-time monitoring, diagnostics, and configuration templates.
Technical Notes for Red Hat Enterprise MRG