A flaw was found in the way the Satellite 6 server broker and capsule broker handled certificate-based authentication from content hosts. An attacker with privileged access on a content host could authenticate to a server or capsule broker and execute arbitrary commands.
Brian Bouterse of Red Hat reports:
Satellite 6 uses a single CA to generate sign all certs; that CA is trusted by
the Qpid brokers on the server, capsule, dispatch router, httpd, etc. By design,
content hosts only should connect to httpd and the dispatch router. A user with
root access to a content host has access to these certs and could authenticate
to the server broker or the capsule broker.
This issue was discovered by Brian Bouterse of Red Hat.