
Red Hat Security Advisory 2017-0320-01

Posted Feb 28, 2017
Authored by Red Hat | Site access.redhat.com

Red Hat Security Advisory 2017-0320-01 - Red Hat CloudForms Management Engine delivers the insight, control, and automation needed to address the challenges of managing virtual environments. CloudForms Management Engine is built on Ruby on Rails, a model-view controller framework for web application development. Action Pack implements the controller and the view components. This update fixes various bugs and adds several enhancements.

tags | advisory, web, ruby
systems | linux, redhat
advisories | CVE-2017-2632
SHA-256 | 787ea92baef8fa0a037daaaf88fa476ae8adedcbe8b8af8356ef518f7b304ecc

=====================================================================
Red Hat Security Advisory

Synopsis: Moderate: CFME 5.7.1 bug fixes and enhancement update
Advisory ID: RHSA-2017:0320-01
Product: Red Hat CloudForms
Advisory URL: https://rhn.redhat.com/errata/RHSA-2017-0320.html
Issue date: 2017-02-27
Cross references: RHBA-2016:24540
CVE Names: CVE-2017-2632
=====================================================================

1. Summary:

Updated cfme packages that fix bugs and add various enhancements
are now available for Red Hat CloudForms 4.2.

2. Relevant releases/architectures:

CloudForms Management Engine 5.7 - x86_64

3. Description:

Red Hat CloudForms Management Engine delivers the insight, control, and
automation needed to address the challenges of managing virtual
environments. CloudForms Management Engine is built on Ruby on Rails, a
model-view controller (MVC) framework for web application development.
Action Pack implements the controller and the view components.

This update fixes various bugs and adds several enhancements. Documentation
for these changes is available in the Release Notes linked to in the
References section.

Security Fix(es):

* A logic error in valid_role() in CloudForms role validation could allow a
tenant administrator to create groups with a higher privilege level than
the tenant administrator should have. This would allow an attacker with
tenant administration access to elevate privileges. (CVE-2017-2632)
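As an added illustration of the class of check the security fix above concerns, not CloudForms' own code or its actual patch: a tenant-scoped group-role validation in Ruby. The role names, ranks, tenant tree, actors and group records are constructed; the lax variant stands in for a validation that only confirms a role exists, which is the kind of logic error that lets a tenant administrator request a role above their own, and the audit helper shows how a defender would review groups already created.

```ruby
# Constructed example, not CloudForms code. Higher rank = more privilege.
ROLE_RANK = {
  "user"                 => 1,
  "tenant_administrator" => 2,
  "administrator"        => 3,
  "super_administrator"  => 4,
}.freeze

Actor = Struct.new(:name, :role, :tenant, keyword_init: true)
Group = Struct.new(:name, :role, :tenant, :created_by, keyword_init: true)

# Lax check (constructed): only verifies that the requested role exists, so
# a tenant administrator can request "super_administrator" for a new group.
def valid_role_lax?(_creator, requested_role, _target_tenant)
  ROLE_RANK.key?(requested_role)
end

# tenant_tree maps child tenant => parent tenant (nil for the root).
# True when target_tenant is the creator's tenant or one of its descendants.
def in_scope?(creator_tenant, target_tenant, tenant_tree)
  t = target_tenant
  while t
    return true if t == creator_tenant
    t = tenant_tree[t]
  end
  false
end

# Hardened check: the requested role may not outrank the creator's own role,
# and the group must live inside the creator's tenant subtree unless the
# creator is a super administrator.
def valid_role?(creator, requested_role, target_tenant, tenant_tree)
  rank = ROLE_RANK[requested_role]
  return false if rank.nil?                        # unknown role name
  creator_rank = ROLE_RANK.fetch(creator.role)
  return false if rank > creator_rank              # no privilege escalation
  return true  if creator.role == "super_administrator"
  in_scope?(creator.tenant, target_tenant, tenant_tree)
end

# Defender-side audit over existing group records: returns the names of
# groups the hardened rule would have refused, i.e. groups that may have
# been created through a lax check before the fix was applied.
def audit_groups(groups, tenant_tree)
  groups.reject { |g| valid_role?(g.created_by, g.role, g.tenant, tenant_tree) }
        .map(&:name)
end

if __FILE__ == $0
  tenants = { "root" => nil, "acme" => "root", "acme-dev" => "acme", "globex" => "root" }
  alice = Actor.new(name: "alice", role: "tenant_administrator", tenant: "acme")
  puts "lax allows super_administrator: #{valid_role_lax?(alice, 'super_administrator', 'acme')}"
  puts "hardened allows it:             #{valid_role?(alice, 'super_administrator', 'acme', tenants)}"
end
```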

This issue was discovered by Matouš Mojžíš (Red Hat).

All CFME users are advised to upgrade to these updated packages, which
correct these issues and add these enhancements.

4. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1382768 - My Filters in datastores are not shown
1390729 - [Azure] - No LB icon/button in Network topology
1390731 - clicking on Unassigned Profiles Group from satellite provider
1391748 - [ja_JP] Translations are missing in 'Compute'-'Infrastructure' menu and its sub menu pages
1391750 - [ja_JP] Translation issues observed on cloud intelligence->Reports->reports page.
1391757 - [ALL LANG] Not fully localized on Clouds -> Providers page.
1394331 - Compare,Drift views missing in VM and drift comparison pages
1394339 - Missing "Items per Page" in Paginator with 5:4 or 4:3 screen ratio resolution
1394341 - Updating the default GTL view settings does not work for cloud key pair page
1394844 - Unexpected error when clicked on edit cloud provider after deleting cloud provider
1395304 - [RFE] Containers should have "My filters" and advanced search same way as other providers
1395839 - UX: Hovered redhat insights menu item text interferes to its arrow
1395840 - Service dialog editor drop down list Refresh problem
1395857 - OCP nodes showing as "not ready" in topology view but as "Ready" in Container Node view
1395898 - UI: 'Lifecycle' button is still alive, when no providers
1396222 - Middleware - Missing Alt on Add Datasource form buttons
1396238 - Middleware Provider - Timelines: JS Error and endless load
1396239 - Middleware - Support of MariaDB Datasource type
1396240 - Orchestration template : Unable to add Vapp Template
1396241 - [beta1] vm console icon not rendering correctly
1396243 - Spinning UI activity overlay stuck/infinite when using advanced search
1396575 - [ALL LANG] Middleware - Servers - Datasource - C&U screen has untranslated entries
1396576 - Some of the Power Operation strings are not getting extracted in the i18n gettext catalog for SUI
1396577 - when I scroll tables in provisioning dialog, table header is scrolled along with table contents
1396580 - Vmware Storage Profile is not shown in Provisioning Request
1397151 - [RFE] Unknown operating system for AWS instances
1397154 - tooltips for group of events in timelines don't look good
1397157 - date picker control appears under navigation bar in timelines view
1397158 - sometimes event text appears partially beyond the tooltip's bounds
1397159 - timelines control displaying current cursor position on timescale is annoying and unusable
1397248 - pods are named 'container groups' in the policy explorer right cell
1397416 - UI: Hover text is required for Help "(?)"
1397509 - many vm create/remove/stop/start Azure events are absent in timelines though present in DB
1397532 - [ja_JP] Need to change the strings on storage manager ->Monitoring -> Timelines -> Options for "Management Events" and "Policy Events"
1397874 - [ALL LANG] Compute-Container-Container nodes has untranslated entries
1399207 - vm.create_snapshot fails for rhev vm with undefined method `create_snapshot'
1399208 - [Multi-tenancy] - RFE - Disable renaming of Tenants created by tenant mapping
1399209 - Text does not appear when hovering over VMs & instances
1399211 - Infrastructure Topology legend buttons inaccuracy
1399214 - Cloud provider list view has bad region value
1399216 - giving access to view the quota of a tenant but not listing still allows a user to list all tenants
1399221 - [RFE] NFS41 storage type not supported for SmartState Analysis
1399669 - "Starting Date" in scheduled report is always next day; cannot be set to another day
1399677 - [RFE] Add settings key to disable console proxy
1399679 - [RFE] Launch an URL returned by an automate button
1400202 - [ALL LANG] Compute - Clouds - Instances - Instances by Provider has missing translations
1400204 - Filter out events from Azure Classic providers
1400212 - [Beta 1] lack of consistency in Custom Logo UI.. Check box and Yes/No Slide
1400303 - SSUI: My Request submenu needs translation when language is selected
1400616 - Power ops showing as available for an Archived vm.
1400704 - Documentation via SSUI opens up in the same SSUI window instead of a new tab/window
1401017 - Cloud Intel->Timelines->Events->Policy timelines(reports) have a really inobvious names
1401018 - VM reconfigure: submit is disabled, when memory new value is set after add disk
1401030 - [Amazon EC2][SDN] - Network provider not refreshed weirdness with tenancy
1401044 - Back, reload and configuration toolbar buttons are misplaced on Pxe page
1401103 - Unable to set retirement date for Stacks
1401935 - Heartbeat failure for workers is not reported as ERROR log line but INFO log line
1401956 - Sort providers table crash
1401957 - Unable to perform any actions on cloud objects from list view when navigated to cloud tenants
1402118 - appliance_console is unable to set time-zone for america/argentina "Failed to apply timezone configuration"
1402138 - [RFE] Default database name when setting up global replication subscriptions
1402139 - Automate Customization: When editing automate button, it doesn't remember previously saved button image and display field values.
1402162 - Subnet form needs to allow ipv4/ipv6 selection during create, and lock ipv4/ipv6 and CIRD during edit
1402524 - UI: Configuration -> Access Control - On User/Group/Role summary screens text is no longer a link
1402526 - Alert profiles assignments have container providers under cloud/infrastructure providers
1402527 - [Networks Topology] - LB Tags not shown in Topology
1402528 - Azure : Instance name restriction should be shown in UI when creating a catalog item for Azure
1402529 - No option to see next page in "services-->requests"
1403011 - C&U Configuration Screen does not display anything
1403019 - Azure instance disks not deleted
1403981 - Create snapshot has memory checkbox, even though VM is Down.
1403983 - After performing an upgrade, no role workers start on new appliances
1404316 - RHEV VM Reconfigure: Hot plug CPU & memory together, pass on CFME, though memory hot plug fail on 256 multiply
1404365 - Order Service drop-down for "App Name" no longer allows for search filter
1404427 - "audit log" is logged with "new_value" instead of actual data when new user is created.
1404431 - provisioning instance fail: FATAL -- : Error caught: [NoMethodError] undefined method `[]' for nil:NilClass
1404447 - Empty lists in Chrome
1404454 - VMware Auto Placement issue with insufficient space on Datastore
1404526 - Folder relationship change causing a re-classify of all children VMs
1404669 - Tenant cannot import datastore without datastore being locked
1404746 - Retirement state machine does not handle Ansible Tower services when part of a bundle
1404825 - Unable to trigger a smartstate scan from the clouds Instances view unlike infra vm view
1404827 - [RFE] CloudForms 4.1 unable to add Azure Gov Cloud Provider
1405193 - Unable to specify disk size in IE11 when adding additional disk
1405197 - When exporting reports into PDF only half of the data is displayed
1405200 - Can't create an alert
1405201 - VMs & Templates links point to Host & Clusters in the relationship accordion
1405640 - Subnet CRUD actions do not use task queue
1405641 - Network CRUD actions do not use task queue
1406160 - Floating IP/Security Group actions missing corresponding events
1406161 - Floating IP/Security Group Create Task Queues have reversed method names
1406163 - Unable to delete the subnets for azure,ec2 and gce providers
1406167 - Timelines not displayed on the Configuration->Diagnostics page
1406434 - Default validation for data type is not properly set when adding a new TextBox field
1406798 - event info tooltip appears only for first clicked event in timelines
1408278 - Add Access button group to Cloud Instance and move the HTML5 icon to it
1410516 - Impossible to login in SSUI due to ERROR on SSUI Dashboard
1410535 - Chargeback per time is limited to hourly
1410587 - [ALL LANG] Services - Workloads - Provision has untranslated tab names and labels
1410588 - Floating IP CRUD UI Missing
1410791 - "Selected Day Percent Utilization" graph is absent
1410817 - Remove 'execute method' checkbox from Automation Schedule UI
1410818 - Filter out all the host controllers (except the domain ctrl) when 'counting' how many domains there are
1410819 - Fixed associations for network_port and openstack network_port service models
1410828 - [RFE] Find Azure orchestration stack failure from its operations
1410831 - Wrong label in c3 chart click menu
1410844 - [RFE] Include log output in automation.log
1410845 - Can't remove retirement date
1410846 - We might not be purging all tables that we should be
1410851 - Expose custom_attribute methods to ext_management_system service model
1410927 - Retire Service screens returns to Request page rather than staying on the My Services page
1411350 - Middleware provider reports the incorrect name of the domain
1411351 - Make container node web console button match vm's
1411353 - some of timelines controls have wrong text style
1411357 - Setting relationship data for generic objects in automate does not work
1411358 - UI : Pinning the service menu shows "Red Hat Insights" menu
1411359 - launch_ansible_job doesn't support multiple Ansible Tower providers in CloudForms
1411362 - URLs might not be generated properly due to string conversion issue
1411364 - [RFE] Support container/infra/cloud provider policies in the UI
1411368 - Tag Visibility - Container builds should honor tag visibility
1411369 - [RFE] CAPABILITY_IAM error after IAM role assignment with amazon cloudFormation template
1411370 - Unexpected Error when attempting to run Compliance of Last Known Configuration
1411372 - [Ansible Tower] - Search bar missing when navigated to Config manager e.g. from Compute
1411373 - Service : Click on stack from service Page shows "Invalid Input"
1411433 - Cloud Instances List View Table missing cells/improper rendering
1411459 - Display parent tenant only when it is allowed by RBAC
1411461 - TimeLine accordion broken on Storage Managers summary page
1411463 - [Beta 1] OpenStack Cloud Topology View: Icons are different in the selection and the main body for Availability Zones:
1411466 - Allow adding custom attributes with sections
1411471 - [Beta 1] When graph is close to border, menu is not visible
1411473 - Expose miq_groups to Automate
1411478 - Metrics Collector Workers memory threshold displayed as 200MiB in the Web UI, however they exit at 500MiB threshold
1411507 - [RFE] better traceback for Ansible Tower API errors
1411509 - Can't save retirement date without notification
1411511 - Notifications - subject may not have tenant.
1411514 - "Show detailed events" checkbox of Timelines view removes main events from the timelines
1411516 - [negative] Deleting subnet connected to instance raise 'Unexpected error encountered '
1411517 - can't add cloud provider with the same name again
1411518 - Service catalog Item entry point dialog text is overcomplicated
1411519 - [RFE] Security Groups missing CRUD UI
1411791 - VM details cluster field vanish, after update VM to another cluster.
1411793 - Typo on Middleware JMS Topic chart(Messages) and legends are in mix of plural or singular form
1411797 - Throws an Unexpected error while comparing clusters
1411878 - appliance_console crash when running Logfile Configuration without setting up database first
1411880 - VM's owner can't access VMs if "Username" field contains uppercase letters
1411881 - policy events appear w/o information which entity those belong to in Timelines
1411882 - undefined method `[]' for nil:NilClass [dashboard/tl_generate] while accessing Cloud Intelligence->Timelines page
1411885 - Incorrect zoom out icon on C&U graphs
1411941 - [RFE] Chargebacks for SCVMM
1411973 - In the tree view subcategories should not be opened, because there is so big list then
1411975 - Missing flash message after Middleware "Add Datasource" operation and wizard not reset
1411982 - UI: Add new Cloud Volume must be disabled when there is no cloud provider present.
1412206 - Selecting a Group Causes UI to Spin Indefinitely
1412221 - Discrepancy in costs reported between daily and monthly Chargeback reports
1412279 - Database replication is failing for LVDC
1412280 - Manipulation of custom_custom attributes on provider class Provider fails
1412283 - Chargeback rates should also be available for "daily"
1412284 - VM console button superfluously warns it may fail
1412285 - $websocket_log level is not configurable
1412286 - 'Show Full screen report' option missing in Configuration button on Saved Reports page
1412287 - Relax email validation constraints
1412288 - Generate notification for VM Provisioning error in automate
1412289 - Generate notification for Service Provisioning error in automate
1412290 - Attach/detach for Cloud Volume fails with "unknown method get_checked_volume_id" error
1412291 - Namespace: Name uniqueness validation is not case-insensitive, like other Automate objects.
1412293 - SSUI: Hand pointer on service icon
1412312 - Refresh failed when adding an OSE provider
1412314 - Filters are sometimes saved with different name
1412315 - When saving filter sometimes errs Name has been taken even when there was no filter with same name
1412316 - Saving filter errs Search Name is required even when value is filled in
1412383 - [RFE] Add performance based reports for OSE/OCP providers
1412396 - Host Summary for VMs report failing
1412682 - Issue with fog-openstack 'update_quota.rb'
1412738 - Use proper name of column in tooltip in charts
1412740 - Add validation message for chart with values
1412825 - [RFE] google provider connection using http_proxy configured in CloudForms
1413086 - Incorrect tooltip message displayed on region diagnostics configuration button
1413103 - Service dialogs items(tabs/boxes/elements) can be saved even when it doesn't fulfill requirements
1413113 - Error in my settings after timeout
1413119 - Removing actions from VM Compliance Check event removes the event from the compliance policy
1413123 - Tenant admin can create a super admin
1413154 - Clarify the "dedicated database instance" prompt in the console
1413167 - Wrong zone set for appliances in global region
1413205 - In Dashboard view for infrastructure, Recent hosts and Recent VMs are not filtered by provider
1413207 - Error in changing the RSA Key of an OpenStack Director provider
1413210 - SSH RSA key validation fails with error for OpenStack Infra Provider
1413212 - [RFE] Routers do not allow you to add/remove interfaces
1413621 - Check compliance of last known configuration crash
1413677 - Network Router provisioning must call and use raw create method
1413695 - [beta1] Openstack attach volume should only list available volumes in the drop down
1413769 - The counter ae_state_retries is not incremented if $evm.root['ae_result'] = 'retry' is set in a state machine on_exit method
1414012 - Provider under catalog item visible for a user who don't to have a permission for viewing a provider
1414013 - [RFE] - Expose mechanism in AUTOMATE allowing coder to indicate that the automate retry should be targeted to the same machine initiating the retry
1414014 - A tag control element in a dialog called from a button is not passed to the button method
1414015 - "abandon changes" dialog appears on attempt to open another location via menu from timelines page
1414550 - "Delete" was removed from Power Action in VM Details Menu
1414583 - SSUI lets you save a retirement date from the past
1414848 - The chargeback report gives wrong information
1414870 - Created filters in Virtual Machines are not displayed in the tree until the page is refreshed
1414872 - Adding filter in Datastore Clusters results in missing tree view
1414876 - Created filters in datastores are not displayed until the page is refreshed
1414882 - podfying cfme: please add "less" command to initial application deployment
1414884 - net-tools RPM not available on CFME containers (podified or monolithic)
1414885 - OpenStack VM Console returns with an argument error
1414886 - Central Admin - Impossible to distinguish Customize Templates
1414887 - Suspending role in diagnostics Error caught: [ActiveRecord::RecordNotFound] Couldn't find MiqServer with 'id'=0
1414888 - No flash message when importing custom report
1414889 - Broken string in Title
1414891 - Containers SmartState analysis not working for images from unknown image registry,
1415217 - Tenant admin can create groups for other tenants
1415247 - Target refresh of VM does not update host
1415248 - Missing memory unit on Cluster Utilization graphs on provider dashboard view
1415332 - A critical section read of the worker's heartbeat information was not protected with a mutex
1415333 - Ec2 events are not associated to vms
1415754 - SSUI: Unable to save a blank retirement date to remove previously saved retirement date
1415755 - podfying cfme: clean-up evm.log in the cfme pod
1415756 - [Azure LB] - broken table in List view
1416001 - [FloatDomainError]: Infinity Method in Chargebacks for SCVMM
1416077 - Live migration to different cluster doesn't work for RHV
1416093 - Same value gets repeated multiple times on Y-axis of C&U graphs
1416821 - VHD image for AWS mounts database drive as /mnt
1416826 - VMware EMS Refresh fails with "block (2 levels) in getMoPropMulti' error
1417197 - New fields (e.g. tags, custom attributes) do not appear in Report Editor
1417974 - refresh of OCP 3.2 crashes with permission error in recovery
1418400 - Impossible to assign an alert profile
1418749 - authentication_key exposure missing from EMS service model in 4.2GA
1418846 - Discrepancy in resource usage reported between daily, weekly, monthly Chargeback reports
1419186 - [Regression]Error generating Chargeback reports
1419680 - Container Provider: Image Registries are not collected from Images originating from Openshift
1419738 - SSUI: Clicking on the 'Total Requests' link on SSUI Dashboard doesn't take you to the Requests page
1420555 - Service dialog dropdown differs from what is processed by service request
1420888 - [RHV] VM provision->Environment-> host list decreases, after 1 or more Vm provision
1420916 - Refresh of infrastructure provider fails with bad request with OSP director as provider
1420917 - Refresh of OSP10 OpenStack/Director undercloud failing
1422178 - Adding disk to a VM in RHV provider, via VM reconfigure, does not activate it
1422241 - Utilization data for OSP cloud instances does not show up
1423031 - VMware : Failure in snapshot revert
1423033 - Timeline's minus button is corrupted in IE11
1424260 - BootstrapTreeview loses the focus after creating or deleting Container Policies
1424275 - UI: "Check Box" label is not aligned properly.
1424977 - CVE-2017-2632 cfme: tenant administrator can create a group with higher permissions

6. Package List:

CloudForms Management Engine 5.7:

Source:
cfme-5.7.1.3-1.el7cf.src.rpm
cfme-appliance-5.7.1.3-1.el7cf.src.rpm
cfme-gemset-5.7.1.3-1.el7cf.src.rpm

x86_64:
cfme-5.7.1.3-1.el7cf.x86_64.rpm
cfme-appliance-5.7.1.3-1.el7cf.x86_64.rpm
cfme-appliance-debuginfo-5.7.1.3-1.el7cf.x86_64.rpm
cfme-debuginfo-5.7.1.3-1.el7cf.x86_64.rpm
cfme-gemset-5.7.1.3-1.el7cf.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2017-2632
https://access.redhat.com/security/updates/classification/#moderate

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2017 Red Hat, Inc.


--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce