Red Hat Security Advisory 2017-0898-01
Posted Apr 12, 2017
Authored by Red Hat | Site access.redhat.com

Red Hat Security Advisory 2017-0898-01 - Red Hat CloudForms Management Engine delivers the insight, control, and automation needed to address the challenges of managing virtual environments. CloudForms Management Engine is built on Ruby on Rails, a model-view-controller framework for web application development. Action Pack implements the controller and the view components. Security Fix: A number of unused delete routes are present in CloudForms which can be accessed via GET requests instead of just POST requests. This could allow an attacker to bypass the protect_from_forgery XSRF protection causing the routes to be used. This attack would require additional cross-site scripting or similar attacks in order to execute.

tags | advisory, web, xss, ruby
systems | linux, redhat
advisories | CVE-2017-2653
MD5 | 45af748afc5d4df8b78db2ab572c2521


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
Red Hat Security Advisory

Synopsis: Moderate: cfme, cfme-appliance, and cfme-gemset security, bug fix, and enhancement update
Advisory ID: RHSA-2017:0898-01
Product: Red Hat CloudForms
Advisory URL: https://access.redhat.com/errata/RHSA-2017:0898
Issue date: 2017-04-12
Cross references: RHSA-2017:0320
CVE Names: CVE-2017-2653
=====================================================================

1. Summary:

An update for cfme, cfme-appliance, and cfme-gemset is now available for
CloudForms Management Engine 5.7.

Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Relevant releases/architectures:

CloudForms Management Engine 5.7 - x86_64

3. Description:

Red Hat CloudForms Management Engine delivers the insight, control, and
automation needed to address the challenges of managing virtual
environments. CloudForms Management Engine is built on Ruby on Rails, a
model-view-controller (MVC) framework for web application development.
Action Pack implements the controller and the view components.

Security Fix(es):

* A number of unused delete routes are present in CloudForms which can be
accessed via GET requests instead of just POST requests. This could allow
an attacker to bypass the protect_from_forgery XSRF protection causing the
routes to be used. This attack would require additional cross-site
scripting or similar attacks in order to execute. (CVE-2017-2653)
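The reason a GET-reachable delete route matters is the verb rule behind protect_from_forgery: Rails treats GET and HEAD as safe and never checks them for an authenticity token, so a state-changing action wired to GET is outside the CSRF check entirely. The following is an added example, not CloudForms or Rails code: a small Ruby model of that verb rule, a vulnerable route table beside its hardened form, and a route audit that flags destructive paths answering GET. All route paths and tokens are constructed for the example.

```ruby
# Added example (not CloudForms/Rails code): models how Rails' forgery
# protection depends on the HTTP verb, and why a delete route that also
# answers GET is not covered by the authenticity-token check.
require 'securerandom'

# Mirrors the shape of Rails' verified_request?: GET/HEAD are assumed to be
# read-only and are never checked; every other verb must carry a token that
# matches the one stored in the session.
def verified_request?(method, session_token, supplied_token)
  return true if %w[GET HEAD].include?(method)
  !session_token.nil? && supplied_token == session_token
end

# Constructed route tables: each path lists the verbs it answers.
VULNERABLE_ROUTES = {
  '/things/delete' => %w[GET POST] # destructive action also reachable via GET
}.freeze

HARDENED_ROUTES = {
  '/things/delete' => %w[POST]     # destructive action: state-changing verb only
}.freeze

# Dispatch a request against a route table.
# Returns :not_found, :forbidden (forgery check failed) or :executed.
def dispatch(routes, method, path, session_token, supplied_token)
  verbs = routes[path]
  return :not_found unless verbs && verbs.include?(method)
  return :forbidden unless verified_request?(method, session_token, supplied_token)
  :executed
end

# Route audit for defenders: list every path that answers GET and whose name
# suggests it changes state. Such routes should be removed if unused, or
# restricted to POST/DELETE so the token check applies.
DESTRUCTIVE_WORDS = %w[delete destroy remove].freeze

def destructive_get_routes(routes)
  routes.select do |path, verbs|
    verbs.include?('GET') && DESTRUCTIVE_WORDS.any? { |w| path.include?(w) }
  end.keys
end

if __FILE__ == $PROGRAM_NAME
  token = SecureRandom.hex(16) # constructed session token

  # Vulnerable table: GET reaches the delete action with no token at all.
  p dispatch(VULNERABLE_ROUTES, 'GET', '/things/delete', token, nil)

  # Hardened table: GET is no longer routed, and POST needs the real token.
  p dispatch(HARDENED_ROUTES, 'GET', '/things/delete', token, nil)
  p dispatch(HARDENED_ROUTES, 'POST', '/things/delete', token, nil)
  p dispatch(HARDENED_ROUTES, 'POST', '/things/delete', token, token)

  p destructive_get_routes(VULNERABLE_ROUTES)
  p destructive_get_routes(HARDENED_ROUTES)
end
```

In a real Rails application the equivalent of the audit is running `rails routes` and checking that nothing destructive is declared with `get`; the fix the advisory describes (removing unused delete routes so that only POST remains) corresponds to the HARDENED_ROUTES table above.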

Additional Changes:

This update also fixes several bugs and adds various enhancements.
Documentation for these changes is available from the Technical Notes
document linked to in the References section.

4. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1386342 - [RFE] it's impossible to Provision VMs if VMs view is opened through Providers or Clusters,etc. views
1393438 - Advanced search not displayed in Config mgmt
1395722 - [Config management] - Advanced search not functional
1395866 - New provider input field lengths are inconsistent
1396237 - Middleware - Datasource deletion - More informative message.
1396579 - UI: Task status icons are not aligned properly
1402995 - do not render service start/stop buttons (and status field?) if start and stop actions are missing
1411477 - Heat Template provisioning does not honor Tagging filtering
1414003 - RFE - Azure Orchestration Service Retirement does not delete VMs
1416819 - AWS Region ca-central-1 missing from Cloud Provider configuration
1416827 - In datastore clusters selecting storage cluster does nothing
1416836 - Unexpected error encountered while Viewing Full screen report
1416894 - Duplicate folder names between host & vm/templates causes placement issues
1417757 - CF fails to provider discover RHV4.0
1417762 - Impossible to open a condition from a condition list
1417763 - Snapshot link in vm summary page becomes inactive on deleting a snapshot and viewing its history
1417779 - Clicking on the Policy Event link doesn't take you to the event page
1418066 - ActionController::RoutingError (No route matches [GET] "/client/assets/images/cockpit.png")
1418221 - "ExtManagementSystem" string in Provider policies
1418815 - Wrong provider condition title in the tree
1419603 - Getting undefined method with_interval_and_time_range errors in evm.log
1419694 - Catalog Item Long Descriptions allow the user to override UI styling
1420284 - [CFME] db:migrate warning 'supports_feature_mixin.rb:103: warning: key :terminate is duplicated and overwritten on line 111'
1420442 - Unable to provision VMs to a VLAN with a '/' in the name
1420467 - Containers Topology - second search not working
1421154 - check_provisioned Check orchestration deployed doesn't properly handle rollback_complete
1421158 - control policy events aren't generated for azure instances
1421161 - network manager timelines 404 found
1422647 - Customer concerned about memory and elapsed time to generate custom report in global reporting region
1422648 - Impossible to access Cockpit administration tool from Self-Service UI
1422649 - Appliance fails to terminate (ie, kill) worker processes that fail to respond to requested termination.
1422650 - Services with nil service_template will fail while looking up atomic? or composite?
1422651 - UI: Service catalog ordering - spinner disappearing too soon, not in sync with page load
1422652 - Inconsistent alt-text for advanced search buttons
1422653 - Update set_security_group method to accept an array of MIQ objects
1422654 - Node lifecycle: ability to set node manageable from provisioning state enroll
1422975 - Missing links to nested Resource Pools in Resource Pool summary screen
1423032 - Stack template page needs to change the font color
1423470 - Running any rake task gives a warning message before running
1424255 - SPICE connections to RHV fill up log with error message
1425492 - Chargeback for Container Images - Default Container Image Rate is editable
1425494 - cannot remove user belonging to group EvmGroup-super_administrator via tree
1425873 - MiqUiWorker fails to start
1426433 - Cannot generate VM base report
1426628 - [Regression]C&U graphs don't get grouped by tags
1426638 - Security groups reflected twice on Cloud tenant page
1426683 - Unable to compute performance rollups for OpenShift
1427168 - unable to bring VM out of retirement from details page
1427169 - Provide CFME/RHV build in qcow format, further to image uploader tool drop for RHV-4.1
1427172 - trying to log in with user admin after timeout on different user will get the UI stuck on login + error on wrong credentials will show in log
1427298 - vCenter DVS network selection after upgrade to CloudForms 4.2 fails
1427299 - Missing form buttons on Catalog Items - Add new Button Group and Buttons
1427321 - "My Company Tags" not loading after login for creating new group
1427520 - User access filtering using tags for clouds networks and floating ip| isn't working as expected.
1427522 - Cancel edit cloud subnet throw undefined method `empty?' for nil:NilClass
1428079 - Can not display instances on one tenant within OSP in CloudForms
1428122 - Creating or copying a report drops browser session and returns to sign in screen
1428124 - RuntimeError Multiple parents found / in generate_one_content_for_group
1428130 - [RFE] OpenShift Projects report Pods: Deleted On attribute empty
1428131 - limit list of user's roles to for creating a group
1428508 - When invoking a start or stop action on a instance via API, it does not reflected in CloudForms 4 UI however it performed desired action on cloud side.
1428509 - Missing "Reset" option for SCVMM VM from Details
1428512 - all volumes in systems are shown under a pod summary
1428579 - Cannot approve an automation request in a 'Pending Approval' state
1428895 - When filtering datastores the title is "the datastore datastores" which makes no sense
1428897 - Custom Attributes in WebUI Change Order as Created / Updated - Not sorted
1428899 - Copy Chargeback report will not add unless a parameter is changed first
1428900 - [RFE] Container Chargeback - get rate assignment from enterprise
1428903 - disable local login does not work when cfme external auth is configured for IPA
1428904 - Middleware Topology - broken icon for Servers
1429648 - An exception in a worker's sync_workers can cause the server process to exit with fatal error
1429650 - External authentication works when logging into the Admin UI but doesn't work for the same user to get into the Service UI
1429652 - The email validation is no longer accepting upper case characters in the users email address.
1429999 - CHRONYD getting stopped/failed in CFME-4.2 Appliances after 5-10 minutes
1430088 - Network I/O Metrics empty in RHEV
1430089 - Service view VM buttons all click through to first VM
1430439 - Ordering of Saved Chargeback reports needs to be reversed
1430542 - [RFE] Service Dialog drop-down field should support multi-select option
1430835 - CSRF tokens are erroneously being checked for external authentication
1430838 - Services > Catalog Items - services in the tree don't match right side
1430937 - Service Dialog does not save default value <None> for drop down or radio button
1431154 - No flash message after addition of a new policy is cancelled
1431162 - Service Dialog - Element visibility on condition is not working in Self-Service portal
1431163 - [SDN] - Security groups/Floating IPs not displayed in Network Topology View
1431164 - The cleanup process is never started because of bugs in the code
1431165 - "FATAL -- : ActionController::RoutingError (No route matches [POST] "/vm_infra/console/198")" found in production.log file while accessing vm console with MKS plugin
1431166 - Wrong selection of parent for VM in a tree
1431168 - Dashboard and Report information not filtered by Tenancy
1431620 - [Scale][RHV] Inventory refresh fail on timeout, after ~2 minutes.
1431641 - Issue when Azure VM doesn't include offer in.
1431727 - UI: Add new Subnet must be disabled when there is no cloud provider present.
1431808 - RHEV VM Reconfigure: Hot unplug CPU and Hot add memory request succeed, though it should fail on not-supported
1431842 - Service requests show none with "refresh" buttons instead of selected values
1432093 - Removing all folders from an accordion in Report Menu makes the Reports page display error
1432098 - Chargeback by Image cannot assign Rate for Label with special characters
1432174 - CVE-2017-2653 CloudForms: UI security issue on Openstack actions
1432463 - Web UI inaccessible after changing number of UI Workers
1432467 - [Azure] ManageIQ string in downloaded PDF
1432639 - RBAC Search Errors out on Strings
1432957 - AWS flavor list is out of date.
1432960 - Missing AWS Regions
1432961 - Unable to hot add new thin provisioned disk to VM
1432962 - Host Storage Device retrieves more information than necessary
1433069 - [Multi-tenancy, LDAP] - Images not visible to tenant / Instances not visible to tenant after provisioning
1433089 - Error after expanding Button Group in Catalog Items
1433093 - Mixed up values in Low and High operating ranges for C&U graphs
1433094 - Refresh of OSP10 OpenStack/Director undercloud failing
1433366 - Editing an already created schedule for "Container Image compliance" doesn't populate all the existing schedule settings
1433435 - Policy to exclude a VM from analysis shows as false but scanning is still happening
1433486 - Corrected loading record id by selected node
1433500 - Duplicate ContainerImage records with same digest
1433962 - Control Explorer is displayed despite role has restricted access to it
1433974 - Persistent Volumes list grow exponentially upon refresh.
1433976 - List items on Policy profiles page are not clickable
1433979 - Reports fail when selecting a Custom Attribute containing one or more dots
1433980 - VM extend retirement fails
1433981 - Charge back reports are not showing the data
1434012 - Clipped Chart Controls on Dashboard
1434096 - All Endpoints' [Validate] buttons disabled/enabled according to main endpoint fields
1434150 - [Scale] MiqWidget.generate_content at large scale consumes tremendous amount of memory and times - out
1434151 - Services: My Services tree does not show services that are marked as display false.
1434157 - Automate Simulation: The simulation form behaves weird after certain steps
1434158 - Stack trace when running fix_auth
1434160 - Impossible to distinguish Labels and entity attributes in OpenShift Chargeback Reports
1434172 - Azure Cloud provider fail to refresh
1434411 - Undefined Method Error virtual_custom_attribute_name for Chargeback Report OpenShift
1434428 - No payload sent to rhevm4.0 from cfme-5.7.0
1434549 - [RFE] Routers do not allow you to set/clear external network gateway
1435278 - Metrics collections consistently fail when where last collection date/time is weeks to months prior
1436223 - Unable to order service
1436340 - [RFE] Replace Ceilometer event with Panko
1436854 - miq worker in aborted status
1437560 - [RHOS] - changing ownership of image returns error
1438450 - Unable to open Details(Summary) of archived Instance
1438888 - [RFE]: Containers should be added to Service Model
1439308 - Excessive log lines for "Initializing DRb Connection to MiqServer with ID"
1440405 - subselection in access control role, not bubble up in tree display
1440408 - excon gem defaults generate error connecting to OSP

6. Package List:

CloudForms Management Engine 5.7:

Source:
cfme-5.7.2.1-1.el7cf.src.rpm
cfme-appliance-5.7.2.1-1.el7cf.src.rpm
cfme-gemset-5.7.2.1-1.el7cf.src.rpm

x86_64:
cfme-5.7.2.1-1.el7cf.x86_64.rpm
cfme-appliance-5.7.2.1-1.el7cf.x86_64.rpm
cfme-appliance-debuginfo-5.7.2.1-1.el7cf.x86_64.rpm
cfme-debuginfo-5.7.2.1-1.el7cf.x86_64.rpm
cfme-gemset-5.7.2.1-1.el7cf.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2017-2653
https://access.redhat.com/security/updates/classification/#moderate

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2017 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iD8DBQFY7k8mXlSAg2UNWIIRAhrtAKCLCyWmhin6azU7KxUiNu3tS98tuQCdGv+Y
zqroKok8+NibjKMFSYBFNIo=
=Clsk
-----END PGP SIGNATURE-----


--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce

