
Red Hat Security Advisory 2017-3484-01
Posted Dec 18, 2017
Authored by Red Hat | Site access.redhat.com

Red Hat Security Advisory 2017-3484-01 - Red Hat CloudForms Management Engine delivers the insight, control, and automation needed to address the challenges of managing virtual environments. CloudForms Management Engine is built on Ruby on Rails, a model-view-controller framework for web application development; Action Pack implements the controller and the view components. The update covers the cfme, cfme-appliance and cfme-gemset packages for CloudForms Management Engine 5.7 and fixes CVE-2017-2664, a missing RBAC check on certain methods of the Rails web UI that an attacker with access could use to escalate privileges.

tags | advisory, web, ruby
systems | linux, redhat
advisories | CVE-2017-2664
SHA-256 | 4a3692d773dfdb3a0baf0904f7370f30464bfe25a4d3d753f236f35e7b82503a

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
Red Hat Security Advisory

Synopsis: Important: Red Hat CloudForms security, bug fix, and enhancement update
Advisory ID: RHSA-2017:3484-01
Product: Red Hat CloudForms
Advisory URL: https://access.redhat.com/errata/RHSA-2017:3484
Issue date: 2017-12-18
Cross references: RHSA-2017:1601
CVE Names: CVE-2017-2664
=====================================================================

1. Summary:

An update for cfme, cfme-appliance, and cfme-gemset is now available for
CloudForms Management Engine 5.7.

Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

CloudForms Management Engine 5.7 - x86_64

3. Description:

Red Hat CloudForms Management Engine delivers the insight, control, and
automation needed to address the challenges of managing virtual
environments. CloudForms Management Engine is built on Ruby on Rails, a
model-view-controller (MVC) framework for web application development.
Action Pack implements the controller and the view components.

CloudForms Management Engine Appliance.

CloudForms Management Engine Gemset.

Security Fix(es):

* CloudForms lacks RBAC controls on certain methods in the Rails
application portion of CloudForms. An attacker with access to the web UI
could invoke a variety of these methods to escalate privileges.
(CVE-2017-2664)

This issue was discovered by Libor Pichler (Red Hat) and Martin Povolny
(Red Hat).
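The following is an added example, not code from this advisory or from the CloudForms/ManageIQ code base. It models the bug class described above: a Rails-style controller action that performs a privileged operation without an RBAC check, shown beside the hardened form, together with an offline audit that lists actions carrying no declared privilege. The User and VM structs, ROLE_FEATURES, assert_privileges and the feature identifiers are assumptions made for illustration, not the product's real API.

```ruby
# Added example, not code from the advisory or from CloudForms/ManageIQ.
# Models the bug class behind CVE-2017-2664: a Rails-style controller action
# with no RBAC check beside its hardened form, plus an audit for actions with
# no declared privilege. All names and feature identifiers are assumptions.

class AccessDenied < StandardError; end

# Constructed role-to-feature table (feature names invented for the example).
ROLE_FEATURES = {
  "EvmRole-administrator" => %w[vm_view vm_ownership vm_retire].freeze,
  "EvmRole-reader"        => %w[vm_view].freeze,
}.freeze

User = Struct.new(:name, :role) do
  def allowed?(feature)
    ROLE_FEATURES.fetch(role, []).include?(feature)
  end
end

VM = Struct.new(:name, :owner)

# Minimal stand-in for a Rails controller: every public method is an action.
class BaseController
  attr_reader :current_user

  def initialize(current_user)
    @current_user = current_user
  end

  # Declares the feature an action needs; read by the offline audit below.
  def self.required_feature(action = nil, feature = nil)
    @required ||= {}
    @required[action.to_sym] = feature if action
    @required
  end

  def self.actions
    public_instance_methods(false)
  end

  protected

  def assert_privileges(feature)
    return if current_user.allowed?(feature)
    raise AccessDenied, "#{current_user.name} (#{current_user.role}) lacks #{feature}"
  end
end

# Vulnerable pattern: set_ownership never checks that the caller may change
# ownership, so any authenticated user who can reach the route succeeds.
class VulnerableVmController < BaseController
  required_feature :show, "vm_view"

  def show(vm)
    assert_privileges "vm_view"
    vm
  end

  def set_ownership(vm, new_owner)
    vm.owner = new_owner
    vm
  end
end

# Hardened pattern: the action declares its feature and asserts it first.
class HardenedVmController < BaseController
  required_feature :set_ownership, "vm_ownership"

  def set_ownership(vm, new_owner)
    assert_privileges "vm_ownership"
    vm.owner = new_owner
    vm
  end
end

# Offline audit: actions with no declared feature. Run over every controller
# in a code base to find this class of gap before an attacker does.
def unprotected_actions(controller_class)
  controller_class.actions.reject { |a| controller_class.required_feature.key?(a) }
end

# Drive the action as a read-only user. :escalated means the ownership change
# went through; :denied means RBAC stopped it.
def attempt_ownership_change(controller_class)
  reader = User.new("alice", "EvmRole-reader")
  vm = VM.new("web01", "bob")
  controller_class.new(reader).set_ownership(vm, "alice")
  vm.owner == "alice" ? :escalated : :unchanged
rescue AccessDenied
  :denied
end

if __FILE__ == $PROGRAM_NAME
  puts "vulnerable controller: #{attempt_ownership_change(VulnerableVmController)}"
  puts "hardened controller:   #{attempt_ownership_change(HardenedVmController)}"
  puts "unprotected actions:   #{unprotected_actions(VulnerableVmController).inspect}"
end
```

The audit is the part worth carrying over to a real code base: a test that fails whenever a controller action has no declared privilege turns this class of omission into a build failure rather than a CVE.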

Additional Changes:

This update also fixes several bugs and adds various enhancements.
Documentation for these changes is available from the Release Notes
document linked to in the References section.

4. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1344690 - ActionController::RoutingError in automation simulation tree
1401560 - Missing buttons Graph view, Hybrid view, Table view and missing option Show full screen report
1424267 - selection doesn't move along with added/copied Condition in Control->Explorer->Policies treeview
1429962 - UI: VM "Edit Management Engine Relationship", 'Save' problem mal functionning
1435393 - CVE-2017-2664 CloudForms: lack of RBAC on various methods in web UI
1440105 - UI: Tasks are using an old icons for Task State.
1449404 - IE 11 on windows 7: On topology page entity icons are not displaying properly
1451831 - [Ansible Tower] - Ansible Tower Jobs - relationships table - undefined method when clicking on Service
1457979 - After killing reporting worker, report status still says Running
1458287 - Incorrect padding in Actions and Conditions selection screens
1460149 - [Ansible Tower] - Unexpected error when clicking on successful job
1460656 - WebUI:Tag Visibility - Ansible Tower Job Templates should honor tag visiblity
1460696 - HTML in node names of Control/Simulation tree
1460938 - Unexpected error encountered while clicking on "Download PDF" button on Switch page
1462104 - [Amazon EC2] - ManageIQ string in PDF filename of Network provider and in PDF title
1462146 - Access Web Console Cockpit not compatible with Windows VMs
1463265 - Missing id attribute on Cloud->Instance Edit form, Child VM MultiBoxSelect
1465077 - CFME collects C&U metrics even before resource creation
1465079 - report vm and instances field 'Provision.Request : Approved By' does not apply any styling
1465080 - The IP version (network protocol) is not displayed when editing cloud subnets
1465081 - Formatting of Provider summary PDF file generated from provider summary page is very broken
1465082 - [SDN][Tags] - Redirection to Network provider summary page page after tag is saved
1465083 - Tag Visibility | Cloud Stack: Tag is not added if stack list opened from provider detail page
1465084 - service now integrations for determining host_name return empty array
1465086 - Hourly metrics_## tables grow filling up the VMDB filesystem when real-time purges fail
1465088 - Service template provisioning request do not honour quotas
1465090 - "Items" keyword in the dropdown list values of Default Items Per Page in my settings
1465091 - [RFE] External Auth - AD - samba-common-tools and deps missing from appliance.
1465093 - The 'Assigned Filters' setting in the Settings->Access Control->Groups->[group name] only applies to 'Hosts & Clusters', and not the Network providers.
1465415 - Service Retirement not working properly for Orchestration Stacks due to missing zone.
1468593 - Check for blank password in database configuration to avoid postgres errors
1468606 - Azure refresh fails if provider has no orchestration stacks
1468612 - prevent two miq servers from starting
1468613 - Remote VNC/SPICE consoles lack logging when the remote endpoint is inaccessible
1468614 - Not able to retire VM/instance via API unless "Set Retirement Date" feature is checked for role
1468633 - websocket connection leaks causing failed connections
1469297 - Unable to select the Azure region UK South
1469703 - performance issue in openstack collection
1471201 - Replace nodejs010 with node from SCL in appliances
1471202 - Unable to save trusted forest Settings
1471204 - Not possible to refresh automate from GIT using API call
1471315 - Tag with Key 'Name' and a nil Value Breaks Refresh for AWS
1472364 - Productized border at top of page should be red not blue
1472381 - Ansible tower job templates filters are not displayed
1472383 - Deleted labels still show up in CFME after provider refresh
1472384 - Some container resources not cleaned up after removal from Openshift - research
1472806 - <Choose> found as option in drop down service dialogs
1473271 - Raise MiqProvisionError if instance is in error state
1475020 - Drop Down List Dialog does not keep default value for Integer type
1475031 - After applying errata 5.7.3.2 some dialog field default values are missing in the self-service portal
1476270 - Validation Credentials fails for OSP 10 Provider with AD "domain" user
1476279 - OpenStack cloud provider refresh error: Flavor <flavor id> could not be found
1476284 - After Applying ERRATA-RHSA-2017:1601 full refreshes are being trigged frequently
1476296 - Unable to perform power control operations on stack instance when navigated through stack summary page
1476395 - OSP: when validating an account with access to many projects, it checks each, and times out
1477195 - AD with external auth, When doing group lookup for user group SID number is displayed instead of Group name
1477617 - Validation failed: Status is not included in the list
1477722 - Unable to provision against vmware with "multiple parents found" error
1477723 - zones of sub region show up as zones appliances of a central region can move to
1477725 - Search field disappears when user clicks view selector after user input dialog on Compute->Infrastructure->All VMs page
1477727 - Refresh failed for VMware Provider in Cloudforms 4.5
1478368 - User unable to tick the check boxes of the folder while assigning the Alert profile
1479377 - Provisioning to MS SCVMM Uses host.name instead of host.hostname
1479410 - incorrect value used in stock automation wait_for_completion
1480630 - prefetch_below_threshold? failure after AWS upgrade
1481743 - UI: "Unexpected error encountered" when Downloading report in text,csv and pdf format
1481859 - Provisions via Users in multiple groups in tenants in SSUI result in VMs being provisioned to wrong group/tenant
1481862 - Azure inventory collection fails with missing instances for west-india region
1481864 - Datasources Download .txt truncates host-name
1481865 - Unable to provision HyperV networking properly
1481867 - Unable to provision against vmware due to "unknown method xsiType"
1481870 - Quota not using cloud volumes in requested resource calculation.
1482151 - Missing Icon of power state - migrating
1482672 - Workers processing a miq_queue message that exceed the memory threshold aren't given enough time to exit gracefully
1484387 - Setting VM ownership on more than 100 VMs at a time causing server error status 400 bad request
1484541 - Custom button not passing target object to dynamic dialog fields
1484549 - [RFE] Add config option to skip container_images
1487280 - Refresh fails: undefined method `[]' for nil:NilClass in `parse_image_name'
1487289 - [RFE] Include EvmRole-reader as read-only role in the fixtures
1487297 - [RFE] The azure image as built cannot be used in azure.
1487307 - Unable to perform any actions on cloud objects from list view when navigated to cloud tenants
1487321 - Unable to access filter tab while Editing chargeback for projects report
1487323 - Save only used OpenShift images with labels/tags
1487686 - Drop down history toolbar button on Import/Export report page is not needed, should be removed.
1487694 - UI elements not loading and reporting widgets not showing data points
1490434 - Clicking x button in search box doesn't remove the search
1491576 - [Regression] Unable to assign actions to a policy
1492158 - Quota management doesn't work according the expected
1492867 - Dashboard shows 2 for "retiring soon" services but clicking on that link shows None
1493700 - HTML5 VNC Remote Console: Remove VNC proxy from the UI
1494189 - vc refreshes are preventing full refreshes
1495971 - setting a dynamic dialog to "required = True" is not saved
1496597 - Setting memory_reserve lower than vm_memory failed
1497522 - Deleted VM is moved to status Orphan, though it should move to Archived.
1497748 - Editing Name of a Category via API breaks Chargeback Assignments
1498095 - Tag/Networks: Cloud Network list is available for restricted user, if Network manager was tagged
1498131 - It allows me to have filter with same name twice when loading global filter
1498232 - [Regression] appliance_console not enabling all required SCAP rules.
1500050 - Cannot add Azure provider to CloudForms 4.2
1500052 - Azure refreshes fail with [NameError]: wrong constant name $default
1500067 - Cloudforms AWS image with Azure provider fails to discover entire environment
1500995 - Unable to initiate VM console in VMware environment with 6.5 VC and ESXi 6.5
1501478 - overwriting reports causes new runs of the report to not show data for some columns
1502739 - Dynamic refresh ignored on Service Dialog elements if clicking submit without clicking out of refresh trigger element first
1505417 - Records with duplicate timestamp in metrics rollup table
1505458 - UI: PDF Download button is missing from the infra provider summary page (it is displayed for cloud providers)
1505468 - Edit tags not working while navigating to instance through provider
1505546 - [EUWE] HTML5 Console Does Not Display From SSUI/OPS UI VMWare
1506626 - compute.instance.exists events
1509420 - Queue workers are frequently querying pg_backend_pid
1517712 - Storage Volume Attach give Unexpected Error
1521043 - Azure NetworkManager refresh failure with "undefined method `source_address_prefix'" error

6. Package List:

CloudForms Management Engine 5.7:

Source:
cfme-5.7.4.2-1.el7cf.src.rpm
cfme-appliance-5.7.4.2-1.el7cf.src.rpm
cfme-gemset-5.7.4.2-1.el7cf.src.rpm
rh-ruby23-rubygem-nokogiri-1.8.1-2.el7cf.src.rpm

x86_64:
cfme-5.7.4.2-1.el7cf.x86_64.rpm
cfme-appliance-5.7.4.2-1.el7cf.x86_64.rpm
cfme-appliance-debuginfo-5.7.4.2-1.el7cf.x86_64.rpm
cfme-debuginfo-5.7.4.2-1.el7cf.x86_64.rpm
cfme-gemset-5.7.4.2-1.el7cf.x86_64.rpm
rh-ruby23-rubygem-nokogiri-1.8.1-2.el7cf.x86_64.rpm
rh-ruby23-rubygem-nokogiri-debuginfo-1.8.1-2.el7cf.x86_64.rpm
rh-ruby23-rubygem-nokogiri-doc-1.8.1-2.el7cf.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/
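Beyond checking the package signature with rpm's standard `rpm -K <file>.rpm`, a practitioner patching a fleet wants a quick answer to "does this appliance already carry the fix?". The following is an added example, not part of the advisory: it compares an installed cfme version-release (as printed by `rpm -q --qf '%{VERSION}-%{RELEASE}' cfme`, constructed here as sample strings) against the fixed build 5.7.4.2-1.el7cf from the package list above. It follows rpmvercmp's segment rules (numeric segments compare as integers and beat alphabetic ones; extra trailing segments mean newer) but is a simplified re-implementation, not librpm. The comparison is only meaningful within the CloudForms 5.7 stream this advisory covers; other streams have their own advisories.

```ruby
# Added example, not from the advisory. Decides whether an installed cfme
# package is at or past the fixed build in this advisory's package list.
# Simplified re-implementation of rpm's rpmvercmp segment rules (no tilde or
# caret handling), not librpm itself.

FIXED_CFME = "5.7.4.2-1.el7cf"   # from section 6, cfme-5.7.4.2-1.el7cf

# Split "5.7.4.2" into ["5","7","4","2"], "1.el7cf" into ["1","el","7","cf"].
def segments(s)
  s.scan(/\d+|[a-zA-Z]+/)
end

# Returns -1, 0 or 1 like rpmvercmp for one version or release string.
def rpmvercmp(a, b)
  return 0 if a == b
  sa, sb = segments(a), segments(b)
  sa.each_with_index do |x, i|
    y = sb[i]
    return 1 if y.nil?                     # a has extra segments: a is newer
    xn, yn = x.match?(/\A\d/), y.match?(/\A\d/)
    return (xn ? 1 : -1) if xn != yn       # numeric segment beats alphabetic
    c = xn ? (x.to_i <=> y.to_i) : (x <=> y)
    return c unless c.zero?
  end
  sb.length > sa.length ? -1 : 0           # b has extra segments: b is newer
end

# Compare "version-release" strings: version first, release breaks ties.
def vr_compare(a, b)
  va, ra = a.split("-", 2)
  vb, rb = b.split("-", 2)
  c = rpmvercmp(va, vb)
  c.zero? ? rpmvercmp(ra.to_s, rb.to_s) : c
end

# True when the installed version-release is at or past the fixed build.
def cfme_patched?(installed_vr, fixed = FIXED_CFME)
  vr_compare(installed_vr, fixed) >= 0
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample inputs standing in for `rpm -q` output on three hosts.
  %w[5.7.3.2-1.el7cf 5.7.4.2-1.el7cf 5.7.10.0-1.el7cf].each do |vr|
    puts "cfme-#{vr}: #{cfme_patched?(vr) ? 'fixed' : 'VULNERABLE (CVE-2017-2664)'}"
  end
end
```

Note that a string comparison would get the 5.7.10.0 case wrong (it sorts "10" before "4"); the per-segment integer compare is what makes the check reliable.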

7. References:

https://access.redhat.com/security/cve/CVE-2017-2664
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2017 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iD8DBQFaOCPCXlSAg2UNWIIRAoCOAJ4hDys8f7j0ds8NqSY+dulIXwI1WQCff+ze
bGKOZPFsz5Gnxv0Rm3WWnrM=
=wTln
-----END PGP SIGNATURE-----

--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce