what you don't know can hurt you

Red Hat Security Advisory 2018-3466-01

Red Hat Security Advisory 2018-3466-01
Posted Nov 5, 2018
Authored by Red Hat | Site access.redhat.com

Red Hat Security Advisory 2018-3466-01 - Red Hat CloudForms Management Engine delivers the insight, control, and automation needed to address the challenges of managing virtual environments. CloudForms Management Engine is built on Ruby on Rails, a model-view-controller framework for web application development. Action Pack implements the controller and the view components. Issues addressed include a code execution vulnerability.

tags | advisory, web, code execution, ruby
systems | linux, redhat
advisories | CVE-2018-1000544
MD5 | c8fd9daeba7ca15104e6c47fe5878c20

Red Hat Security Advisory 2018-3466-01

Change Mirror Download
Hash: SHA256

Red Hat Security Advisory

Synopsis: Moderate: CloudForms 4.6.5 security, bug fix and enhancement update
Advisory ID: RHSA-2018:3466-01
Product: Red Hat CloudForms
Advisory URL: https://access.redhat.com/errata/RHSA-2018:3466
Issue date: 2018-11-05
Cross references: RHSA-2018:2561
CVE Names: CVE-2018-1000544

1. Summary:

An update is now available for CloudForms Management Engine 5.9.

Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Relevant releases/architectures:

CloudForms Management Engine 5.9 - x86_64

3. Description:

Red Hat CloudForms Management Engine delivers the insight, control, and
automation needed to address the challenges of managing virtual
environments. CloudForms Management Engine is built on Ruby on Rails, a
model-view-controller (MVC) framework for web application development.
Action Pack implements the controller and the view components.

Security Fix(es):

* rubyzip: arbitrary file write vulnerability / arbitrary code execution
using a specially crafted zip file (CVE-2018-1000544)

For more details about the security issue(s), including the impact, a CVSS
score, and other related information, refer to the CVE page(s) listed in
the References section.

Additional Changes:

This update fixes various bugs and adds enhancements. Documentation for
these changes is available from the Release Notes document.

4. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:


5. Bugs fixed (https://bugzilla.redhat.com/):

1592571 - Service Dialog Editor localization in French Incomplete
1593001 - CVE-2018-1000544 rubyzip: arbitrary file write vulnerability / arbitrary code execution using a specially crafted zip file
1599349 - API with an invalid zone name kill the appliance
1603026 - Vim Performance States Table Causing Region to Lock up During a Vacuum
1607409 - The remote_ws_url value does not failover if the appliance is stopped, so "api_url" can be incorrect in an Ansible playbook
1607438 - Alerts do not trigger and do not send email notification
1608368 - Ansible Jobs Causing State Machine to Fail due to Inactivity Threshold Exceeding 0
1608770 - custom buttom page empty
1612905 - internal server error when cloud_tenants or flavors subcollection is requested on infra provider
1613333 - Couldn't find EmsFolder with 'id'
1613420 - OpenStack deletion gives problem
1615465 - Using database wildcard `%25` in VM queries causes exception, returns 500 to client
1618800 - Open URL Does Not Work When Using a DIalog with a Button
1618805 - CloudForms tries to collect metrics from OCP despite not being configured for it
1618807 - [RFE] Restore VM ownership and retirement during migration
1618808 - Migrations linking jobs and miq_tasks could take long time when upgrading to 5.9
1619431 - [v2v] Network Missing in Infra Mapping
1619654 - [v2v] Schedule Unschedule Migration does not seem to work correctly
1621441 - Change VMware URI to connect directly to ESXi
1621445 - Default Dashboard can't be updated
1621449 - Fix displaying disk type of a VM created from template and passing clone parameter to RHV
1622631 - reports using "group by" on date show a total column per vm instead of showing a total at the end of the report
1622652 - Service Retirement runs twice for direct service children
1623557 - virt-v2v Fails with IMS when Using AD Credentials for VMware Provider
1623559 - [RFE] Add state_machine_phase attribute to transformation state machines
1623560 - Dynamic Text Area and Text Box Elements Load Even Though Load on Init is not Marked
1623561 - displaying -Child Orchestration Stacks- throwing UI error
1623563 - unable to generate chargeback based on metering for vms with traceback in logs
1623565 - Add log messages to Chargeback
1623573 - unable to add disk to vm via rest-api vm reconfiguration on vmware [request backport from existing commit]
1623582 - Change in chargeback report logging output
1625249 - Read Action Forbidden When User Tries to Attach Cloud Volume OpenStack
1625323 - UI breaks when viewing instance details.
1625376 - Wrong timezone when selecting retirement time
1626143 - Storage Domain ignored on provisioning
1626219 - nuage refresh fails - undefined method `[]' ... security_groups
1626474 - Handle service retirement date in service dialog
1628348 - Update to Azure Government endpoint
1628657 - Unable to retry Embedded Ansible method in a state machine
1629089 - [RFE] Add more RAM options size to life cycle dialog
1629090 - [SSUI] Able to create snapshot with memory on powered down VM
1629094 - Make the checkbox column in the column view not click-able
1629121 - When a button is for 'single and list' or 'list' and has a visibility expression, the button does not display in the list view even when all VMs in the list meet the expression
1629124 - giving volume name shouldn't be mandatory in case of Openstack instance provisioning
1629125 - OSP domain user seen objects from other domain tenants
1629126 - [RFE] Add support to oVirt provider to set VM memory and CPU
1629127 - UI Monitor Alerts page is slow to load and when clicking on link it shows blank page with no alerts
1629129 - Cannot add Ansible Tower or refresh already added Ansible Tower
1629897 - Memory threshold set from Workers tab doesn't work
1630938 - Refactor restoring VM attributes during migration
1631557 - Unable to provision VM with "choose automatic option"
1631817 - Not able to access Openstack instance console from selfservice portal
1632769 - Triggered Refresh Still Occurs for Dialog After Changing Type to Static
1634032 - To be able to add and create reports, the edit report role is needed.
1634808 - Password hashes in Automate Log
1635038 - VMware vCloud Provider's vApp Provisioning Dialog Cannot be Submitted
1635764 - Power management via API falling into the wrong zone leading to permanently queued requests
1637035 - Add transformation utils methods
1637185 - [RHV] ISO provisioning fails with undefined SDK method
1637720 - Unable to see chargeback rate under rates accordion
1638684 - VMware vCloud Provider's vApp Service Cannot be Fully Retired
1639300 - Unable to perform chargeback assignments for compute
1639413 - When ordering a service via the API the service dialog is not executed
1639877 - Can't change Server's Zone
1641670 - [regression][Custom Button] Unexpected error encountered in infrastructure and datastore object type when method and dialog both attached
1641810 - undefined method `find_tagged_with' for #<Class:0x000000000b5e3228> [miq_request/show_list]

6. Package List:

CloudForms Management Engine 5.9:



These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from

7. References:


8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2018 Red Hat, Inc.
Version: GnuPG v1


RHSA-announce mailing list
Login or Register to add favorites

File Archive:

July 2020

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jul 1st
    15 Files
  • 2
    Jul 2nd
    19 Files
  • 3
    Jul 3rd
    12 Files
  • 4
    Jul 4th
    1 Files
  • 5
    Jul 5th
    2 Files
  • 6
    Jul 6th
    25 Files
  • 7
    Jul 7th
    35 Files
  • 8
    Jul 8th
    4 Files
  • 9
    Jul 9th
    9 Files
  • 10
    Jul 10th
    7 Files
  • 11
    Jul 11th
    4 Files
  • 12
    Jul 12th
    4 Files
  • 13
    Jul 13th
    14 Files
  • 14
    Jul 14th
    17 Files
  • 15
    Jul 15th
    0 Files
  • 16
    Jul 16th
    0 Files
  • 17
    Jul 17th
    0 Files
  • 18
    Jul 18th
    0 Files
  • 19
    Jul 19th
    0 Files
  • 20
    Jul 20th
    0 Files
  • 21
    Jul 21st
    0 Files
  • 22
    Jul 22nd
    0 Files
  • 23
    Jul 23rd
    0 Files
  • 24
    Jul 24th
    0 Files
  • 25
    Jul 25th
    0 Files
  • 26
    Jul 26th
    0 Files
  • 27
    Jul 27th
    0 Files
  • 28
    Jul 28th
    0 Files
  • 29
    Jul 29th
    0 Files
  • 30
    Jul 30th
    0 Files
  • 31
    Jul 31st
    0 Files

Top Authors In Last 30 Days

File Tags


packet storm

© 2020 Packet Storm. All rights reserved.

Security Services
Hosting By