Red Hat Security Advisory 2019-0796-01

Posted Apr 23, 2019
Authored by Red Hat | Site access.redhat.com

Red Hat Security Advisory 2019-0796-01 - Red Hat CloudForms Management Engine delivers the insight, control, and automation needed to address the challenges of managing virtual environments. CloudForms Management Engine is built on Ruby on Rails, a model-view-controller framework for web application development. Action Pack implements the controller and the view components. Issues addressed include database disclosure, denial of service, and traversal vulnerabilities.

tags | advisory, web, denial of service, vulnerability, ruby
systems | linux, redhat
advisories | CVE-2019-5418, CVE-2019-5419
SHA-256 | 7b0abf23eaef6dbaecd5d1d1ec306c91e866820b9b88b17aa29456046bde3439

Red Hat Security Advisory

Synopsis: Important: CloudForms 4.7.3 security, bug fix and enhancement update
Advisory ID: RHSA-2019:0796-01
Product: Red Hat CloudForms
Advisory URL: https://access.redhat.com/errata/RHSA-2019:0796
Issue date: 2019-04-23
Cross references: RHBA-2019:40153
CVE Names: CVE-2019-5418 CVE-2019-5419

1. Summary:

An update is now available for CloudForms Management Engine 5.10.

Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

CloudForms Management Engine 5.10 - x86_64

3. Description:

Red Hat CloudForms Management Engine delivers the insight, control, and
automation needed to address the challenges of managing virtual
environments. CloudForms Management Engine is built on Ruby on Rails, a
model-view-controller (MVC) framework for web application development.
Action Pack implements the controller and the view components.

Security Fix(es):

* rubygem-actionpack: render file directory traversal in Action View

* rubygem-actionpack: denial of service vulnerability in Action View

For more details about the security issue(s), including the impact, a CVSS
score, and other related information, refer to the CVE page(s) listed in
the References section.

Additional Changes:

This update fixes various bugs and adds enhancements. Documentation for
these changes is available from the Release Notes document linked to in the
References section.

4. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:


If the postgresql service is running, it will be automatically restarted
after installing this update. After installing the updated packages, the
httpd daemon will be restarted automatically.

5. Bugs fixed (https://bugzilla.redhat.com/):

1678385 - [v2v][OSP][RHV]Migrating over SSH and VDDK transformation method with names containing spaces such as `rhel 7`, fails to migrate
1680959 - The displayed elapsed time in the service is wrong
1686045 - [RFE] Add ability to Download Wrapper Logs from UI
1686902 - Default worker memory settings in the WebUI are incorrect and do not match the actual configured memory settings
1688937 - proxy timeout loading list of services post update
1689159 - CVE-2019-5418 rubygem-actionpack: render file directory traversal in Action View
1689160 - CVE-2019-5419 rubygem-actionpack: denial of service vulnerability in Action View
1693714 - [RFE] Add support for including optional flavor and security group fields in CSV file for OSP migration plans
1693718 - [RFE] TransformationMapping: API for adding mapping item
1693719 - User and group values of a report are not honored when importing the report
1693720 - role with all Product Features checked, throws RbacPrivilegeException
1693721 - C&U: Missing memory utilization graphs for ec2 availability zones
1693722 - Warn when custom attributes contain spaces in their names - they will not work properly in all of reporting
1693727 - Text attachment generation fails for custom report
1693728 - Unable to schedule an NFS or Samba Database Backup in CloudForms 5.10
1693729 - [RFE]UI changes to "Download Logs" list and "Detect Provider Changes"
1693730 - Clicking on Network -> Topology Produces Error 500 Internal Server Error
1693731 - [v2v][RHV][UI] Infrastructure mapping page is broken
1693740 - [VMware] Publish to template and clone VM operations cannot be performed as UI goes blank
1693741 - [V2V] [RFE] Ability to filter VMs from VMware folders
1693743 - [RFE] Vertical menu fixes and other enhancements for v2v UI
1693745 - [RFE] RHV conversion hosts warning depends on CF tags, should use /api/conversion_hosts instead
1693746 - [RFE] Add new throttling option to the UI for "Maximum concurrent migrations per provider"
1693747 - [RFE]v2v - Enhanced Error Reporting in UI from virt-v2v logs
1693748 - Appliance console shows incorrect region id
1693749 - Cannot access child services from the My Services summary screens
1693757 - [RFE] possibility to hide Red Hat CloudForms Engine text in top left Corner of OPs and SUI
1693817 - Errors when submitting VM action from global region
1694190 - [v2v][OSP] Migration stuck in refresh inventory state when we migrate via SSH transformation method
1694798 - [RFE] Provide detailed info regarding why clusters/datastores/networks are missing
1695626 - Remove the deprecated "Discover Cloud Providers" option from CloudForms UI
1695627 - Retiring an embedded Ansible service always retires the service resources
1695628 - [RFE] Metrics for memory usage of AWS instances needs to be collected from CloudWatch new Agent
1695629 - Deleting a disk from a VM in RHV fails in CFME
1695631 - [RFE] Unable to Utilize Tenancy With Central Admin
1695897 - State machine for Vm Retirement is using the old values
1696362 - Different syntax by Service Request in Master region
1696419 - [v2v] Edit Migration plan shows VM status incorrect
1696421 - [v2v] : Migration shows blank page if provider is removed from CFME
1696422 - [RFE]UI change: Migration Plans screen breadcrumbs
1696456 - v2v job polling interval and timeout values updated
1696841 - CloudForms allow user to submit disk size change when snapshots are attached
1698586 - Dynamic Dialogs no longer function

6. Package List:

CloudForms Management Engine 5.10:



These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from

7. References:


8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2019 Red Hat, Inc.

RHSA-announce mailing list