-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: CFME 5.6.2.2 security, and bug fix update
Advisory ID:       RHSA-2016:2091-01
Product:           Red Hat CloudForms
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2016-2091.html
Issue date:        2016-10-20
Cross references:  RHSA-2016:1996
CVE Names:         CVE-2016-7071
=====================================================================

1. Summary:

An update for cfme is now available for Red Hat CloudForms 4.1.

Red Hat Product Security has rated this update as having a security
impact of Important. A Common Vulnerability Scoring System (CVSS) base
score, which gives a detailed severity rating, is available for each
vulnerability from the CVE link(s) in the References section.

2. Relevant releases/architectures:

CloudForms Management Engine 5.6 - x86_64

3. Description:

Red Hat CloudForms Management Engine delivers the insight, control, and
automation needed to address the challenges of managing virtual
environments. CloudForms Management Engine is built on Ruby on Rails, a
model-view-controller (MVC) framework for web application development.
Action Pack implements the controller and the view components.

Security Fix(es):

* CloudForms did not properly apply permissions controls to VM IDs passed
by users. A remote, authenticated attacker could use this flaw to execute
arbitrary VMs on systems managed by CloudForms if they know the ID of the
VM. (CVE-2016-7071)

This update also fixes several bugs. Documentation for these changes is
available in the Release Notes linked to in the References section.

All CFME users are advised to upgrade to these updated packages, which
correct these issues and add these enhancements.

4. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1385887 - Ordering catalog item is not working after an update to 5.6.2.1
1385898 - [regression] cannot set default values in service dialogue

6. Package List:

CloudForms Management Engine 5.6:

Source:
cfme-5.6.2.2-1.el7cf.src.rpm
cfme-appliance-5.6.2.2-1.el7cf.src.rpm
cfme-gemset-5.6.2.2-1.el7cf.src.rpm

x86_64:
cfme-5.6.2.2-1.el7cf.x86_64.rpm
cfme-appliance-5.6.2.2-1.el7cf.x86_64.rpm
cfme-appliance-debuginfo-5.6.2.2-1.el7cf.x86_64.rpm
cfme-debuginfo-5.6.2.2-1.el7cf.x86_64.rpm
cfme-gemset-5.6.2.2-1.el7cf.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2016-7071
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is . More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2016 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iD8DBQFYCN7AXlSAg2UNWIIRAkRLAKCaNGf1BigZ1dX1zBquLIjSAGCfPQCfdJ90
yKyytD19sJStGh9KyMlq7fc=
=dqNs
-----END PGP SIGNATURE-----

--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce
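An added illustration of the defect class the advisory describes under CVE-2016-7071 (this is not CloudForms code and not the fix shipped in cfme-5.6.2.2): a VM id taken from the request is used to look up and act on a VM with no permission check, shown beside a lookup that is scoped to the VMs the caller may see and gated on the role the action needs. The inventory, tenant names and role names are constructed for the example.

```ruby
# Constructed sample model: a VM belongs to a tenant; a user belongs to a
# tenant and holds a set of roles.
Vm   = Struct.new(:id, :name, :tenant_id)
User = Struct.new(:id, :tenant_id, :roles)

class NotAuthorized < StandardError; end

# Constructed inventory: two tenants, one VM each.
VMS = {
  101 => Vm.new(101, "web-01", :tenant_a),
  202 => Vm.new(202, "db-01",  :tenant_b),
}.freeze

# Vulnerable pattern: the id supplied by the user is trusted as-is, so any
# authenticated user who knows an id can act on that VM.
def start_vm_unscoped(_user, vm_id)
  vm = VMS.fetch(Integer(vm_id))
  "started #{vm.name}"
end

def parse_id(vm_id)
  Integer(vm_id)
rescue ArgumentError, TypeError
  nil
end

# The set of VMs a caller is permitted to see (here: same tenant).
def visible_vms(user)
  VMS.values.select { |vm| vm.tenant_id == user.tenant_id }
end

# Hardened pattern: resolve the id only within the caller's visible set,
# then require the role for the action. "Not yours" and "does not exist"
# produce the same error so the id space cannot be probed.
def start_vm_scoped(user, vm_id)
  id = parse_id(vm_id)
  vm = id && visible_vms(user).find { |v| v.id == id }
  raise NotAuthorized, "vm not found" unless vm
  raise NotAuthorized, "vm_operator role required" unless user.roles.include?(:vm_operator)
  "started #{vm.name}"
end

if $PROGRAM_NAME == __FILE__
  bob = User.new(2, :tenant_b, [:vm_operator])
  puts start_vm_unscoped(bob, "101")   # acts on tenant_a's VM: the defect
  begin
    start_vm_scoped(bob, "101")
  rescue NotAuthorized => e
    puts "scoped lookup refused: #{e.message}"
  end
end
```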