=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: CFME 5.6.3 security, bug fix, and enhancement update
Advisory ID:       RHSA-2016:2839-01
Product:           Red Hat CloudForms
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2016-2839.html
Issue date:        2016-11-30
Cross references:  RHSA-2016:25227
CVE Names:         CVE-2016-5402
=====================================================================

1. Summary:

An update is now available for Red Hat CloudForms 4.1.

Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Relevant releases/architectures:

CloudForms Management Engine 5.6 - x86_64

3. Description:

Red Hat CloudForms Management Engine delivers the insight, control, and
automation needed to address the challenges of managing virtual
environments. CloudForms Management Engine is built on Ruby on Rails, a
model-view-controller (MVC) framework for web application development.
Action Pack implements the controller and the view components.

Security Fix(es):

* A code injection flaw was found in the way capacity and utilization
imported control files are processed. A remote, authenticated attacker with
access to the capacity and utilization feature could use this flaw to
execute arbitrary code as the user CFME runs as. (CVE-2016-5402)

This issue was discovered by Simon Lukasik (Red Hat).

Additional Changes:

This update also fixes various bugs and adds several enhancements. Notable
changes include:

Changes to the Automate component:

* This release of CloudForms allows provisioning of a virtual machine
without specifying a host but validating a cluster. CloudForms now validates
whether either a host or a cluster is selected when provisioning on VMware.
(BZ#1378116)

Changes to the Providers component:

* In the previous version of CloudForms, when attempting to open a VNC
console to an instance, CloudForms failed to connect because the instance
did not exist for that tenant - it attempted to use the wrong tenant. This
update specifies the tenant when opening a VNC console, which has resolved
the issue. CloudForms is now able to connect successfully without an error.
(BZ#1370207)

Changes to the Provisioning component:

* In the previous version of CloudForms, cloning a VMware template failed
when the target datacenter was nested below multiple folders. This was
because, if the datacenter was nested logically under various folders, users
were unable to find the placement ID during an autoplacement VMware
provision request. This fix always looks up the folder path from the host
datacenter instead of statically setting a possibly wrong default value,
which has resolved the issue. (BZ#1361174)

Changes to the Replication component:

* In the previous version of CloudForms, subscription validation failed for
replication subscriptions which were successfully saved. This was because
the validation was done directly by the UI, which did not have access to
passwords of currently saved subscriptions. The validation would pass when
the user entered the password when initially saving the subscription, but
failed once the subscription needed to be retrieved from the database. This
update has fixed the failing validation on saved replication subscriptions.
(BZ#1378554)

Changes to the vulnerability component:

* A code injection flaw was found in the way capacity and utilization
imported control files are processed. A remote, authenticated attacker with
access to the capacity and utilization feature could use this flaw to
execute arbitrary code as the user CFME runs as. (BZ#1357559)

* In the previous version of CloudForms, when trying to save filters in
Subnets/Routers/Security groups/Floating IPs/Network ports, an exception
appeared. This was caused by missing routes for network resources. This
update adds the missing routes for network resources and the issue has now
been resolved. (BZ#1370573)

* In the previous version of CloudForms, My Filters in datastores was
unclickable and no filters were shown under it. This update enabled My
Filters in datastores and the issue is now resolved. (BZ#1379727)

4. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1346967 - unable to bring VM out of retirement from details page
1346969 - when a user in a child tenant executes create_provision_request the miq_request has the wrong tenant id
1347002 - No flash message displayed for terminate stack instance when navigated through stack summary page
1349413 - The chargeback report gives wrong information
1357559 - CVE-2016-5402 cfme: RCE via Capacity & Utilization feature
1358324 - Error while configure CFME to use IPA
1361174 - VMware-Cloning a template fails when the target datacenter is nested below multiple folders
1362632 - After changing the locale to Japanese or Chinese, title is displayed as "ManageIQ" instead of CFME
1368162 - [Ansible Tower] No flash message when provided bad credentials
1368172 - [Ansible Tower] Sorting in Configured systems table breaks "All Ansible Tower Providers"
1370207 - Cloudforms attempts to connect to the wrong tenant to reach an instance
1370570 - C&U - WEB UI crashes when moving from calendar to daily/hourly selection
1370573 - When trying to save filters in Subnets/Routers/Security groups/Floating IPs/Network ports exception appears
1370576 - Provider summary page has an additional authentication when editing Provider details.
1372768 - UX: Error message too vague when creating new automate domain / namespace / object
1375206 - VirtualDelegate: Fix foreign key for belongs_to
1376145 - default placement folder name in vmware varies depending on localization
1376514 - Advanced search tag type expression missing main object tags in drop down for newer objects
1376516 - EC2 instances IP Addresses are not shown in summary when instance is not in VPC
1376519 - Tag Control fields not working in Self-Service UI
1376521 - Configuration Management icons are barely visible
1376525 - Requested value is always shown as zero in quota exceed messages.
1376526 - EC2 provisioning instance in VPC with EIP error
1377417 - [RFE] OpenSCAP results --> Severity should be differentiated with adequate colors
1377418 - db:migrate failure during upgrade from 3.2 to 4.1
1378116 - [RFE] Cluster selection when deploying a vm on VMWare
1378173 - Copied user doesn't inherit password, but in UI it looks like it did
1378554 - Validation fails for previously saved replication subscriptions
1379692 - Multi-tenancy - not user friendly name of tenant in
1379693 - Nilclass for servicetemplateprovisionrequest_pending method
1379694 - C&U memory graphs are missing for Azure instances
1379697 - Can't retire amazon instance
1379727 - My Filters in datastores are not shown
1379728 - Upgrade to 4.1 fails to start due to widget errors
1380107 - provider fails to validate with IPv6 interface
1380170 - self-service UI allows duplicate items in cart
1381624 - Instance provisioning failure ''The requested availability zone is not available''
1382072 - .missing is missing for Azure events, causing ERROR in the logs
1382074 - Useless scrollbar under left submenu panel after selecting submenu
1382164 - Incorrect hover text for Edit tags button
1382406 - Cannot cancel clone via policy with cancel vcenter task
1382408 - Receiving Azure::Armrest::ApiException during a provider refresh after successfully adding the provider
1382753 - No longer select 'Discovered virtual machine' as a default folder
1382819 - Error When Trying to Create Service Dialog from Heat Orchestration Template
1382826 - Downloaded text report does not contain Instance details
1382834 - Global filters are sometimes saved as regular filters
1382835 - Azure Orchestration template no longer defaults to Default.
1382836 - Cloud Providers authentication not re-validated after save
1382837 - Reordering tenant Automate domains breaks root domain ordering
1382846 - Filters in My Filters set as default filter are missing label (Default)
1382847 - Compliance history is broken for a VM
1383368 - Error IPMI is not available on this Host
1383466 - Update download_template to use RestClient instead of open-uri for Azure
1383469 - Improve performance by skipping asset pipeline resolution for Service nodes
1383470 - Allow the root folder to be the default location for auto placement VMWare provisioning
1383497 - Optimize memory usage by making object in hash reference small
1385156 - Need to translate Compute -> Infra -> Datastores -> [A Datastore] -> Files -> [A file]
1385173 - Key Pairs: wrong quadicon displayed
1386792 - Alerts don't send SNMP traps
1386793 - Button edit dialog title is incorrect
1386794 - There is no "Trap Number" string in the alert details screen
1386797 - Can not generate txt/pdf drift report of SSA
1388984 - Inventory Refresh failing for Container Provider.
1389025 - Traceback during evaluation of alert when duration is not set
1389760 - [RFE] events are not available through the vm object
1389790 - Cannot add or copy alerts
1390697 - Auto-tagging from same label in 2 providers breaks refresh
1390698 - Auto-tagging from name=value and name=VALUE labels breaks refresh
1390724 - External Authentication configuration fails after setting hostname in appliance console
1391710 - Cloud instance does not have relation to service
1391721 - OpenStack identity.authenticate should be filtered by CloudForms
1391764 - ServiceTemplateProvisionTask not honoring provider zone
1391980 - Auto-tagging tag categories can't be used in reports
1392561 - 'Update External Authentication Options' option not available in cfme
1392964 - Some predefined alerts send emails to incorrect recipient
1393061 - Background & custom logo image not showing in http service after upgrading to cfme-5.6.2.1
1395305 - [RFE] Containers should have "My filters" and advanced search same way as other providers
1396665 - VM chargeback cost computed as if VM were used for 24 hours, even though it was used for < 24 hours
1397093 - Cannot Log in with username and "password+OTP TOKEN"
1397095 - ext_auth ipa user group retrieval failed with no error message, even after UI spinner takes long time.
1397516 - when ext_auth configured with ldaps through sssd, groups retrieved as "groupname@domain.com"
1399285 - Changes to class attribute default value are discarded

6. Package List:

CloudForms Management Engine 5.6:

Source:
cfme-5.6.3.3-1.el7cf.src.rpm
cfme-appliance-5.6.3.3-1.el7cf.src.rpm
cfme-gemset-5.6.3.3-1.el7cf.src.rpm
freeipmi-1.5.1-2.el7cf.src.rpm

x86_64:
cfme-5.6.3.3-1.el7cf.x86_64.rpm
cfme-appliance-5.6.3.3-1.el7cf.x86_64.rpm
cfme-appliance-debuginfo-5.6.3.3-1.el7cf.x86_64.rpm
cfme-debuginfo-5.6.3.3-1.el7cf.x86_64.rpm
cfme-gemset-5.6.3.3-1.el7cf.x86_64.rpm
freeipmi-1.5.1-2.el7cf.x86_64.rpm
freeipmi-bmc-watchdog-1.5.1-2.el7cf.x86_64.rpm
freeipmi-debuginfo-1.5.1-2.el7cf.x86_64.rpm
freeipmi-devel-1.5.1-2.el7cf.x86_64.rpm
freeipmi-ipmidetectd-1.5.1-2.el7cf.x86_64.rpm
freeipmi-ipmiseld-1.5.1-2.el7cf.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2016-5402
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is .
More contact details at https://access.redhat.com/security/team/contact/

Copyright 2016 Red Hat, Inc.

--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce
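To check whether an appliance already carries the fixed packages from the list above, the following added example (not part of the advisory or of Red Hat's tooling) compares installed name-version-release strings against the fixed versions using a simplified RPM-style version comparison. The `rpm -qa` output it reads is constructed inline; on a real appliance you would feed it the actual output.

```python
import re

# Fixed "version-release" per package from the x86_64 list in RHSA-2016:2839
# (debuginfo/devel/subpackages share the same version-release as their parent).
FIXED = {
    "cfme": "5.6.3.3-1.el7cf",
    "cfme-appliance": "5.6.3.3-1.el7cf",
    "cfme-gemset": "5.6.3.3-1.el7cf",
    "freeipmi": "1.5.1-2.el7cf",
}

# Split a version string into numeric and alphabetic segments ("5.6.3.3" -> ["5","6","3","3"],
# "1.el7cf" -> ["1","el","7","cf"]); separators are ignored, as rpmvercmp does.
_SEG = re.compile(r"\d+|[a-zA-Z]+")


def rpmvercmp(a: str, b: str) -> int:
    """Simplified rpmvercmp (no tilde/caret handling): -1, 0 or 1 like the C original."""
    sa, sb = _SEG.findall(a), _SEG.findall(b)
    for x, y in zip(sa, sb):
        if x == y:
            continue
        xd, yd = x.isdigit(), y.isdigit()
        if xd and yd:  # numeric segments compare as integers, so 10 > 9
            return (int(x) > int(y)) - (int(x) < int(y))
        if xd != yd:   # a numeric segment sorts after an alphabetic one
            return 1 if xd else -1
        return (x > y) - (x < y)
    return (len(sa) > len(sb)) - (len(sa) < len(sb))


def compare_vr(vr_a: str, vr_b: str) -> int:
    """Compare two 'version-release' strings: version first, then release."""
    va, ra = vr_a.split("-", 1)
    vb, rb = vr_b.split("-", 1)
    return rpmvercmp(va, vb) or rpmvercmp(ra, rb)


def is_fixed(nvr: str):
    """True/False if the package is covered by the advisory, None if it is not."""
    name, ver, rel = nvr.rsplit("-", 2)
    fixed = FIXED.get(name)
    if fixed is None:
        return None
    return compare_vr(f"{ver}-{rel}", fixed) >= 0


def audit(rpm_qa_output: str) -> list:
    """Return the 'rpm -qa' lines (name-version-release.arch) still below the fixed version."""
    vulnerable = []
    for line in rpm_qa_output.split():
        nvr = line.rsplit(".", 1)[0]          # drop the trailing ".x86_64"
        if is_fixed(nvr) is False:
            vulnerable.append(line)
    return vulnerable


# Constructed sample of `rpm -qa` output: one package still at a pre-fix version.
SAMPLE_RPM_QA = """
cfme-5.6.2.1-1.el7cf.x86_64
cfme-appliance-5.6.3.3-1.el7cf.x86_64
cfme-gemset-5.6.3.3-1.el7cf.x86_64
freeipmi-1.5.1-2.el7cf.x86_64
example-pkg-1.0-1.el7.x86_64
"""
```

Pair this with `rpm -K` on the downloaded RPMs so the signature check the advisory points to is also part of the verification.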