-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: CFME 5.7.1 bug fixes and enhancement update
Advisory ID:       RHSA-2017:0320-01
Product:           Red Hat CloudForms
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2017-0320.html
Issue date:        2017-02-27
Cross references:  RHBA-2016:24540
CVE Names:         CVE-2017-2632
=====================================================================

1. Summary:

Updated cfme packages that fix bugs and add various enhancements are now
available for Red Hat CloudForms 4.2.

2. Relevant releases/architectures:

CloudForms Management Engine 5.7 - x86_64

3. Description:

Red Hat CloudForms Management Engine delivers the insight, control, and
automation needed to address the challenges of managing virtual
environments. CloudForms Management Engine is built on Ruby on Rails, a
model-view controller (MVC) framework for web application development.
Action Pack implements the controller and the view components.

This update fixes various bugs and adds several enhancements.
Documentation for these changes is available in the Release Notes linked
to in the References section.

Security Fix(es):

* A logic error in valid_role() in CloudForms role validation could allow
a tenant administrator to create groups with a higher privilege level than
the tenant administrator should have. This would allow an attacker with
tenant administration access to elevate privileges. (CVE-2017-2632)

This issue was discovered by Matouš Mojžíš (Red Hat).

All CFME users are advised to upgrade to these updated packages, which
correct these issues and add these enhancements.

4. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258
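The privilege ceiling the security fix describes, as an added illustration in Ruby (the language CloudForms is built on): this is hypothetical code, not CloudForms' valid_role() or its models, and the roles, tenants and the administrator "alice" are constructed sample data. It shows the two conditions a group-creation check has to enforce, that the requested role grants no more than the acting administrator's own role and that the target tenant lies within the administrator's tenant subtree.

```ruby
require 'set'

# Hypothetical model of the invariant behind CVE-2017-2632 (not CloudForms code):
# a tenant administrator may only hand out roles no broader than their own, and
# only within their own tenant subtree.
Role   = Struct.new(:name, :features)   # features: Set of feature identifiers
Tenant = Struct.new(:name, :parent)
Group  = Struct.new(:name, :role, :tenant)
Admin  = Struct.new(:name, :role, :tenant)

class PrivilegeEscalationError < StandardError; end

# True when `tenant` is `root` itself or lies anywhere beneath it.
def within_tenant_tree?(tenant, root)
  t = tenant
  while t
    return true if t.equal?(root)
    t = t.parent
  end
  false
end

# Weak shape of the check: only asks whether the role exists, so a tenant
# administrator can request any role in the system.
def valid_role_unchecked?(_admin, role, known_roles)
  known_roles.include?(role)
end

# Hardened shape: the requested role's features must be a subset of the acting
# administrator's features, and the target tenant must be the administrator's
# own tenant or one of its descendants.
def valid_role?(admin, role, tenant)
  role.features.subset?(admin.role.features) &&
    within_tenant_tree?(tenant, admin.tenant)
end

def create_group(admin, name, role, tenant)
  unless valid_role?(admin, role, tenant)
    raise PrivilegeEscalationError,
          "#{admin.name} may not create '#{name}' with #{role.name} in #{tenant.name}"
  end
  Group.new(name, role, tenant)
end

# Constructed sample data (hypothetical, not taken from the advisory).
SUPER_ADMIN  = Role.new('super_admin',  Set['everything', 'tenant_admin', 'vm_view'])
TENANT_ADMIN = Role.new('tenant_admin', Set['tenant_admin', 'vm_view'])
VM_VIEWER    = Role.new('vm_viewer',    Set['vm_view'])

ROOT_TENANT  = Tenant.new('root', nil)
TENANT_A     = Tenant.new('tenant_a', ROOT_TENANT)
TENANT_A_SUB = Tenant.new('tenant_a_sub', TENANT_A)
TENANT_B     = Tenant.new('tenant_b', ROOT_TENANT)
ALICE        = Admin.new('alice', TENANT_ADMIN, TENANT_A)

if __FILE__ == $PROGRAM_NAME
  p create_group(ALICE, 'viewers', VM_VIEWER, TENANT_A_SUB)
  [[SUPER_ADMIN, TENANT_A], [VM_VIEWER, TENANT_B]].each do |role, tenant|
    begin
      create_group(ALICE, 'escalated', role, tenant)
    rescue PrivilegeEscalationError => e
      puts "blocked: #{e.message}"
    end
  end
end
```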
5. Bugs fixed (https://bugzilla.redhat.com/):

1382768 - My Filters in datastores are not shown
1390729 - [Azure] - No LB icon/button in Network topology
1390731 - clicking on Unassigned Profiles Group from satellite provider
1391748 - [ja_JP] Translations are missing in 'Compute'-'Infrastructure' menu and its sub menu pages
1391750 - [ja_JP] Translation issues observed on cloud intelligence->Reports->reports page.
1391757 - [ALL LANG] Not fully localized on Clouds -> Providers page.
1394331 - Compare,Drift views missing in VM and drift comparison pages
1394339 - Missing "Items per Page" in Paginator with 5:4 or 4:3 screen ratio resolution
1394341 - Updating the default GTL view settings does not work for cloud key pair page
1394844 - Unexpected error when clicked on edit cloud provider after deleting cloud provider
1395304 - [RFE] Containers should have "My filters" and advanced search same way as other providers
1395839 - UX: Hovered redhat insights menu item text interferes to its arrow
1395840 - Service dialog editor drop down list Refresh problem
1395857 - OCP nodes showing as "not ready" in topology view but as "Ready" in Container Node view
1395898 - UI: 'Lifecycle' button is still alive, when no providers
1396222 - Middleware - Missing Alt on Add Datasource form buttons
1396238 - Middleware Provider - Timelines: JS Error and endless load
1396239 - Middleware - Support of MariaDB Datasource type
1396240 - Orchestration template : Unable to add Vapp Template
1396241 - [beta1] vm console icon not rendering correctly
1396243 - Spinning UI activity overlay stuck/infinite when using advanced search
1396575 - [ALL LANG] Middleware - Servers - Datasource - C&U screen has untranslated entries
1396576 - Some of the Power Operation strings are not getting extracted in the i18n gettext catalog for SUI
1396577 - when I scroll tables in provisioning dialog, table header is scrolled along with table contents
1396580 - Vmware Storage Profile is not shown in Provisioning Request
1397151 - [RFE] Unknown operating system for AWS instances
1397154 - tooltips for group of events in timelines don't look good
1397157 - date picker control appears under navigation bar in timelines view
1397158 - sometimes event text appears partially beyond the tooltip's bounds
1397159 - timelines control displaying current cursor position on timescale is annoying and unusable
1397248 - pods are named 'container groups' in the policy explorer right cell
1397416 - UI: Hover text is required for Help "(?)"
1397509 - many vm create/remove/stop/start Azure events are absent in timelines though present in DB
1397532 - [ja_JP] Need to change the strings on storage manager ->Monitoring -> Timelines -> Options for "Management Events" and "Policy Events"
1397874 - [ALL LANG] Compute-Container-Container nodes has untranslated entries
1399207 - vm.create_snapshot fails for rhev vm with undefined method `create_snapshot'
1399208 - [Multi-tenancy] - RFE - Disable renaming of Tenants created by tenant mapping
1399209 - Text does not appear when hovering over VMs & instances
1399211 - Infrastructure Topology legend buttons inaccuracy
1399214 - Cloud provider list view has bad region value
1399216 - giving access to view the quota of a tenant but not listing still allows a user to list all tenants
1399221 - [RFE] NFS41 storage type not supported for SmartState Analysis
1399669 - "Starting Date" in scheduled report is always next day; cannot be set to another day
1399677 - [RFE] Add settings key to disable console proxy
1399679 - [RFE] Launch an URL returned by an automate button
1400202 - [ALL LANG] Compute - Clouds - Instances - Instances by Provider has missing translations
1400204 - Filter out events from Azure Classic providers
1400212 - [Beta 1] lack of consistency in Custom Logo UI.. Check box and Yes/No Slide
1400303 - SSUI: My Request submenu needs translation when language is selected
1400616 - Power ops showing as available for an Archived vm.
1400704 - Documentation via SSUI opens up in the same SSUI window instead of a new tab/window
1401017 - Cloud Intel->Timelines->Events->Policy timelines(reports) have a really inobvious names
1401018 - VM reconfigure: submit is disabled, when memory new value is set after add disk
1401030 - [Amazon EC2][SDN] - Network provider not refreshed weirdness with tenancy
1401044 - Back, reload and configuration toolbar buttons are misplaced on Pxe page
1401103 - Unable to set retirement date for Stacks
1401935 - Heartbeat failure for workers is not reported as ERROR log line but INFO log line
1401956 - Sort providers table crash
1401957 - Unable to perform any actions on cloud objects from list view when navigated to cloud tenants
1402118 - appliance_console is unable to set time-zone for america/argentina "Failed to apply timezone configuration"
1402138 - [RFE] Default database name when setting up global replication subscriptions
1402139 - Automate Customization: When editing automate button, it doesn't remember previously saved button image and display field values.
1402162 - Subnet form needs to allow ipv4/ipv6 selection during create, and lock ipv4/ipv6 and CIRD during edit
1402524 - UI: Configuration -> Access Control - On User/Group/Role summary screens text is no longer a link
1402526 - Alert profiles assignments have container providers under cloud/infrastructure providers
1402527 - [Networks Topology] - LB Tags not shown in Topology
1402528 - Azure : Instance name restriction should be shown in UI when creating a catalog item for Azure
1402529 - No option to see next page in "services-->requests"
1403011 - C&U Configuration Screen does not display anything
1403019 - Azure instance disks not deleted
1403981 - Create snapshot has memory checkbox, even though VM is Down.
1403983 - After performing an upgrade, no role workers start on new appliances
1404316 - RHEV VM Reconfigure: Hot plug CPU & memory together, pass on CFME, though memory hot plug fail on 256 multiply
1404365 - Order Service drop-down for "App Name" no longer allows for search filter
1404427 - "audit log" is logged with "new_value" instead of actual data when new user is created.
1404431 - provisioning instance fail: FATAL -- : Error caught: [NoMethodError] undefined method `[]' for nil:NilClass
1404447 - Empty lists in Chrome
1404454 - VMware Auto Placement issue with insufficient space on Datastore
1404526 - Folder relationship change causing a re-classify of all children VMs
1404669 - Tenant cannot import datastore without datastore being locked
1404746 - Retirement state machine does not handle Ansible Tower services when part of a bundle
1404825 - Unable to trigger a smartstate scan from the clouds Instances view unlike infra vm view
1404827 - [RFE] CloudForms 4.1 unable to add Azure Gov Cloud Provider
1405193 - Unable to specify disk size in IE11 when adding additional disk
1405197 - When exporting reports into PDF only half of the data is displayed
1405200 - Can't create an alert
1405201 - VMs & Templates links point to Host & Clusters in the relationship accordion
1405640 - Subnet CRUD actions do not use task queue
1405641 - Network CRUD actions do not use task queue
1406160 - Floating IP/Security Group actions missing corresponding events
1406161 - Floating IP/Security Group Create Task Queues have reversed method names
1406163 - Unable to delete the subnets for azure,ec2 and gce providers
1406167 - Timelines not displayed on the Configuration->Diagnostics page
1406434 - Default validation for data type is not properly set when adding a new TextBox field
1406798 - event info tooltip appears only for first clicked event in timelines
1408278 - Add Access button group to Cloud Instance and move the HTML5 icon to it
1410516 - Impossible to login in SSUI due to ERROR on SSUI Dashboard
1410535 - Chargeback per time is limited to hourly
1410587 - [ALL LANG] Services - Workloads - Provision has untranslated tab names and labels
1410588 - Floating IP CRUD UI Missing
1410791 - "Selected Day Percent Utilization" graph is absent
1410817 - Remove 'execute method' checkbox from Automation Schedule UI
1410818 - Filter out all the host controllers (except the domain ctrl) when 'counting' how many domains there are
1410819 - Fixed associations for network_port and openstack network_port service models
1410828 - [RFE] Find Azure orchestration stack failure from its operations
1410831 - Wrong label in c3 chart click menu
1410844 - [RFE] Include log output in automation.log
1410845 - Can't remove retirement date
1410846 - We might not be purging all tables that we should be
1410851 - Expose custom_attribute methods to ext_management_system service model
1410927 - Retire Service screens returns to Request page rather than staying on the My Services page
1411350 - Middleware provider reports the incorrect name of the domain
1411351 - Make container node web console button match vm's
1411353 - some of timelines controls have wrong text style
1411357 - Setting relationship data for generic objects in automate does not work
1411358 - UI : Pinning the service menu shows "Red Hat Insights" menu
1411359 - launch_ansible_job doesn't support multiple Ansible Tower providers in CloudForms
1411362 - URLs might not be generated properly due to string conversion issue
1411364 - [RFE] Support container/infra/cloud provider policies in the UI
1411368 - Tag Visibility - Container builds should honor tag visibility
1411369 - [RFE] CAPABILITY_IAM error after IAM role assignment with amazon cloudFormation template
1411370 - Unexpected Error when attempting to run Compliance of Last Known Configuration
1411372 - [Ansible Tower] - Search bar missing when navigated to Config manager e.g. from Compute
1411373 - Service : Click on stack from service Page shows "Invalid Input"
1411433 - Cloud Instances List View Table missing cells/improper rendering
1411459 - Display parent tenant only when it is allowed by RBAC
1411461 - TimeLine accordion broken on Storage Managers summary page
1411463 - [Beta 1] OpenStack Cloud Topology View: Icons are different in the selection and the main body for Availability Zones:
1411466 - Allow adding custom attributes with sections
1411471 - [Beta 1] When graph is close to border, menu is not visible
1411473 - Expose miq_groups to Automate
1411478 - Metrics Collector Workers memory threshold displayed as 200MiB in the Web UI, however they exit at 500MiB threshold
1411507 - [RFE] better traceback for Ansible Tower API errors
1411509 - Can't save retirement date without notification
1411511 - Notifications - subject may not have tenant.
1411514 - "Show detailed events" checkbox of Timelines view removes main events from the timelines
1411516 - [negative] Deleting subnet connected to instance raise 'Unexpected error encountered '
1411517 - can't add cloud provider with the same name again
1411518 - Service catalog Item entry point dialog text is overcomplicated
1411519 - [RFE] Security Groups missing CRUD UI
1411791 - VM details cluster field vanish, after update VM to another cluster.
1411793 - Typo on Middleware JMS Topic chart(Messages) and legends are in mix of plural or singular form
1411797 - Throws an Unexpected error while comparing clusters
1411878 - appliance_console crash when running Logfile Configuration without setting up database first
1411880 - VM's owner can't access VMs if "Username" field contains uppercase letters
1411881 - policy events appear w/o information which entity those belong to in Timelines
1411882 - undefined method `[]' for nil:NilClass [dashboard/tl_generate] while accessing Cloud Intelligence->Timelines page
1411885 - Incorrect zoom out icon on C&U graphs
1411941 - [RFE] Chargebacks for SCVMM
1411973 - In the tree view subcategories should not be opened, because there is so big list then
1411975 - Missing flash message after Middleware "Add Datasource" operation and wizard not reset
1411982 - UI: Add new Cloud Volume must be disabled when there is no cloud provider present.
1412206 - Selecting a Group Causes UI to Spin Indefinitely
1412221 - Discrepancy in costs reported between daily and monthly Chargeback reports
1412279 - Database replication is failing for LVDC
1412280 - Manipulation of custom_custom attributes on provider class Provider fails
1412283 - Chargeback rates should also be available for "daily"
1412284 - VM console button superfluously warns it may fail
1412285 - $websocket_log level is not configurable
1412286 - 'Show Full screen report' option missing in Configuration button on Saved Reports page
1412287 - Relax email validation constraints
1412288 - Generate notification for VM Provisioning error in automate
1412289 - Generate notification for Service Provisioning error in automate
1412290 - Attach/detach for Cloud Volume fails with "unknown method get_checked_volume_id" error
1412291 - Namespace: Name uniqueness validation is not case-insensitive, like other Automate objects.
1412293 - SSUI: Hand pointer on service icon
1412312 - Refresh failed when adding an OSE provider
1412314 - Filters are sometimes saved with different name
1412315 - When saving filter sometimes errs Name has been taken even when there was no filter with same name
1412316 - Saving filter errs Search Name is required even when value is filled in
1412383 - [RFE] Add performance based reports for OSE/OCP providers
1412396 - Host Summary for VMs report failing
1412682 - Issue with fog-openstack 'update_quota.rb'
1412738 - Use proper name of column in tooltip in charts
1412740 - Add validation message for chart with values
1412825 - [RFE] google provider connection using http_proxy configured in CloudForms
1413086 - Incorrect tooltip message displayed on region diagnostics configuration button
1413103 - Service dialogs items(tabs/boxes/elements) can be saved even when it doesn't fulfill requirements
1413113 - Error in my settings after timeout
1413119 - Removing actions from VM Compliance Check event removes the event from the compliance policy
1413123 - Tenant admin can create a super admin
1413154 - Clarify the "dedicated database instance" prompt in the console
1413167 - Wrong zone set for appliances in global region
1413205 - In Dashboard view for infrastructure, Recent hosts and Recent VMs are not filtered by provider
1413207 - Error in changing the RSA Key of an OpenStack Director provider
1413210 - SSH RSA key validation fails with error for OpenStack Infra Provider
1413212 - [RFE] Routers do not allow you to add/remove interfaces
1413621 - Check compliance of last known configuration crash
1413677 - Network Router provisioning must call and use raw create method
1413695 - [beta1] Openstack attach volume should only list available volumes in the drop down
1413769 - The counter ae_state_retries is not incremented if $evm.root['ae_result'] = 'retry' is set in a state machine on_exit method
1414012 - Provider under catalog item visible for a user who don't to have a permission for viewing a provider
1414013 - [RFE] - Expose mechanism in AUTOMATE allowing coder to indicate that the automate retry should be targeted to the same machine initiating the retry
1414014 - A tag control element in a dialog called from a button is not passed to the button method
1414015 - "abandon changes" dialog appears on attempt to open another location via menu from timelines page
1414550 - "Delete" was removed from Power Action in VM Details Menu
1414583 - SSUI lets you save a retirement date from the past
1414848 - The chargeback report gives wrong information
1414870 - Created filters in Virtual Machines are not displayed in the tree until the page is refreshed
1414872 - Adding filter in Datastore Clusters results in missing tree view
1414876 - Created filters in datastores are not displayed until the page is refreshed
1414882 - podfying cfme: please add "less" command to initial application deployment
1414884 - net-tools RPM not available on CFME containers (podified or monolithic)
1414885 - OpenStack VM Console returns with an argument error
1414886 - Central Admin - Impossible to distinguish Customize Templates
1414887 - Suspending role in diagnostics Error caught: [ActiveRecord::RecordNotFound] Couldn't find MiqServer with 'id'=0
1414888 - No flash message when importing custom report
1414889 - Broken string in Title
1414891 - Containers SmartState analysis not working for images from unknown image registry,
1415217 - Tenant admin can create groups for other tenants
1415247 - Target refresh of VM does not update host
1415248 - Missing memory unit on Cluster Utilization graphs on provider dashboard view
1415332 - A critical section read of the worker's heartbeat information was not protected with a mutex
1415333 - Ec2 events are not associated to vms
1415754 - SSUI: Unable to save a blank retirement date to remove previously saved retirement date
1415755 - podfying cfme: clean-up evm.log in the cfme pod
1415756 - [Azure LB] - broken table in List view
1416001 - [FloatDomainError]: Infinity Method in Chargebacks for SCVMM
1416077 - Live migration to different cluster doesn't work for RHV
1416093 - Same value gets repeated multiple times on Y-axis of C&U graphs
1416821 - VHD image for AWS mounts database drive as /mnt
1416826 - VMware EMS Refresh fails with "block (2 levels) in getMoPropMulti' error
1417197 - New fields (e.g. tags, custom attributes) do not appear in Report Editor
1417974 - refresh of OCP 3.2 crashes with permission error in recovery
1418400 - Impossible to assign an alert profile
1418749 - authentication_key exposure missing from EMS service model in 4.2GA
1418846 - Discrepancy in resource usage reported between daily, weekly, monthly Chargeback reports
1419186 - [Regression]Error generating Chargeback reports
1419680 - Container Provider: Image Registries are not collected from Images originating from Openshift
1419738 - SSUI: Clicking on the 'Total Requests' link on SSUI Dashboard doesn't take you to the Requests page
1420555 - Service dialog dropdown differs from what is processed by service request
1420888 - [RHV] VM provision->Environment-> host list decreases, after 1 or more Vm provision
1420916 - Refresh of infrastructure provider fails with bad request with OSP director as provider
1420917 - Refresh of OSP10 OpenStack/Director undercloud failing
1422178 - Adding disk to a VM in RHV provider, via VM reconfigure, does not activate it
1422241 - Utilization data for OSP cloud instances does not show up
1423031 - VMware : Failure in snapshot revert
1423033 - Timeline's minus button is corrupted in IE11
1424260 - BootstrapTreeview loses the focus after creating or deleting Container Policies
1424275 - UI: "Check Box" label is not aligned properly.
1424977 - CVE-2017-2632 cfme: tenant administrator can create a group with higher permissions

6. Package List:

CloudForms Management Engine 5.7:

Source:
cfme-5.7.1.3-1.el7cf.src.rpm
cfme-appliance-5.7.1.3-1.el7cf.src.rpm
cfme-gemset-5.7.1.3-1.el7cf.src.rpm

x86_64:
cfme-5.7.1.3-1.el7cf.x86_64.rpm
cfme-appliance-5.7.1.3-1.el7cf.x86_64.rpm
cfme-appliance-debuginfo-5.7.1.3-1.el7cf.x86_64.rpm
cfme-debuginfo-5.7.1.3-1.el7cf.x86_64.rpm
cfme-gemset-5.7.1.3-1.el7cf.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2017-2632
https://access.redhat.com/security/updates/classification/#moderate

8. Contact:

The Red Hat security contact is . More contact details at
https://access.redhat.com/security/team/contact/

Copyright 2017 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iD8DBQFYtVPNXlSAg2UNWIIRAsC1AJ4qOzb02NT6K1ppidwPPVEzcAb1FwCfeAHs
BxnwwMOjeC6xMMIWq0uFB0E=
=1k/n
-----END PGP SIGNATURE-----

--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce