-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: Red Hat CloudForms security, bug fix, and enhancement update
Advisory ID:       RHSA-2017:1758-01
Product:           Red Hat CloudForms
Advisory URL:      https://access.redhat.com/errata/RHSA-2017:1758
Issue date:        2017-08-02
Cross references:  RHSA-2017:1367
CVE Names:         CVE-2016-7047 CVE-2017-2664 CVE-2017-7497 CVE-2017-7530
=====================================================================

1. Summary:

An update is now available for CloudForms Management Engine 5.8.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

2. Relevant releases/architectures:

CloudForms Management Engine 5.8 - noarch, x86_64

3. Description:

Ansible is a simple model-driven configuration management, multi-node deployment, and remote-task execution system. Ansible works over SSH and does not require any software or daemons to be installed on remote nodes. Extension modules can be written in any language and are transferred to managed machines automatically.

Red Hat CloudForms Management Engine delivers the insight, control, and automation needed to address the challenges of managing virtual environments. CloudForms Management Engine is built on Ruby on Rails, a model-view-controller (MVC) framework for web application development. Action Pack implements the controller and the view components.

The following packages have been upgraded to a later upstream version: ansible (2.3.0.0), ansible-tower (3.1.3), cfme (5.8.1.5), cfme-appliance (5.8.1.5), cfme-gemset (5.8.1.5), rh-ruby23-rubygem-nokogiri (1.7.2).
(BZ#1456017, BZ#1459318)

Security Fix(es):

* CloudForms lacks RBAC controls on certain methods in the Rails application portion of CloudForms. An attacker with access could use a variety of methods within the Rails application portion of CloudForms to escalate privileges. (CVE-2017-2664)

* It was found that a privilege check is missing when filtering on VMs: the filter parameter can make MiqExpression invoke arbitrary methods, and this is triggerable by API users. An attacker could use this to execute actions they should not be allowed to (e.g. destroying VMs). (CVE-2017-7530)

* The dialog for creating cloud volumes (cinder provider) in CloudForms does not filter cloud tenants by user. An attacker with the ability to create storage volumes could use this to create storage volumes for any other tenant. (CVE-2017-7497)

* A flaw was found in the CloudForms API. A user with permissions to use the MiqReportResults capability within the API could potentially view data from other tenants or groups to which they should not have access. (CVE-2016-7047)

The CVE-2017-2664 issue was discovered by Libor Pichler (Red Hat) and Martin Povolny (Red Hat); the CVE-2017-7530 issue was discovered by Tim Wade (Red Hat); the CVE-2017-7497 issue was discovered by Gellert Kis (Red Hat); and the CVE-2016-7047 issue was discovered by Simon Lukasik (Red Hat).

Additional Changes:

This update also fixes several bugs and adds various enhancements. Documentation for these changes is available from the Release Notes document linked to in the References section.

4. Solution:

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1374215 - CVE-2016-7047 cfme: API leaks any MiqReportResult
1435393 - CVE-2017-2664 CloudForms: lack of RBAC on various methods in web UI
1438562 - [RFE] External Auth - AD - samba-common-tools and deps missing from appliance.
1439309 - Not able to see orders when not enough permission to see catalogs
1441321 - Access (Cockpit and HTML5) are inconsistent between Service and OPS UI
1444505 - "Collect" button is absent on slave server log collection page
1449273 - VM Hostname not displaying when RHV has FQDN
1450082 - Failed to remove interface from router - HA env.
1450087 - Cloud Router Summary does not show subnets which connected it - HA env.
1450150 - CFME: Dialog for creating cloud volumes does not filter cloud tenants CVE-2017-7497
1450502 - [RFE] Custom Button must be supported at VM level in Service UI
1450518 - Openstack services missing on node page
1454445 - Containers with empty "imageID" field points to wrong images
1455685 - Azure provision still needs First/Last name
1456017 - [RFE] Install latest stable version of Ansible Core on the appliance.
1458333 - Containers - old archived container entities are not purged
1458337 - In my settings page at login Configuration management shouldn't be in Infrastructure
1458339 - It is impossible to identify the source process/appliance for each connection in pg_stat_activity
1458341 - reports do not distinguish between same name custom attributes with different sections
1458356 - [Ansible Embedded] - User not informed about Embedded Ansible role enablement
1458360 - Entering Ansible Repository Incorrectly does not provide feedback that creation fails
1458363 - [VMWARE]Auto_placement provision fails if best_fit host doesn't have selected VM Network
1458365 - Can not get kernel version from reports
1458374 - [Azure] - No floating IPs displayed for LBs in Network topology
1458377 - Various network object CRUD forms require better filtering
1458434 - Use $log.log_hashes to filter out sensitive data in Ansible Playbook service.
1458445 - Extra parameter in call to Job#set_status from `VmScan#call_snapshot_delete'
1458447 - GCE Boot Disk Size options should be sorted by actual size
1458448 - Remove specific EVM server from zone
1458454 - [RFE] Add legend to Graph in OpenShift Ad Hoc Metrics
1458892 - The credentials for Automate Git Repository wasn't updating the correct authentications type
1458896 - infinispinner on attempt to open Alarm/Status Change management events on Timelines page
1458899 - Deleting object store object redirects me to object store containers list
1458900 - Export button is enabled on Custom Reports page
1458919 - Action button for verifying replication subscriptions on the far right is to small
1458921 - Chargeback Report VM identification (UUID)
1458924 - Web console for AWS is trying to connect on private ip instead public one
1458925 - WEB Console defaults to the first IP Address when connecting to Cockpit with RHV VMs
1458926 - UI blows up while downloading Switch Summary as PDF
1458927 - Tag Group UI | "Save" button gets inactive after switching between tabs(Host&Cluster, My Company Tag)
1458930 - Topology View for HyperV is missing all relationships
1458934 - Container Explorer Page is not scalable
1458935 - Smart Management | Tag info is not appear on container detail page after edit
1458943 - [SDN] - no Instance details in Floating IPs table for LB IPs
1458945 - Middleware Manager Deployments Download .pdf contains duplicate .war entries
1458946 - customers unable to access CFME thru UI due to chronic unpredictable termination of httpd service
1458947 - get-inventory.ps is returning SCVMM internal temporary templates in addition to actual templates
1458951 - Host targeted refresh fails when using sdk (v4)
1459217 - [RFE] Azure managed images not discovered
1459225 - Check for blank password in database configuration to avoid postgres errors
1459227 - Benchmark timings are incorrect for all workers in evm.log
1459235 - SSA Fails in Windows workloads but not in Linux ones on OSP9
1459243 - Message 'Cannot edit VM. Physical Memory Guaranteed cannot exceed Memory Size' is logged as INFO in automation.log
1459247 - MIQ LDAP - Certain users with special attributes can't log in to services UI.
1459257 - Auth - MIQLDAP - FreeIPA - Can't switch groups in SSUI
1459258 - AWS S3 deleting object store object(folder) that has another objects in it does nothing
1459261 - vmreconfigure allows circumvention of quota and approval mechanisms
1459262 - When adding Disk with reconfiguration on vmware, after 16th Disk, a new controller is created hardcoded to Parallel Type
1459264 - [UI][RHV][VM Reconfigure] Disks section - "Delete Backing" Yes|No button stuck in the middle.
1459297 - Display notification message when search on Provider Topology page returns no records
1459306 - Retirement - log the zone when raising a retirement event.
1459318 - Azure refresh results in timeout errors
1459562 - Incorrect storage used in Chargeback reports
1459902 - Show tag info for playbook services
1459903 - No flash message after editing provider settings
1459923 - Error indicator does not display on the OpenStack New Infrastructure Provider form for the Default tab
1459928 - Raw methods exposed for Cloud Tenant instead of non-raw
1459929 - Unable to collect inventory for 40,000 container images, results in kubeclient timeout
1459940 - I can't change only volume name when editing gp2 type block storage volume(EBS)
1459944 - Tag Information Not Displayed on Catalog Items
1459959 - Calendar control on Cluster Utilization page gets clipped
1459962 - Ansible Playbook Service: Cannot update new dialog name and other UI issues
1459977 - Existing or Newly created service added to parent service via REST API or from automation is not visible in UI
1459986 - Error message displayed when adding playbook service catalog item to global region
1459989 - Service dialog is created without extra_vars
1459990 - Ansible playbook : Error when creating new dialog with existing dialog's name
1459992 - Resetting planning results in flash msg twice
1460000 - backup service fails due to: incremental=>true
1460002 - Unable to change rhevm credentials after upgrade from 5.6 to 5.8
1460004 - Parent tenant displayed in list view when allowed by RBAC
1460023 - containers: information under "Labels" is shown in reverse alphabetical order (z-a)
1460024 - Create a snapshot of this volume action is missing in Block storage volume list configuration menu
1460027 - Expose container projects and template parms in service model
1460031 - When provisioning VM, multiple emails with same content are sent
1460032 - Forbidden Error when creating a cloud network
1460033 - Pop-up with usercase occur if press "Edit" button after log collection via dropbox
1460034 - Failed to create subnet
1460036 - [VMWare][Topology] - wrong title of Clusters and Tags not displayed
1460265 - Tag Group UI | Cannot select single host, checkboxes are missing
1460293 - Custom Button: None credential is always used during Ansible Playbook Service provisioning
1460294 - Bulk assign_tags does not populate href properly
1460304 - Ansible Repository SCM Credential cannot be cleared after being set
1460307 - [RFE] Allow for deletion of group when users belong to another group
1460308 - Allow identify replicated interfaces on HA environments
1460309 - undefined method `status_ok?' for # causing post_scaledown_task to fail
1460310 - ContainerImage :registered_on field is wrong
1460316 - Custom button failing to execute
1460318 - Cloudforms causes a Token Storm on OSP10 overcloud
1460334 - RHV Host refresh fail on undefined method `detect' for nil:NilClass
1460339 - SmartState required automate server roles enabled on the worker has SmartProxy role enabled
1460348 - manageiq.api_token failing in playbook when using a multi-appliance deployment
1460349 - After killing reporting worker, report status still says Running
1460356 - Ansible Service Catalog Template Job not honoring provider zone
1460357 - Node Utilisation in Dashboard show more Nodes than avaible
1460359 - Remove policy checking for request_host_vmotion_enabled event
1460366 - Cannot suspend server role in CFME Region menu
1460372 - webadmin: template info is not shown correctly in several fields of Objects table
1460375 - Refreshing the ansible tower provider page does not load the View buttons
1460380 - Schedule Time value is reset during editing provisioning request
1460382 - Default number of topology items shouldn't be Unlimited
1460383 - HTML5 Console Title Reads as "ManageIQ HTML5 Remote Console"
1460384 - Search and advanced search is missing in Object Store Objects
1460385 - Unable to download aws volumes snapshot summary in PDF format
1460386 - When importing custom variables always "Choose the type of custom variables to be imported" appears
1460387 - Incorrect padding in Actions and Conditions selection screens
1460394 - Saved Reports getting deleted when deletes all finished reporting task from All Other Tasks page
1460396 - Failed while launching imported report based on Chargeback for Projects via REST API.
1460397 - Archived container entities are not destroyed when the provider is deleted
1460736 - ISO domain images are not displayed
1460755 - SSUI shows Manage IQ productization
1460761 - report vm and instances field 'Provision.Request : Approved By' does not apply any styling
1460776 - [RHOS] Cancelling 'Provision instance' action throws exception
1460777 - Some inconsistencies in Hosts listnav and Hosts Summary screen
1460781 - Tenants : Reset button not working in Tag Assignment page
1460791 - Unable to edit ansible repository by "Enter" pressing
1460792 - Filters not working properly in config mgmt configured systems
1460802 - Missing "data-id" attribute in Bootstrap select elements
1460803 - Embedded Ansible role does not migrate cleanly to another appliance
1460805 - failure of "Embedded Ansible " fails to install prevents that from ever installing
1460807 - Access Web Console Cockpit not compatible with Windows VMs
1460808 - service dialog saving elements when switching elements - cancel only reverts current element
1460809 - [RFE] - Add 'Verbosity' drop down on both Provisioning & Retirement tabs for Playbook Catalog Items
1461070 - The IP version (network protocol) is not displayed when editing cloud subnets
1461103 - Missing unit on VMDB Utilization page
1461142 - Impossible to graph multiple data-series in Ad-hoc Metrics if they are on different pages
1461143 - Service Retirement not working properly for Orchestration Stacks due to missing zone.
1461144 - Use of the new create_service_provision_request method is inconsistent with other create_*_request methods
1461161 - Log Collection fails via IPv6
1461165 - Cancel button remains disabled in Add interface to router page
1461169 - Valid SCVMM file share not showing up as datastore on host.
1461183 - Service catalog service dialog refresh function in cf 4.2 behaves differently from cf 4.0
1461456 - Export button for Custom Reports doesn't work
1461460 - [ALL LANG] Compute-Clouds-Tenants has missing translations for menu and table entries
1461467 - default report with timelines "Operations VMs Powered On/Off for Last Week" doesn't include instance events
1461475 - 'Restart Guest' is available on Vm without VMTools from 'On' state
1461485 - Editing Infrastructure Providers and Hosts from a list returns to details screen instead of back to list
1461513 - CloudForms 4.1 Child tenants are allowed to view other child tenants Service Requests
1461522 - Validation error: ems/core not defined while ContainerGroups in the "Pending" state
1461535 - Maintenance mode flag not being set on SCVMM hosts.
1461541 - Reports - Number of Nodes per CPU cores - Wrong Name of report
1461558 - OpenShift smartstate errors -unknown access error to pod management-infra/manageiq-img-scan-7f243: #
1461559 - Wrong RHV provider refresh error, when provider is down.
1461593 - subselection in access control role, not bubble up in tree display
1461596 - CloudForms Topology View shows Archived VMs
1461857 - provisioning from pxe fails when using ovirt sdk v4
1461860 - Add RHV provider using a bad hostname do not fail the validation in UI.
1461868 - [SDN][Tags] - Redirection to Network provider summary page page after tag is saved
1461869 - Tag Visibility | Cloud Stack: Tag is not added if stack list opened from provider detail page
1461956 - Reports - Number of Nodes per CPU cores - "Name" header
1461958 - it takes 10-20 sec to add column to new report when report is based on big fields set like Virtual Machines
1461988 - checkboxes on Control Policies->Event Assignments page aren't grouped/organized
1462287 - No spinner when waiting for Cloud Key Pair to save
1462309 - service now integrations for determining host_name return empty array
1462358 - Hourly metrics_## tables grow filling up the VMDB filesystem when real-time purges fail
1462361 - Openstack infra provider dashboard should not appear for an openstack infra provider
1462774 - VM provision via restapi fail, if the chosen data store name exist more than once in CFME.
1462779 - [Ansible Embedded] - Remove ssh keys fields from SCM credentials form
1462801 - Openshift refresh crashes due to template.objects being nil
1462844 - "" As a hawkular endpoint port passes validation, but prevents provider edit.
1462957 - [Microsoft]Reset option available from Details
1463275 - Add support for v4 of the RHV api in event monitoring
1463321 - Inconsistencies in Access Control for Automation - Ansible feature
1463381 - Replace nodejs010 with node from SCL in appliances
1463668 - Missing Memory graphs on Azure Availability zone Utilization page for daily interval
1463848 - static ipv6 primary DNS default fails
1464118 - VMRC does NOT work if CFME is accessed with IPv6 Address
1464151 - UI: Showing wrong flash message when "Check Compliance of Last Known Configuration"
1464153 - Floating IP: Cannot associate or disassociate a port
1464203 - Disk space issues when running upgrade from 5.7 to 5.8
1465448 - CVE-2017-7530 cfme: Execution of arbitrary methods through filter param
1466049 - SSUI : No Scroll bar to scroll to the bottom in service catalog page , Unable to provision service catalogs at the bottom
1466855 - Embedded ansible role fails to re-initialize after webui update
1468272 - Edit tag page doesn't work for filtered items
1468275 - [RFE] Trigger a refresh when adding/editing/deleting anything in CFME Block Storage(EBS)
1468281 - websocket connection leaks causing failed connections
1468285 - [CFME4.5]Configuring Multi-Region, Single LDAP Authentication, Synchronized RBAC/Resource.
1468292 - Navigation accordion on Cloud->Instances page fails
1468294 - SSUI : "Error loading Services" when clicked on "My Services"
1468295 - Non-admin users unable to see Catalog Items in SUI
1468296 - Display a warning for large number of objects in the Topology pages
1468336 - Unable to view Reports if a member has a custom Role - indefinite spinning wheel
1468337 - UI: infinispinner appears In the Report accordion
1468370 - Drop Down List Dialog does not keep default value for Integer type
1468376 - upgrade to CF 4.5 complains about "could not find nokogiri-1.6.8" during "rake db:migrate"
1468380 - Setting Start Page to Container/Explorer sets to URL to an invalid URL
1468700 - Azure refresh fails with private_ip_address property not found
1468703 - Azure refresh fails if provider has no orchestration stacks
1468729 - [Regression] Saved reports unavailable under Reports accordion
1469308 - Unable to select the Azure region UK South
1469560 - Collect container metrics is done until time.now instead of until end-time
1469653 - Some container resources not cleaned up after removal from Openshift - research
1469702 - performance issue in openstack collection
1470179 - the buttons of the html5 console do not work with windows vms
1470773 - [RFE] Buttons assigned to VMs should be available in Self Service UI
1470774 - in the self service portal after a little time displaying a vm, data changes to garbage data
1470800 - OSP: when validating an account with access to many projects, it checks each, and times out
1470812 - Validation Credentials fails for OSP 10 Provider with AD "domain" user
1470847 - Unexpected error encountered while switching maintabs to configuration manager provider
1471821 - Ansible tower job templates filters are not displayed
1472837 - [Regression] Error while generating Chargeback reports
1472841 - Setting static ipv6 address clears ipv4 address in appliance console.
1472842 - After setting ipv6 to dhcp its not possible to set it back to static
1473336 - Service Requests are not seen by user in Global Region
1473424 - Firewall rules prevent appliance from getting a dynamic IPv6 address
1473787 - Ansible workers not starting
1474504 - Unable to navigate through the service requests due to a template error on "split"

6. Package List:

CloudForms Management Engine 5.8:

Source:
ansible-2.3.0.0-1.el7.src.rpm
cfme-5.8.1.5-1.el7cf.src.rpm
cfme-appliance-5.8.1.5-1.el7cf.src.rpm
cfme-gemset-5.8.1.5-1.el7cf.src.rpm
rh-ruby23-rubygem-nokogiri-1.7.2-1.el7cf.src.rpm

noarch:
ansible-2.3.0.0-1.el7.noarch.rpm

x86_64:
ansible-tower-server-3.1.3-1.el7at.x86_64.rpm
ansible-tower-setup-3.1.3-1.el7at.x86_64.rpm
cfme-5.8.1.5-1.el7cf.x86_64.rpm
cfme-appliance-5.8.1.5-1.el7cf.x86_64.rpm
cfme-appliance-debuginfo-5.8.1.5-1.el7cf.x86_64.rpm
cfme-debuginfo-5.8.1.5-1.el7cf.x86_64.rpm
cfme-gemset-5.8.1.5-1.el7cf.x86_64.rpm
rh-ruby23-rubygem-nokogiri-1.7.2-1.el7cf.x86_64.rpm
rh-ruby23-rubygem-nokogiri-debuginfo-1.7.2-1.el7cf.x86_64.rpm
rh-ruby23-rubygem-nokogiri-doc-1.7.2-1.el7cf.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2016-7047
https://access.redhat.com/security/cve/CVE-2017-2664
https://access.redhat.com/security/cve/CVE-2017-7497
https://access.redhat.com/security/cve/CVE-2017-7530
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/

Copyright 2017 Red Hat, Inc.
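The two defect classes named in the Security Fix(es) section above, a filter parameter that turns into an unchecked method call (CVE-2017-7530) and a record lookup that is not scoped to the caller's group or tenant (CVE-2016-7047), share one remediation shape: validate the caller-controlled name against an explicit allowlist before dispatching on it, and apply the RBAC scope before any lookup by id. The Ruby below is an added example written for this page; it is not CloudForms or ManageIQ code, and every name in it (the Vm, ReportResult and User structs, FILTERABLE_VM_FIELDS, safe_filter, visible_report_results) and all sample records are constructed for illustration.

```ruby
# Added example, not CloudForms/ManageIQ code. All types, names and sample
# records below are hypothetical and constructed for this illustration.
require 'set'

Vm           = Struct.new(:name, :power_state, :tenant_id, keyword_init: true)
ReportResult = Struct.new(:id, :miq_group_id, :tenant_id, keyword_init: true)
User         = Struct.new(:name, :group_ids, :tenant_id, :admin, keyword_init: true)

class FilterNotAllowed < StandardError; end

# Unsafe shape: whatever attribute name arrives in the request becomes a
# method call on the record, so the "field" is really an arbitrary method.
def unsafe_filter(records, field, value)
  records.select { |r| r.public_send(field) == value }
end

# Hardened shape: the set of attributes a filter may reference is fixed in
# code. The name is checked against it before any method is invoked, so an
# unexpected name is rejected rather than executed.
FILTERABLE_VM_FIELDS = Set.new(%w[name power_state tenant_id]).freeze

def safe_filter(records, field, value, allowed: FILTERABLE_VM_FIELDS)
  field = field.to_s
  raise FilterNotAllowed, "field not filterable: #{field}" unless allowed.include?(field)
  records.select { |r| r.public_send(field) == value }
end

# RBAC scoping: a non-admin user sees only results that belong to one of
# their groups or to their own tenant. Apply this scope first, then look up
# by id, so an id belonging to another tenant simply yields nothing.
def visible_report_results(user, results)
  return results if user.admin
  results.select do |res|
    user.group_ids.include?(res.miq_group_id) || res.tenant_id == user.tenant_id
  end
end

def find_report_result(user, results, id)
  visible_report_results(user, results).find { |res| res.id == id }
end

# Constructed sample data (hypothetical values).
VMS = [
  Vm.new(name: "web01", power_state: "on",  tenant_id: 1),
  Vm.new(name: "db01",  power_state: "off", tenant_id: 2),
].freeze

RESULTS = [
  ReportResult.new(id: 10, miq_group_id: 100, tenant_id: 1),
  ReportResult.new(id: 11, miq_group_id: 200, tenant_id: 2),
].freeze

ALICE = User.new(name: "alice", group_ids: [100], tenant_id: 1, admin: false)
ADMIN = User.new(name: "root",  group_ids: [],    tenant_id: 0, admin: true)

if __FILE__ == $PROGRAM_NAME
  puts safe_filter(VMS, "power_state", "on").map(&:name).inspect
  begin
    safe_filter(VMS, "destroy", nil)
  rescue FilterNotAllowed => e
    puts "rejected: #{e.message}"
  end
  puts visible_report_results(ALICE, RESULTS).map(&:id).inspect
  puts find_report_result(ALICE, RESULTS, 11).inspect
end
```

The allowlist is deliberately a constant rather than something derived from the model's public methods: deriving it would re-create the original problem, since any public method on the record would become reachable through the filter. The scoping helper is written so that the same predicate serves both list views and single-record lookups, which is what prevents an id-guessing walk across tenants from returning anything.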
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iD8DBQFZggvnXlSAg2UNWIIRAkFqAKCIpBg3VoabukKkwW7Ou7VI5Bq0pACfamJG
SghJ0uQOW0qLVlXB4KEUn3g=
=Jngf
-----END PGP SIGNATURE-----

--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce