-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: Red Hat CloudForms security, bug fix, and enhancement update
Advisory ID:       RHSA-2017:3005-01
Product:           Red Hat CloudForms
Advisory URL:      https://access.redhat.com/errata/RHSA-2017:3005
Issue date:        2017-10-24
Cross references:  RHSA-2017:1758
CVE Names:         CVE-2017-11610 CVE-2017-12148
=====================================================================

1. Summary:

An update is now available for CloudForms Management Engine 5.8.

Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Relevant releases/architectures:

CloudForms Management Engine 5.8 - noarch, x86_64

3. Description:

Red Hat CloudForms Management Engine delivers the insight, control, and
automation needed to address the challenges of managing virtual
environments. CloudForms Management Engine is built on Ruby on Rails, a
model-view-controller (MVC) framework for web application development.
Action Pack implements the controller and the view components.

The following packages have been upgraded to a later upstream version:
ansible-tower (3.1.5), cfme (5.8.2.3), cfme-appliance (5.8.2.3),
cfme-gemset (5.8.2.3), rabbitmq-server (3.6.9), rh-ruby23-rubygem-nokogiri
(1.8.1), supervisor (3.1.4). (BZ#1476286, BZ#1485484)

Security Fix(es):

* A flaw was found in Tower's interface with SCM repositories. If a Tower
project (SCM repository) definition does not have the 'delete before
update' flag set, an attacker with commit access to the upstream playbook
source repository could create a Trojan playbook that, when executed by
Tower, modifies the checked out SCM repository to add git hooks. These git
hooks could, in turn, cause arbitrary command and code execution as the
user Tower runs as. (CVE-2017-12148)

* A vulnerability was found in the XML-RPC interface in supervisord. When
processing malformed commands, an attacker can cause arbitrary shell
commands to be executed on the server as the same user as supervisord.
Exploitation requires the attacker to first be authenticated to the
supervisord service. (CVE-2017-11610)

The CVE-2017-12148 issue was discovered by Ryan Petrello (Red Hat).

Additional Changes:

This update also fixes several bugs and adds various enhancements.
Documentation for these changes is available from the Release Notes
document linked to in the References section.

4. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1439650 - Tenant and catalog information missing in Service Catalog Item Being Tagged
1459987 - Changes to timeout setting should not require evmserverd restart
1459996 - [RFE] Add support for virt v2v
1460754 - containers: containers analysis task results - user is system and owner is empty
1461061 - Add rate view option for counters in Ad-hoc Metrics
1465087 - Service template provisioning request do not honour quotas
1465089 - "Items" keyword in the dropdown list values of Default Items Per Page in my settings
1471709 - Default landing page is not showing "storage page" related options for custom made role
1476143 - CVE-2017-11610 supervisor: Command injection via malicious XML-RPC request
1477194 - AD with external auth, When doing group lookup for user group SID number is displayed instead of Group name
1477616 - Validation failed: Status is not included in the list
1477701 - Error caught: [NoMethodError] undefined method `[]' for nil:NilClass for REGULAR EXPRESSION MATCHES report
1477702 - UI: Unable to edit Compliance Policy Scope condition.
1478367 - 400 Bad Request Provision Error
1478372 - All start page entries must be updated to include the new navigation
1478379 - We do not check the base unit when creating the unit label
1478391 - Limit ansible playbook catalog item description
1478398 - Fields change in Advanced search in Automation -> Ansible Tower page
1478400 - Delete saved report button is not available on the configuration tab on report summary page
1478406 - Link to PV summary pdf broken
1478407 - [RFE] Create Backup for Cloud Volume should have force checkbox
1478409 - Error caught: [NoMethodError] undefined method `+' for nil:NilClass
1478415 - [Azure] User password limitations are not working correctly
1478418 - [RFE] Add support for VM "Restart Guest", for RHV provider
1478421 - Enabling Capacity & Utilization without filling C&U credentials generate repeated Errors in evm.log
1478428 - Default capture_threshold value for OpenShift object types is too low
1478429 - 'Ansible Tower' should not be mentioned in CloudForms notification when using Ansible Automation Inside
1478434 - prevent two miq servers from starting
1478435 - found as option in drop down service dialogs
1478436 - Remote VNC/SPICE consoles lack logging when the remote endpoint is inaccessible
1478506 - inconsistent response when deleting nonexistent VM snapshot using API
1478508 - Not able to retire VM/instance via API unless "Set Retirement Date" feature is checked for role
1478510 - [POD] database.yml and GUID collected as link after log collection in podified appliance
1478513 - Configuration Manager name change not displayed
1478515 - Accessing the 'manager' association of a ManageIQ_Providers_EmbeddedAnsible_AutomationManager_Job service model gives a NoMethodError exception
1478523 - Productized border at top of page should be red not blue
1478526 - Unable to save trusted forest Settings
1478527 - CFME crashes in case of description field not found
1478529 - Tag|Ansible Job template| Page refreshes after try to navigate to template detail page from edit tag page
1478532 - In case system project not exist, no filters load on Ad hoc metrics
1478535 - Boolean user input filter should be select bar to prevent exceptions
1478542 - SUI : Start/Stop operation on any service hides the top button menu bar
1478544 - After applying errata 5.7.3.2 some dialog field default values are missing in the self-service portal
1478554 - Not possible to refresh automate from GIT using API call
1478557 - Tag with Key 'Name' and a nil Value Breaks Refresh for AWS
1478558 - Container build pods are linked to build configurations from wrong namespaces
1478560 - RHV provider does not trust certificate authorities from the system CA database
1478562 - [VMWARE]Auto_placement provision into DVPortGroup fails on Virtual Center 6.5
1478563 - [RFE] Warning message on "admin" username during Azure provision
1478565 - Error generating reports after upgrading to 4.5
1478568 - Builds are connected to pods from different namespaces when builds have the same names
1478571 - Cloud volume operations are blocked by "Must filter on valid attributes for resource" error
1479367 - Provisioning to MS SCVMM Uses host.name instead of host.hostname
1479405 - [v2v] Drivers ISO filtering is broken
1479407 - Ansible inside Job times out even if the playbook is still running
1479409 - incorrect value used in stock automation wait_for_completion
1479414 - [v2v] Failures/Errors are not reflected at all in the Automate request messages
1479423 - Generic Service State Machine missing retry interval
1479437 - Azure inventory collection fails with missing instances for west-india region
1479453 - [v2v] operation always fail eventually, even in cases VM import was successful.
1479454 - [v2v] request timeout is very long (~2 days)
1479478 - VM Migrate State Machine does not correctly report migration errors.
1479481 - A deleted VM state do not change to Archived state
1479802 - Adding dialog for a new cloud volume doesn't show EBS storage manager
1479805 - Unable to provision against vmware with "multiple parents found" error
1479886 - After Applying ERRATA-RHSA-2017:1601 full refreshes are being triggered frequently
1479917 - Tag | Groups: Datastores is missing in "Host & Clusters" tree
1479920 - Hawkular verification - error message contains HTML tags
1479922 - The notification events are out of order
1479923 - [Embedded Ansible] - Unexpected error when clicking on Download summary icon
1479924 - Embedded Ansible worker has no icon in Diagnostics
1479925 - Button Group details page fields do not mention Group
1479926 - Button edit dialog title is incorrect
1479927 - Unable to perform power control operations on stack instance when navigated through stack summary page
1479929 - VM: Error when clicking on archived or orphaned VMware VM in VM explorer
1479931 - UX: Provisioning an ec2 instance image selection page has Type: "Image" split in two lines
1479935 - HTML5 Console: Toggle Full Screen Button Does not Work in Firefox
1479937 - Configuration Management Provider's Verify Peer Certificate setting doesn't get saved
1479938 - zones of sub region show up as zones appliances of a central region can move to
1479941 - Search field disappears when user clicks view selector after user input dialog on Compute->Infrastructure->All VMs page
1479943 - Adding an Automate Task schedule adds UTC to the last Attribute/Value pair
1479944 - User unable to tick the check boxes of the folder while assigning the Alert profile
1479959 - Unable to provision HyperV networking properly
1479972 - TypeError while refreshing a scvmm provider
1479976 - Refresh failed for VMware Provider in Cloudforms 4.5
1479978 - OpenStack cloud provider refresh error: Flavor could not be found
1479991 - Typo on Infra provider dashboard page
1479993 - Inconsistency between flash message when creating vs. deleting
1479994 - UI: "Unexpected error encountered" when Downloading report in text, csv and pdf format
1480000 - exception on attempt to open report with timelines "Operations VM Power On/Off Events for Last Week"
1480001 - [Embedded Ansible] URL is not validated while adding new Ansible Repository
1480002 - Broken navigation tree in the datastore details screen
1480007 - Provisions via Users in multiple groups in tenants in SSUI result in VMs being provisioned to wrong group/tenant
1480008 - Datasources Download .txt truncates host-name
1480286 - State Machine Changes when User Switches Groups During Provision in Admin UI
1480377 - [RHEVM]: VM snapshot: delete option is enabled, for Active VM
1480586 - [v2v] rephrase "Drivers ISO" label in the v2v dialog
1480588 - [v2v] Move the 'Transform this VM to RHV' option from 'Configuration' to 'Lifecycle'
1480589 - Reports type dashboard widgets cannot be minimized
1480654 - Duplicated users when changed the (upper,lower)case of letters of login name
1480734 - vm_retire_extend references vm.retirement which does not exist anymore, causing crash
1481296 - CloudForms REST API searching for reports by names that contain '>' fails with a '400 - Bad Request'
1481436 - In Utilisation graph for Pods and Containers the Rounding of metrics is inconsistent
1481437 - [UI] - Unexpected error encountered when switching to 'Cloud Intel' main tab
1481439 - Duplicate flash message in Optimize/Bottlenecks
1481442 - duplicate status messages when saving automate methods
1481445 - Ansible Automation: missing group id in manageiq payload
1481449 - Instance Type on Provision Instances remains empty after adding flavor which has disk size of 0
1481450 - Unable to provision against vmware due to "unknown method xsiType"
1481845 - Delete a Template in RHEV that a Catalog uses, no indication in logs or UI when Catalog Ordered
1481846 - appliance_console_cli doesn't handle ipa registration if the password has a '$' in it
1481849 - "Page does not exist" when clicked on Service Catalog item breadcrumb link from stack page
1481851 - Internal Server Error when creating schedule for automate task
1481853 - Drop down history toolbar button on Import/Export report page is not needed, should be removed.
1482131 - Title displayed in add button page is wrong
1482136 - CFME OpenStack provider missing options to set VLAN or Segmentation ID
1482148 - Missing Icon of power state - migrating
1482170 - unable to provision against openstack with a volume attached
1482666 - Cannot edit Ansible Repository
1482667 - sat6 save button broken after changing rhsm details to sat6 setup
1482668 - prov.set_host fails on 4.5.1 (5.8.1.5.20170725160636_e433fc0)
1482669 - setting hostname through appliance console throws error on ipv6 only env
1482670 - Workers processing a miq_queue message that exceed the memory threshold aren't given enough time to exit gracefully
1484373 - Reports are not generated by API call
1484374 - Failure to collect metrics of Window instances on Azure
1484385 - Setting VM ownership on more than 100 VMs at a time causing server error status 400 bad request
1484424 - [Embedded Ansible] Failed Repository does not show up in All Repositories Table on /ansible_repository/show_list
1484539 - Custom button not passing target object to dynamic dialog fields
1484548 - [RFE] Add config option to skip container_images
1484608 - SUI : The VM status shows "retired" for all VM's, retired or not.
1484613 - RHEVM Target Refresh Completes Even Though Storage Domain Error is Thrown
1484895 - Reports - pods per ready status - nonexistent pods presented
1484901 - [RFE] Include EvmRole-reader as read-only role in the fixtures
1484904 - Tower version 2 may fail refresh
1484956 - [v2v] 'Drivers ISO' field is not removed when 'install drivers' is unchecked.
1484984 - [RFE] The azure image as built cannot be used in azure.
1485474 - CVE-2017-12148 Ansible Tower modification of git hooks in SCM repo via upstream playbook execution
1486351 - Service order request for VM provision from template fail on SSL Certificate verification
1486474 - Locale dropdown menu does not have Portuguese
1487283 - Refresh fails: undefined method `[]' for nil:NilClass in `parse_image_name'
1487320 - Unable to access filter tab while Editing chargeback for projects report
1487689 - duplicate users get created from ldap logins
1488967 - Need to verify that SSA works with Azure Managed Storage
1489974 - Unable to login to Amazon account.
1491310 - Smart state analysis on a running vm on Azure doesn't work
1492840 - [UI][Services] - Not all catalog items shown in Service catalogs accordion tree
1493207 - Add miq_provision_quota_mixin to Service Template Provision Request service model.
1494561 - Save only used OpenShift images with labels/tags
1496912 - Proxy configuration does not work in restricted IPV6 only environment
1496946 - setting a dynamic dialog to "required = True" is not saved
1497746 - Editing Name of a Category via API breaks Chargeback Assignments
1497817 - Appliance doesn't start after upgrading from 5.7.4.0 to 5.8.2.0
1497835 - Tag/Networks: Cloud Network list is available for restricted user, if Network manager was tagged
1498230 - [Regression] appliance_console not enabling all required SCAP rules.
1498556 - Azure Smart State on Image results error "Unable to mount filesystem. Reason:[undefined method `split' for nil:NilClass" in evm.log
1499868 - DB/LDAP User is not able to log into SSUI
1500049 - Cannot add Azure provider to CloudForms 4.2
1500051 - Azure refreshes fail with [NameError]: wrong constant name $default
1500053 - Cloudforms AWS image with Azure provider fails to discover entire environment
1502738 - Dynamic refresh ignored on Service Dialog elements if clicking submit without clicking out of refresh trigger element first

6. Package List:

CloudForms Management Engine 5.8:

Source:
cfme-5.8.2.3-1.el7cf.src.rpm
cfme-appliance-5.8.2.3-1.el7cf.src.rpm
cfme-gemset-5.8.2.3-1.el7cf.src.rpm
rabbitmq-server-3.6.9-1.el7at.src.rpm
rh-ruby23-rubygem-nokogiri-1.8.1-2.el7cf.src.rpm
supervisor-3.1.4-1.el7.src.rpm

noarch:
rabbitmq-server-3.6.9-1.el7at.noarch.rpm
supervisor-3.1.4-1.el7.noarch.rpm

x86_64:
ansible-tower-server-3.1.5-1.el7at.x86_64.rpm
ansible-tower-setup-3.1.5-1.el7at.x86_64.rpm
cfme-5.8.2.3-1.el7cf.x86_64.rpm
cfme-appliance-5.8.2.3-1.el7cf.x86_64.rpm
cfme-appliance-debuginfo-5.8.2.3-1.el7cf.x86_64.rpm
cfme-debuginfo-5.8.2.3-1.el7cf.x86_64.rpm
cfme-gemset-5.8.2.3-1.el7cf.x86_64.rpm
rh-ruby23-rubygem-nokogiri-1.8.1-2.el7cf.x86_64.rpm
rh-ruby23-rubygem-nokogiri-debuginfo-1.8.1-2.el7cf.x86_64.rpm
rh-ruby23-rubygem-nokogiri-doc-1.8.1-2.el7cf.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2017-11610
https://access.redhat.com/security/cve/CVE-2017-12148
https://access.redhat.com/security/updates/classification/#important
https://access.redhat.com/documentation/en-us/red_hat_cloudforms/4.5/html/release_notes/index#red_hat_cloudforms_4_5_2

8. Contact:

The Red Hat security contact is . More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2017 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iD8DBQFZ7obfXlSAg2UNWIIRAqPrAJ4+V6vCPvuuA5uZXoIaMnmU+stPdwCggCdG
Iauqp+TU+nVpaAmy4D675Ic=
=QGyU
-----END PGP SIGNATURE-----

--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce
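A defender-side check for the CVE-2017-12148 issue described in this advisory, added here as an example that is not Red Hat's or Ansible Tower's own code: it walks a Tower projects directory (PROJECTS_DIR is an assumed placeholder path) and reports any file in a checkout's .git/hooks that is not one of git's own *.sample templates, since a freshly cloned repository never contains one and a hook planted by a playbook run would show up there.

```python
"""Report git hooks in SCM checkouts that did not come from git's templates.

Added example (not Red Hat's or Tower's code). PROJECTS_DIR is an assumed
placeholder for the directory where Tower keeps project checkouts.
"""
import os
import stat
from pathlib import Path

# Assumed placeholder for the Tower projects root on the appliance.
PROJECTS_DIR = "/var/lib/awx/projects"


def unexpected_hooks(checkout):
    """Return [(name, is_executable)] for files in checkout/.git/hooks that
    are not git's *.sample templates; [] when there is no hooks directory."""
    hooks_dir = Path(checkout) / ".git" / "hooks"
    if not hooks_dir.is_dir():
        return []
    found = []
    for entry in sorted(hooks_dir.iterdir()):
        if entry.name.endswith(".sample"):
            continue  # shipped by git itself, inert until renamed
        mode = entry.stat().st_mode
        executable = bool(mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH))
        found.append((entry.name, executable))
    return found


def scan_projects(root):
    """Walk every git checkout under root and return
    {checkout_path: [(hook_name, is_executable), ...]} for offenders only."""
    report = {}
    for dirpath, dirnames, _ in os.walk(root):
        if ".git" in dirnames:
            hooks = unexpected_hooks(dirpath)
            if hooks:
                report[dirpath] = hooks
            dirnames.remove(".git")  # do not descend into repository metadata
    return report


if __name__ == "__main__":
    for path, hooks in scan_projects(PROJECTS_DIR).items():
        for name, executable in hooks:
            state = "executable" if executable else "not executable"
            print(f"{path}: unexpected hook {name} ({state})")
```

Executable hooks are the ones git will actually run on the next update of that checkout; a non-executable one is still worth investigating, since whoever placed it may fix the mode on a later commit.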