-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: Red Hat CloudForms security, bug fix, and enhancement update
Advisory ID:       RHSA-2017:3484-01
Product:           Red Hat CloudForms
Advisory URL:      https://access.redhat.com/errata/RHSA-2017:3484
Issue date:        2017-12-18
Cross references:  RHSA-2017:1601
CVE Names:         CVE-2017-2664
=====================================================================

1. Summary:

An update for cfme, cfme-appliance, and cfme-gemset is now available for
CloudForms Management Engine 5.7.

Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Relevant releases/architectures:

CloudForms Management Engine 5.7 - x86_64

3. Description:

Red Hat CloudForms Management Engine delivers the insight, control, and
automation needed to address the challenges of managing virtual
environments. CloudForms Management Engine is built on Ruby on Rails, a
model-view-controller (MVC) framework for web application development.
Action Pack implements the controller and the view components.

CloudForms Management Engine Appliance.

CloudForms Management Engine Gemset.

Security Fix(es):

* CloudForms lacks RBAC controls on certain methods in the rails application
portion of CloudForms. An attacker with access could use a variety of
methods within the rails applications portion of CloudForms to escalate
privileges. (CVE-2017-2664)

This issue was discovered by Libor Pichler (Red Hat) and Martin Povolny
(Red Hat).

Additional Changes:

This update also fixes several bugs and adds various enhancements.
Documentation for these changes is available from the Release Notes document
linked to in the References section.
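The Security Fix(es) entry above describes controller methods that were reachable without a role-based access check. The Ruby below is an added illustration of that class of flaw and its fix; it is not Red Hat's or CloudForms' code, and every role, feature and action name in it (reader, admin, vm_show, show/edit/delete) is constructed for the example. It shows a Rails-style controller whose privileged actions run for any authenticated user, the same controller with a per-action feature guard that fails closed, and a small audit helper that reports which actions a given user can actually complete.

```ruby
require 'set'

# Constructed sample roles (not CloudForms' real role or feature names):
# a role is simply the set of feature identifiers it grants.
ROLE_FEATURES = {
  'reader' => Set['vm_show'],
  'admin'  => Set['vm_show', 'vm_edit', 'vm_delete']
}.freeze

User = Struct.new(:name, :role) do
  # An unknown role grants nothing.
  def allowed?(feature)
    ROLE_FEATURES.fetch(role, Set.new).include?(feature)
  end
end

class AccessDenied < StandardError; end

# Stand-in for a Rails controller: dispatch(action, user) plays the part of
# the router invoking a public action method. Nothing here consults the
# caller's role, so any authenticated user reaches every action, including
# the state-changing ones.
class VulnerableVmController
  def dispatch(action, user)
    public_send(action)
  end

  def show;   'vm shown';   end
  def edit;   'vm edited';  end
  def delete; 'vm deleted'; end
end

# Hardened form: each action is mapped to the feature the caller must hold,
# and the check runs before the action body. An action missing from the
# table is denied by default, so a newly added action cannot silently
# become public.
class GuardedVmController < VulnerableVmController
  REQUIRED_FEATURE = {
    'show'   => 'vm_show',
    'edit'   => 'vm_edit',
    'delete' => 'vm_delete'
  }.freeze

  def dispatch(action, user)
    feature = REQUIRED_FEATURE[action.to_s]
    unless feature && user.allowed?(feature)
      raise AccessDenied, "#{user.name} (#{user.role}) may not call #{action}"
    end
    super
  end
end

# Audit helper: which of the given actions can this user complete on this
# controller? Handy as a regression check that a role's reach matches policy.
def reachable_actions(controller_class, user, actions = %w[show edit delete])
  actions.select do |action|
    begin
      controller_class.new.dispatch(action, user)
      true
    rescue AccessDenied
      false
    end
  end
end

if __FILE__ == $PROGRAM_NAME
  reader = User.new('alice', 'reader')
  puts "unguarded, reader: #{reachable_actions(VulnerableVmController, reader).inspect}"
  puts "guarded,   reader: #{reachable_actions(GuardedVmController, reader).inspect}"
end
```

The audit helper is the piece worth keeping around after a fix like this one: run it for each role against each controller and compare the result with the intended feature matrix, so that a later change which drops an action from the guard table shows up as a test failure rather than as a privilege escalation.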
4. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1344690 - ActionController::RoutingError in automation simulation tree
1401560 - Missing buttons Graph view, Hybrid view, Table view and missing option Show full screen report
1424267 - selection doesn't move along with added/copied Condition in Control->Explorer->Policies treeview
1429962 - UI: VM "Edit Management Engine Relationship", 'Save' problem mal functionning
1435393 - CVE-2017-2664 CloudForms: lack of RBAC on various methods in web UI
1440105 - UI: Tasks are using an old icons for Task State.
1449404 - IE 11 on windows 7: On topology page entity icons are not displaying properly
1451831 - [Ansible Tower] - Ansible Tower Jobs - relationships table - undefined method when clicking on Service
1457979 - After killing reporting worker, report status still says Running
1458287 - Incorrect padding in Actions and Conditions selection screens
1460149 - [Ansible Tower] - Unexpected error when clicking on successful job
1460656 - WebUI:Tag Visibility - Ansible Tower Job Templates should honor tag visiblity
1460696 - HTML in node names of Control/Simulation tree
1460938 - Unexpected error encountered while clicking on "Download PDF" button on Switch page
1462104 - [Amazon EC2] - ManageIQ string in PDF filename of Network provider and in PDF title
1462146 - Access Web Console Cockpit not compatible with Windows VMs
1463265 - Missing id attribute on Cloud->Instance Edit form, Child VM MultiBoxSelect
1465077 - CFME collects C&U metrics even before resource creation
1465079 - report vm and instances field 'Provision.Request : Approved By' does not apply any styling
1465080 - The IP version (network protocol) is not displayed when editing cloud subnets
1465081 - Formatting of Provider summary PDF file generated from provider summary page is very broken
1465082 - [SDN][Tags] - Redirection to Network provider summary page page after tag is saved
1465083 - Tag Visibility | Cloud Stack: Tag is not added if stack list opened from provider detail page
1465084 - service now integrations for determining host_name return empty array
1465086 - Hourly metrics_## tables grow filling up the VMDB filesystem when real-time purges fail
1465088 - Service template provisioning request do not honour quotas
1465090 - "Items" keyword in the dropdown list values of Default Items Per Page in my settings
1465091 - [RFE] External Auth - AD - samba-common-tools and deps missing from appliance.
1465093 - The 'Assigned Filters' setting in the Settings->Access Control->Groups->[group name] only applies to 'Hosts & Clusters', and not the Network providers.
1465415 - Service Retirement not working properly for Orchestration Stacks due to missing zone.
1468593 - Check for blank password in database configuration to avoid postgres errors
1468606 - Azure refresh fails if provider has no orchestration stacks
1468612 - prevent two miq servers from starting
1468613 - Remote VNC/SPICE consoles lack logging when the remote endpoint is inaccessible
1468614 - Not able to retire VM/instance via API unless "Set Retirement Date" feature is checked for role
1468633 - websocket connection leaks causing failed connections
1469297 - Unable to select the Azure region UK South
1469703 - performance issue in openstack collection
1471201 - Replace nodejs010 with node from SCL in appliances
1471202 - Unable to save trusted forest Settings
1471204 - Not possible to refresh automate from GIT using API call
1471315 - Tag with Key 'Name' and a nil Value Breaks Refresh for AWS
1472364 - Productized border at top of page should be red not blue
1472381 - Ansible tower job templates filters are not displayed
1472383 - Deleted labels still show up in CFME after provider refresh
1472384 - Some container resources not cleaned up after removal from Openshift - research
1472806 - found as option in drop down service dialogs
1473271 - Raise MiqProvisionError if instance is in error state
1475020 - Drop Down List Dialog does not keep default value for Integer type
1475031 - After applying errata 5.7.3.2 some dialog field default values are missing in the self-service portal
1476270 - Validation Credentials fails for OSP 10 Provider with AD "domain" user
1476279 - OpenStack cloud provider refresh error: Flavor could not be found
1476284 - After Applying ERRATA-RHSA-2017:1601 full refreshes are being trigged frequently
1476296 - Unable to perform power control operations on stack instance when navigated through stack summary page
1476395 - OSP: when validating an account with access to many projects, it checks each, and times out
1477195 - AD with external auth, When doing group lookup for user group SID number is displayed instead of Group name
1477617 - Validation failed: Status is not included in the list
1477722 - Unable to provision against vmware with "multiple parents found" error
1477723 - zones of sub region show up as zones appliances of a central region can move to
1477725 - Search field disappears when user clicks view selector after user input dialog on Compute->Infrastructure->All VMs page
1477727 - Refresh failed for VMware Provider in Cloudforms 4.5
1478368 - User unable to tick the check boxes of the folder while assigning the Alert profile
1479377 - Provisioning to MS SCVMM Uses host.name instead of host.hostname
1479410 - incorrect value used in stock automation wait_for_completion
1480630 - prefetch_below_threshold? failure after AWS upgrade
1481743 - UI: "Unexpected error encountered" when Downloading report in text,csv and pdf format
1481859 - Provisions via Users in multiple groups in tenants in SSUI result in VMs being provisioned to wrong group/tenant
1481862 - Azure inventory collection fails with missing instances for west-india region
1481864 - Datasources Download .txt truncates host-name
1481865 - Unable to provision HyperV networking properly
1481867 - Unable to provision against vmware due to "unknown method xsiType"
1481870 - Quota not using cloud volumes in requested resource calculation.
1482151 - Missing Icon of power state - migrating
1482672 - Workers processing a miq_queue message that exceed the memory threshold aren't given enough time to exit gracefully
1484387 - Setting VM ownership on more than 100 VMs at a time causing server error status 400 bad request
1484541 - Custom button not passing target object to dynamic dialog fields
1484549 - [RFE] Add config option to skip container_images
1487280 - Refresh fails: undefined method `[]' for nil:NilClass in `parse_image_name'
1487289 - [RFE] Include EvmRole-reader as read-only role in the fixtures
1487297 - [RFE] The azure image as built cannot be used in azure.
1487307 - Unable to perform any actions on cloud objects from list view when navigated to cloud tenants
1487321 - Unable to access filter tab while Editing chargeback for projects report
1487323 - Save only used OpenShift images with labels/tags
1487686 - Drop down history toolbar button on Import/Export report page is not needed, should be removed.
1487694 - UI elements not loading and reporting widgets not showing data points
1490434 - Clicking x button in search box doesn't remove the search
1491576 - [Regression] Unable to assign actions to a policy
1492158 - Quota management doesn't work according the expected
1492867 - Dashboard shows 2 for "retiring soon" services but clicking on that link shows None
1493700 - HTML5 VNC Remote Console: Remove VNC proxy from the UI
1494189 - vc refreshes are preventing full refreshes
1495971 - setting a dynamic dialog to "required = True" is not saved
1496597 - Setting memory_reserve lower than vm_memory failed
1497522 - Deleted VM is moved to status Orphan, though it should move to Archived.
1497748 - Editing Name of a Category via API breaks Chargeback Assignments
1498095 - Tag/Networks: Cloud Network list is available for restricted user, if Network manager was tagged
1498131 - It allows me to have filter with same name twice when loading global filter
1498232 - [Regression] appliance_console not enabling all required SCAP rules.
1500050 - Cannot add Azure provider to CloudForms 4.2
1500052 - Azure refreshes fail with [NameError]: wrong constant name $default
1500067 - Cloudforms AWS image with Azure provider fails to discover entire environment
1500995 - Unable to initiate VM console in VMware environment with 6.5 VC and ESXi 6.5
1501478 - overwriting reports causes new runs of the report to not show data for some columns
1502739 - Dynamic refresh ignored on Service Dialog elements if clicking submit without clicking out of refresh trigger element first
1505417 - Records with duplicate timestamp in metrics rollup table
1505458 - UI: PDF Download button is missing from the infra provider summary page (it is displayed for cloud providers)
1505468 - Edit tags not working while navigating to instance through provider
1505546 - [EUWE] HTML5 Console Does Not Display From SSUI/OPS UI VMWare
1506626 - compute.instance.exists events
1509420 - Queue workers are frequently querying pg_backend_pid
1517712 - Storage Volume Attach give Unexpected Error
1521043 - Azure NetworkManager refresh failure with "undefined method `source_address_prefix'" error

6. Package List:

CloudForms Management Engine 5.7:

Source:
cfme-5.7.4.2-1.el7cf.src.rpm
cfme-appliance-5.7.4.2-1.el7cf.src.rpm
cfme-gemset-5.7.4.2-1.el7cf.src.rpm
rh-ruby23-rubygem-nokogiri-1.8.1-2.el7cf.src.rpm

x86_64:
cfme-5.7.4.2-1.el7cf.x86_64.rpm
cfme-appliance-5.7.4.2-1.el7cf.x86_64.rpm
cfme-appliance-debuginfo-5.7.4.2-1.el7cf.x86_64.rpm
cfme-debuginfo-5.7.4.2-1.el7cf.x86_64.rpm
cfme-gemset-5.7.4.2-1.el7cf.x86_64.rpm
rh-ruby23-rubygem-nokogiri-1.8.1-2.el7cf.x86_64.rpm
rh-ruby23-rubygem-nokogiri-debuginfo-1.8.1-2.el7cf.x86_64.rpm
rh-ruby23-rubygem-nokogiri-doc-1.8.1-2.el7cf.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2017-2664
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is . More contact details at
https://access.redhat.com/security/team/contact/

Copyright 2017 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iD8DBQFaOCPCXlSAg2UNWIIRAoCOAJ4hDys8f7j0ds8NqSY+dulIXwI1WQCff+ze
bGKOZPFsz5Gnxv0Rm3WWnrM=
=wTln
-----END PGP SIGNATURE-----

-- 
RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce