-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: CloudForms 4.6.2 bug fix and enhancement update
Advisory ID:       RHSA-2018:1328-01
Product:           Red Hat CloudForms
Advisory URL:      https://access.redhat.com/errata/RHSA-2018:1328
Issue date:        2018-05-07
Cross references:  RHBA-2018:0556
CVE Names:         CVE-2018-1101 CVE-2018-1104 CVE-2018-7750
=====================================================================

1. Summary:

An update is now available for CloudForms Management Engine 5.9.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

2. Relevant releases/architectures:

CloudForms Management Engine 5.9 - noarch, x86_64

3. Description:

Red Hat CloudForms Management Engine delivers the insight, control, and automation needed to address the challenges of managing virtual environments. CloudForms Management Engine is built on Ruby on Rails, a model-view-controller (MVC) framework for web application development. Action Pack implements the controller and the view components.

Security Fix(es):

* python-paramiko: Authentication bypass in transport.py (CVE-2018-7750)

* ansible-tower: Privilege escalation flaw allows for organization admins to obtain system privileges (CVE-2018-1101)

Red Hat would like to thank Graham Mainwaring of Red Hat for reporting CVE-2018-1101.

* ansible-tower: Remote code execution by users with access to define variables in job templates (CVE-2018-1104)

Red Hat would like to thank Simon Vikström for reporting CVE-2018-1104.

For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.
Additional Changes:

This update also fixes several bugs and adds various enhancements. Documentation for these changes is available from the Release Notes document linked to in the References section.

4. Solution:

Before applying this update, make sure all previously released errata relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1495849 - [ALL_LANG] VM or Template comparison screen has untranslated entries.
1510499 - With RHV Graph refresh template numbers in Provider inventory does not get updated correctly.
1526086 - [ALL_LANG] Compute - Containers - Container Builds page has missing translations
1526088 - [ALL_LANG] Compute - Containers - Pods page has missing translations
1530680 - xClarity: EvmRole-operator unable to view physical server summary page
1530760 - [ALL_LANG] Control - Explorer - Policy Profiles - All Policy Profiles : 'Policy' is not localized
1533220 - [ALL_LANG] Control - Explorer - Actions - All Actions - Configure - Add a new Action : 'Action Type' drop-down menu has untranslated entries
1533233 - On Tag Assignment page Category has other Tags than preconfigured for it
1533515 - [ALL_LANG] User Icon - Configuration - Access Control - Roles : Add new Role has untranslated entries
1538094 - [ALL_LANG] User Icon - Tasks : untranslated entry
1538100 - [ALL_LANG] User Icon - Configuration - Settings - CFME Region: Region xx[xx] has untranslated entry
1549625 - webui updates failing when a proxy is required
1549722 - WebUI: Tool tip displays html code while setting the ownership for multiple vm's
1550728 - Replication configuration page does not open when child database is down
1550730 - [Ansible Embedded] - Embedded Ansible cannot be enabled on IPv6 only appliance
1550736 - unable to view quotas without manage quota permissoin being enabled in 5.8.2
1551692 - internal server error ActiveRecord::AssociationTypeMismatch when editing current_group
1551696 - Colons are unhandled in BaseModel key generation in AzureArmrest
1551698 - Not possible to configure GCE provider for new regions (southamerica-east1) on CFME
1551703 - RHOS: Unable to delete cloud tenant
1552266 - Duplicated choice exist in new alerts view
1552269 - Network router type string contains ManageIQ path
1552278 - Authentication issue for checking status of Task API via EvmRole_administrator privileged User
1552282 - [RFE] Make Automation State Machine Log Lines Uniform
1552288 - [RFE] Metrics for memory usage of AWS instances is missing from C&U
1552290 - AWS Smartstate Does Not Fail Gracefully if AMI To run Analysis Agent is Unavailable
1552301 - Azure Template to service Dialog conversion issue
1552303 - [Azure]Provision Multiple VMs with Public IP selection options
1552305 - GCE Region is useless in GCE Provider
1552323 - xClarity: server-host relationship to hosts managed by RHEV-M provider not created.
1552334 - Nuage provider name is always displayed as " Network Manager" on GUI
1552335 - EventCatcher is not restarted when Nuage provider is updated
1552671 - [RFE][XS-2] Add possibility to unregister a VM in RHV provider
1552673 - Cloudforms doesn't show IP of vms on vCloud provider
1552677 - VM does not have deletion event on its own timeline on vsphere55
1552704 - Default Docker Labels for Labeled Images in Chargeback Assignments
1552707 - Wrong error displayed when trying to add a group without a name
1552723 - Can't Manage Report Menu Accordions and Folders
1552735 - Filters not working properly in config mgmt configured systems
1552737 - UI: Broken bootstrapswitch design in custom button option of generic object
1552739 - [RFE] Expose Infra provider networks (RHOS) in host/node details
1552740 - [ALL_LANG] User Icon - Configuration - Settings - Schedules : Add a new Schedule page has untranslated entries
1552741 - Can't remove multiple instances or methods in UI.
1552743 - ui: Tabs switched When changing the System/Process type on add new button page
1552746 - typo in provider summary page: metrics type Hakular --> Hawkular
1552748 - [Embedded Ansible] Notification typo
1552753 - CFME Log lines in Diagnostics are divided into multiple lines
1552762 - Error when applying a filter in My Services from Adv search
1552763 - Remove Chargeback Rates field for Metering reports
1552776 - Auth MIQLDAP AD - miqldap_to_sssd conversion fails for ldap.
1552782 - Smartstate on Azure Managed Linux Instance returns Unable to mount filesystem. Reason:[XFS::DirectoryDataHeader: Invalid Magic Number 0]
1552783 - Unable to add playbook repos after webui update
1552785 - Auth MIQLDAP AD - Users can't log in to console after miqldap_to_sssd conversion
1552790 - Validating credentials for replication throws error if pglogical schema not created
1552791 - miqldap_to_sssd help message is incorrect
1552792 - Auth External Auth SAML - Users with custom groups with special chars can't log in.
1552794 - A control alert for real time performance of a VM and Instance is not firing
1552796 - [RFE] Chargeback reports for OpenStack tenants
1552798 - [Providers] - Instances not linked after provider removal/addition
1552800 - Retirement requester is not passed down correctly to automate
1552801 - RBAC doesn't work for notifications
1552802 - No notification for failed registration
1552804 - configure_server_settings.rb changes numeric values to strings, causing failures when other code is expecting integers
1552809 - [RFE] Support RestAPI Primary Collection for Containers (object)
1552817 - SUI doesn't display costs for SCVMM services
1552824 - Can Add Duplicate Custom Attributes on OpenShift Provider Via the API
1552826 - internal server error when cloud_networks, cloud_subnets or security_groups subcolls requested on RHEVM
1552828 - internal server error when accessing attributes of the "picture" resource
1552838 - Targeted folder refresh doesn't work on VMware
1552842 - Customize vApp template prior provisioning (VMware vCloud Provider)
1552873 - RBAC Users can be removed from all associated groups after the webui shows the error "A User must be assigned to a Group"
1552879 - Tagging broken in Datastores and My Services page
1552880 - [RFE] There is no any indication in replication subscription screen for not accessible remote node
1552882 - The quad-icon tile for an OpenShift provider shows an exclamation mark, but a mouseover shows "Refresh Status: Success"
1552884 - Cursor on password field instead of username when we enter incorrect login details
1552886 - Unwanted comma in disk type string for Azure instances
1552889 - containers: identical volume name for different volumes in different pods is not useful for users (at least not admin)
1552890 - Tagging: Edit tags page doesn't open for network list items navigated through parent details page
1552895 - Error updating Nuage provider
1552900 - Title does not update when searching text in Datastores and other pages
1552903 - Automate tree in the left pane has duplicates following any copy operation (instance, class, namespace)
1552904 - The accordion folds after adding a schedule
1552908 - Add button is not responsive on Role add page
1553191 - Timelines: Throws an error while trying to access Cloud Intel/Timelines
1553197 - Configuration -> Red Hat Updates tab does not list all required repositories
1553214 - JavaScript-UI: Wrong behavior of `display on button` checkbox while editing custom group form
1553224 - Set Ownership can not be changed back to default
1553241 - Container add provider empty flash message when not catch UI exception
1553242 - Tag: All Catalog Items are listed in resource dropdown while creating Catalog Bundle using restricted user
1553243 - Save button isn't activated when date is removed in VM "Set/Remove retirement date"
1553244 - [QEDevCollab] Components in 'Add button group' form causing test automation failures
1553251 - Chargeback Rates page title incorrect after deleting rate
1553288 - Flash message icon is not correct Bottlenecks page
1553295 - Unable to perform SSA if Vm storage is fileshare on SCVMM and throws error in evm.log
1553304 - Evacuate Host failed
1553307 - Undefined method `vmm_version' for nil:NilClass on VM summary screen
1553309 - [RFE] Generic objects not displayed
1553311 - Wrong 'Fixed IPs' font size while adding a router with external gateway
1553315 - C & U Collection settings in configuration page improper styling
1553316 - On schedules pages is shown pagination from analysis profiles
1553317 - Broken footer in alerts
1553319 - [RFE][S-3] UI displays disabled domains for a instance's domain priority
1553322 - audit.log should not contain translated messages
1553323 - Adding Interface to Router with user in Tenant show all Subnets and not only the Tenant's Subnet
1553326 - Switch icon is missed on tag assignment page
1553327 - Stack Outputs icon is not displayed
1553329 - Using webmks console one cannot type correctly the password when it contains special characters
1553336 - Default view settings fails for service catalogs
1553340 - [CONDITION] When we leave description blank, there are two identical flash messages.
1553345 - Openstack infra provider dashboard should not appear for an openstack infra provider
1553362 - Add miqssh utilities
1553384 - [RHV] VM Reconfigure: Down VM Memory increase fail on cannot exceed maximum memory
1553389 - VMware vCloud Provider's VM is only partially stopped/suspended
1553392 - EvmRole-auditor can perform actions on VM
1553393 - [RFE] Add RBAC and Tagging Support to Ansible Credentials.
1553396 - [RFE] Add RBAC and Tagging Support to Ansible Repos
1553397 - Error while checking that migrations are up to date
1553399 - Normalize text for operational alerts
1553480 - SUI : Clicking any link on dashboard does not change the navigation in left side
1553482 - Kebab menu appearing differently on service page and resource detail pages
1553483 - Kebab menu changes structure after 30 seconds in SSUI resource detail page
1553768 - [RFE] Add RBAC and Tagging Support to Ansible Playbooks
1553776 - Role inconsistency with privileges when creating reports and setting chargeback filters
1553779 - Restricted user can see all group and users
1553780 - notifications do not get cleared from the notification table
1553789 - Unable to add tag for configuration provider from 'All Rad Hat Satellites Providers'
1553791 - xClarity: Physical server summary page download as PDF button not supported
1553836 - Visibility expression does not evaluated correctly on custom buttons for Generic Object
1553873 - Missing Datastore Images
1553903 - [Regression] Backup/restore failing on appliances using pglogical
1554358 - Graph refresh should not be used for rhv36 providers
1554370 - Wrong breadcrumb link on order screen
1554454 - Adding a physical provider shows as infrastructure provider (text change)
1554532 - Schedule report fails to send mail when report is not empty
1554541 - Long time to refresh network provider on OpenStack
1554823 - Infinite spinner on Edit Playbook Reset button
1554825 - NTP server details doesn't show in UI after adding a new zone
1554832 - Automatic placement causes cloud tenant to not be selectable
1554839 - Policy simulation results are not displayed
1554889 - OpenStack Cinder Storage provider detail does not have link to Volume Backups
1554898 - when deleting an archived node using configure > remove a unknown method error is raised
1554901 - Missing Guest OS in dashboard reports in Openstack
1557130 - CVE-2018-7750 python-paramiko: Authentication bypass in transport.py
1557353 - Adding a network router via CloudForms the router is not seen by CloudForms
1557361 - [RFE][XS-2]Cloudforms does not show node hostname, only GUID for OpenStack Infrastructure Provider
1557367 - Request not required when adding Schedule
1557378 - [UI] There is no indication of cloud network delete operation
1557380 - Tagging: Edit tags page doesn't open for images opened from provider summary page
1557388 - Inconsistent capitalization of 'CPU' when creating chargeback rate
1557391 - Physical Infrastructure provider quadicons doesn't support single view
1557400 - Physical server quadicon switch under My Settings doesn't respect RBAC rules
1558030 - internal server error when accessing the "policy_events" attribute of the "vms" resource
1558038 - AWS flavor list is out of date
1558040 - Not able to scan instances in AWS
1558046 - OpenStack - Include Provider Error Message in MiqProvisionFailure
1558048 - Provision fails if no Subnet assigned not Cloud Network
1558078 - [RFE][M-5] Targeted Refresh for Azure Provider
1558092 - Dropdown to delete a "not responding" server is missing
1558142 - Network provider quadicons doesn't support single view
1558144 - UI inconsistency - Size Unit title missing when adding a new disk
1558544 - Creating buttons under the Datastore objects do not appear on Datastore Details Pages
1558594 - No event AWS_EC2_Instance_UPDATE when renaming a VM on EC2
1558610 - Images from the webmks css causes CSP errors in browser console
1558621 - RedHat domain can be edited/deleted
1558626 - PG::InvalidTableDefinition: ERROR: cannot alter inherited column "resource_type
1559475 - CUI returning empty array when dialog without associations is saved
1559479 - [RFE] Add RHV Credential to Ansible Automation Inside
1559483 - CUI doesn't check dialog field associations
1559543 - [RFE] Metering Reports should provide Hours of Existence & Start and end time of VMs, Projects and Images
1559544 - [RFE] Collect Container Project Quota Historical data in Project Roll-up
1559550 - Regression Instance Method check_quota Throws Error 5.8.2 to 5.8.3 undefined method provisioned_storage
1559552 - Api::ServiceCatalogsController timeout error in multi-regional environment
1559609 - Amazon agent deployment has to choose the VPC which has attached gateway configuration
1559624 - Graph refresh does not fetch custom attributes
1560004 - [RFE] SCVMM provider refresh error message issue if provider user doesn't have access to VMM service
1560096 - Error occurs when trying to edit a catalog item
1560098 - Outgoing SMTP E-mail Server settings not saved on first attempt
1560100 - Total matches of Ems Cluster roles showing wrong count
1560104 - Automate Schedule: "Starting time" field saves nonsense.
1560692 - Stop CF pestering OpenStack for Swift status when there is no Swift.
1560699 - Consolidated RefreshWorkers may cause job starvation
1560703 - Refresh is broken for ec2 when get_public_images is set to true
1560708 - My Company(All EVM Groups) filter missing from reports schedule
1561076 - Duplicate RBAC Role and Group names allowed when using different capitalization from the original name
1561079 - [Regression]Error with report policy event for the last 7 days
1561085 - [RFE] Azure Network router not displayed on CFMe
1561091 - List view displayed instead of grid on Manage Policies screen
1561096 - Default selected tag name / value mismatch when assigning tags
1561107 - ERROR -- : AnsibleTowerClient::Middleware::RaiseTowerError Response Body: {"detail"=>["'username' is not a valid field for Vault"]}
1561216 - Failure to refresh on OpenStack provider when Fog::Storage::OpenStack::File object has nil body attribute
1561218 - [RHV] PXE provision with Network "use template nics" fail on creating VM
1561222 - ping feature inconsistent with webui ping when database connectivity is lost
1562075 - Duplicate values are shown in dialog dropdown.
1562235 - Nics are Provisioned out of Order for VMware Service Provision
1562772 - tenant source_id compromisation after changing provider credentials
1562777 - Approval permissions are not followed between different groups
1562779 - Cannot create service template using the API
1562780 - [SCVMM]Extract Running Processes completed Task List does not inform about Warnings.
1562782 - A state machine's on_exit method runs before the main method if the main method is an embedded Ansible playbook
1562785 - Refresh failed after performing vm_reconfiguration_task
1562788 - [Regression] RHV provider discovery doesn't work
1562791 - Database Replication broken for current and new regions
1562797 - CFME - usage of non standard special characters (e.g. accents) in password causes user is not able to login
1562800 - Schedule Operation: Cannot create schedule, "Add" button is not active
1562803 - [RFE] CFME, add Ansible GIT repository custom SSH port option
1562811 - No Advanced Search in Volume Snapshots/Backups
1563268 - CloudForms appliance is ignoring azure proxy settings in advanced tab.
1563351 - Nuage provider is unable to refresh inventory when subnets are missing gateway address
1563358 - Nuage Networks provider does not handle empty AMQP details
1563359 - Nuage Provider doesn't capture Alarms
1563361 - Nuage provider's event catcher yields "Too many open files" after 9 hours
1563363 - VMware vCloud Provider's inventoring fails because of bug in Disk parsing
1563364 - Support console access for VMware vCloud Provider's VMs
1563492 - CVE-2018-1101 ansible-tower: Privilege escalation flaw allows for organization admins to obtain system privileges
1563731 - in the conditions screen you see "Container Node" on the left but "Node" on the right
1563740 - ReconfigVM Event triggers a refresh_sync Holding Automate Process in State Machine
1565139 - Some expression method definitions can fail with "