-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 ==================================================================== Red Hat Security Advisory Synopsis: Moderate: CloudForms 4.6.3 bug fix and enhancement update Advisory ID: RHSA-2018:2184-01 Product: Red Hat CloudForms Advisory URL: https://access.redhat.com/errata/RHSA-2018:2184 Issue date: 2018-07-12 Cross references: RHSA-2018:1328 CVE Names: CVE-2018-10855 ==================================================================== 1. Summary: An update is now available for CloudForms Management Engine 5.9. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. 2. Relevant releases/architectures: CloudForms Management Engine 5.9 - noarch, x86_64 3. Description: Red Hat CloudForms Management Engine delivers the insight, control, and automation needed to address the challenges of managing virtual environments. CloudForms Management Engine is built on Ruby on Rails, a model-view-controller (MVC) framework for web application development. Action Pack implements the controller and the view components. Security fix(es): * ansible: Failed tasks do not honour no_log option allowing for secrets to be disclosed in logs (CVE-2018-10855) Red Hat would like to thank Tobias Henkel (BMW Car IT GmbH) for reporting these issues. For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section. Additional Changes: This update fixes various bugs and adds enhancements. Documentation for these changes is available from the Release Notes document. 4. Solution: Before applying this update, make sure all previously released errata relevant to your system have been applied. For details on how to apply this update, refer to: https://access.redhat.com/articles/11258 5. Bugs fixed (https://bugzilla.redhat.com/): 1536677 - Simultaneous service catalog request do not honour quotas 1553227 - When editing ansible service catalog item the dialog radio button never appears 1553383 - [RFE] Switch default refresh to graph refresh for RHV provider 1553795 - [RFE] Move database maintenance to the application 1563745 - appliance console showing removed option db maintenance 1565845 - Service buttons do not attach $evm.root['service'] 1565925 - The value that is selected in the drop down is not passed to the $evm.root 1566570 - If the external network provider is unavailable CFME network provider throws unfriendly exception 1569170 - Help Documentation is only visible to users with super admin role 1571303 - [Regression] Unexpected error while opening GCE details page 1572760 - OSPD 13 Undercloud - Infrastructure Provider Network Manager does not refreshed 1574154 - Refresh Failing for VMware VIM object is too large 1574569 - OSPD 12 Undercloud - Infrastructure Provider refresh failed 1575713 - Unable to access the Help Documentation page due to "Authorization Error" 1576099 - total costs no longer showing in any chargeback report if they are the only columns in the report 1577247 - ansible-tower-setup installs several new non-Red Hat yum repositories 1578121 - [RHV] SSA is not retrieving file information from VM on RHV 1578124 - Incorrect storage type size in openstack cloud reports 1578125 - Cloud Volume creation error does not raise VM provision error 1578126 - VMDB backup is failing perhaps due to uninitialized constant MiqServer::WorkerManagement::Monitor::Dalli 1578388 - RHOSP11 metric collection stuck with error: Fog::Metric::OpenStack::NotFound 1578393 - Improving the error message of provisioning a VM via rest api with wrong vlan value 1578394 - openstack chargeback based on chargeback per vm does not show storage costs by storage types correctly 1578398 - Openshift container retirement 1578400 - Cannot create or edit report secondary (display) filter 1578856 - Compliance check is greyed out under VM summary screen when VM is selected but not when you click on the VM. 1578865 - Error upon successful SAML login when username contains capital letters 1578954 - Submit/Cancel buttons are not displayed on custom button dialogs for some service types 1578957 - Unable to restore database to any ha node in a cluster 1578964 - Create Volume failed: undefined method `my_zone' 1578972 - [QEDevCollab] C&U: discrepancy in rounding of data for Graphs and Table causing automation failures 1578976 - [Regression][Embedded Ansible] Ansible Catalog Item can be created without the Dialog 1578986 - "Choose" should be shown in 'tag control' dropdown default value , instead blank is shown. 1578990 - SUI does not show custom button dialog 1578996 - [RHV] When Graph refresh is ON, RHV provider refresh time is longer 1580520 - Adding interface to a router cause Unexpected error 1580535 - Refresh of a second dynamic dialog does not update the hash passed to $evm.object['values'] when another dialog is referenced 1581287 - [RHV] VM snapshot removal cause failure in RHV provider refresh 1581307 - When using dynamic multi select dialog elements the first element is always selected even if nil default is specified and it does not show up as selected in UI 1581386 - Dynamic dropdown doesn't refresh correctly 1583704 - default selection of dropdown list is not displayed properly but still taken into account 1583710 - Unexpected Error when accessing SERVICE -> REQUESTS (undefined method find_tags_by_grouping) 1583777 - VMware vCloud Provider's vApp Provisioning Reports Error When vApp Powered Off 1583779 - Tagging Ansible: Incorrect tag page opened for playbooks navigated through repository page 1583784 - xClarity: Wrong credentials and last refresh status when execute refresh cycle against a provider with invalid credentials 1583786 - chargeback reports based on vms with tags assigned show no records on generation 1583788 - UI Worker Exceeding Memory Trying to View Hosts for VMware Provider 1583851 - Ansible Job Times out at 300 seconds causing Automate State Machine to Fail 1584186 - CPU Utilization report graph shows dates on x axis in random order 1584296 - VMware vCloud Provider's Provisioning dialog should be split in three tabs 1584406 - prov.set_vlan() method didn't set the vnicprofiles identifier 1584687 - refresh_target_for_ems is not running in one of our environments 1584699 - VMware vCloud Provider's VM should support hardware reconfigure 1585709 - Service dialog targeted element refresh is refreshing targeted items 22 times 1585745 - automation executed on field refresh are called twice in self service dialogs 1585821 - C&U data collection fails for GCE in 5.9 1586213 - Notification events are out of order 1588038 - RHV Snapshots: Reverting to "Active VM" throws "Cannot preview Active VM snapshot" in evm.log 1588042 - vm.hardware.nics[0].lan nil for RHV VMs 1588855 - CVE-2018-10855 ansible: Failed tasks do not honour no_log option allowing for secrets to be disclosed in logs 1589837 - unable to export all service dialogs 1590346 - 400 Bad Request: When custom button used from infra provider object type with method and dialog both attached 1590353 - dropdown changed from dynamic to static won't hold values 1590426 - [Embedded Ansible] Service Details Page has duplicate tabs 1590430 - [RFE] Create a built-in policy to prevent source VM from starting if transformation is complete. 1590846 - [RFE] create database.yml when creating a dedicated database to allow local migrations when upgrading 1591422 - Proxy Error when performing advanced search 1591423 - Physical Infrastructure Compliance Policies don't have default event 1591425 - reading a dialog element from another dialog dynamic element fails until refreshing the dynamic element that reads the other dialog element 1591427 - Slow performance with displaying catalog order dialog 1591429 - CloudForms not collecting node level data from OpenShift 1591450 - unable to migrate from 5.6 to 5.9 due to to a database validation error 1591484 - Reconfigure service fields empty after deploying service 1591939 - Saved Report "2018-04-09 11:18:31 +03" not found, Schedule may have failed 1592414 - Not able to reconfigure VM 1592504 - [Regression] GCE provider refresh fails in CFME 5.9 1592852 - Grey background of grid view is styled differently in 5.9.2 1592913 - Changing number of UI Workers errors when using French or Japanese localization 1592973 - Domain prefix always included for Service Catalog Entry Points 1593677 - Chargeback scheduled report for the current month shows double rates and values as compared to previous one 1593684 - RHV provider full refresh fail on "undefined method `keys' for "":String 1593797 - Lifecycle VM Provision and Publish VM to Template Unusable/Slow 1594027 - reports do not generate with timeout errors in logs 1594268 - Drop Down Dialog Does Not Honor the Order of Values as they are Inputted 1594275 - Users can see items which they don't have permissions/access to under services they own 1594324 - Must Refresh UI to see Correct Tags of Datastore of vCenter VMware Provider 1594386 - Unable to download largest chargeback report on production 1594831 - The specify host values textbox is limited to 50 characters 1594833 - User defined custom attributes are deleted by RHV targeted refresh 1594839 - RHV provider target refresh fail on "undefined method `cluster'", right after VM removal 1595324 - Cloudforms Automation not executing properly when multiple pods are created or killed in a short timeframe. 1595418 - Provisioning embedded ansible service dialog fails 1595734 - Regression Unable to Edit order of Drop Down List Entries when Editing Service Dialog 1596248 - Creating OpenStack Router with user in a Tenant should list shared external networks 1596249 - Normal user cannot select shared OpenStack network during VM provision 1596314 - Openstack Volume Snapshots are appearing when we try to provision a instance via Lifecycle. 6. Package List: CloudForms Management Engine 5.9: Source: ansible-2.4.5.0-1.el7ae.src.rpm ansible-tower-3.2.5-1.el7at.src.rpm cfme-5.9.3.4-1.el7cf.src.rpm cfme-amazon-smartstate-5.9.3.4-1.el7cf.src.rpm cfme-appliance-5.9.3.4-1.el7cf.src.rpm cfme-gemset-5.9.3.4-1.el7cf.src.rpm httpd-configmap-generator-0.2.2-1.1.el7cf.src.rpm noarch: ansible-2.4.5.0-1.el7ae.noarch.rpm ansible-doc-2.4.5.0-1.el7ae.noarch.rpm x86_64: ansible-tower-3.2.5-1.el7at.x86_64.rpm ansible-tower-server-3.2.5-1.el7at.x86_64.rpm ansible-tower-setup-3.2.5-1.el7at.x86_64.rpm ansible-tower-ui-3.2.5-1.el7at.x86_64.rpm ansible-tower-venv-ansible-3.2.5-1.el7at.x86_64.rpm ansible-tower-venv-tower-3.2.5-1.el7at.x86_64.rpm cfme-5.9.3.4-1.el7cf.x86_64.rpm cfme-amazon-smartstate-5.9.3.4-1.el7cf.x86_64.rpm cfme-appliance-5.9.3.4-1.el7cf.x86_64.rpm cfme-appliance-common-5.9.3.4-1.el7cf.x86_64.rpm cfme-appliance-debuginfo-5.9.3.4-1.el7cf.x86_64.rpm cfme-appliance-tools-5.9.3.4-1.el7cf.x86_64.rpm cfme-debuginfo-5.9.3.4-1.el7cf.x86_64.rpm cfme-gemset-5.9.3.4-1.el7cf.x86_64.rpm cfme-gemset-debuginfo-5.9.3.4-1.el7cf.x86_64.rpm httpd-configmap-generator-0.2.2-1.1.el7cf.x86_64.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/ 7. References: https://access.redhat.com/security/cve/CVE-2018-10855 https://access.redhat.com/security/updates/classification/#moderate 8. Contact: The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/ Copyright 2018 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIVAwUBW0dUcdzjgjWX9erEAQgfIxAApzbwJYyGKIwc7OAqP6qbn9lsVASiQTMT ufQJx33VaZAYtfdt9GbTlkCcIX6QIojQBKt1nTQrq+ZzdhNVLpNvXF5kHMhrAhbE sYWflpjnIWMOZe00WraCxUeePxNWatIKhhmnen0J4YhWV8k1mbTLL3sgwK5M+kxA s3sr1pJtjd9E3OCXxSEOSQGD9LDrgaoW297toJx2zcKeI+Tb4TWy+zhBhsdAEfcW 25kwEIQPTCC764Z5M8wkbMxyWhc7ek/dRns6WpUloOdg+NlhsRvmGQl9DWKzmqob XVMvdV0C8CtqXY4NHFfscvf3CmOZMGIZzhYJ3bW7uLl765eotAcWeTGbtbZE5eiO 1LAKnTWx44esbPre/7bUce7jibxHEhroq7T/hk0jlvgd02/vPJeY6JKSxKcYxiPn WWEsruMeI/mKI6OuHbMIpB4Sp5pMPinjqKh/lv8uU1TtyyCxhPk34yJxoyGw7Zsc Y4XH8yatyyoZnPMM4BygJG+EC2m6lHbUxA84SS75RV9CtFIMAbvtavOtC5xRb8rZ A4ptn2FZTwz5vjxyfXVYpfc+FgEJReCLyMlw6+zvqPzo2xZe9nOz8FdxdcVLpfEf xL/g/5QN1I3j7TiCww/XzrXnerSEjikQ9YKcamqEIzbv+IRQSBelZIwVZjiBlIVm 2QNuyZNbBj8=dJ6P -----END PGP SIGNATURE----- -- RHSA-announce mailing list RHSA-announce@redhat.com https://www.redhat.com/mailman/listinfo/rhsa-announce