-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2015.3156
         Moderate: CFME 5.4.4 bug fixes, and enhancement update
                              17 December 2015

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           CFME
Publisher:         Red Hat
Operating System:  Red Hat
Impact/Access:     Increased Privileges -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2015-7502

Reference:         ESB-2015.3078

Original Bulletin:
   https://rhn.redhat.com/errata/RHSA-2015-2620.html

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: CFME 5.4.4 bug fixes, and enhancement update
Advisory ID:       RHSA-2015:2620-01
Product:           Red Hat CloudForms
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2015-2620.html
Issue date:        2015-12-16
Cross references:  RHBA-2014:19011
CVE Names:         CVE-2015-7502
=====================================================================

1. Summary:

Updated cfme packages that fix a security issue, several bugs, and add
various enhancements are now available for Red Hat CloudForms 3.2.

Red Hat Product Security has rated this update as having Moderate Security
impact. Common Vulnerability Scoring System (CVSS) base scores, which give
detailed severity ratings, are available for each vulnerability from the
CVE links in the References section.

2. Relevant releases/architectures:

CloudForms Management Engine 5.4 - x86_64

3. Description:

Red Hat CloudForms Management Engine delivers the insight, control, and
automation needed to address the challenges of managing virtual
environments. CloudForms Management Engine is built on Ruby on Rails, a
model-view-controller (MVC) framework for web application development.
Action Pack implements the controller and the view components.

A privilege escalation flaw was discovered in CloudForms, where in certain
situations, CloudForms could read encrypted data from the database and then
write decrypted data back into the database. If the database was then
exported or log files generated, a local attacker might be able to gain
access to sensitive information. (CVE-2015-7502)

This update also fixes several bugs. Documentation for these changes is
available in the Release Notes linked to in the References section.

All CFME users are advised to upgrade to these updated packages, which
correct these issues and add these enhancements.

4. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to use the
Red Hat Network to apply this update are available at
https://access.redhat.com/articles/

5. Bugs fixed (https://bugzilla.redhat.com/):

1222659 - RHOS: Fleecing an image throws following error in evm.log file
1265757 - Reconfigure service button gives 404
1268320 - VM provision dialog shows incorrect cpu count for RHEV CFME templates
1268905 - Internal DB Password Configuration breaks when password contains non-alphanum characters
1268983 - No root fileystem found when running SSA on images in OSP with Ceph
1269380 - WEB-UI: "Action not implemented [vm_infra/explorer]" when navigating from MySettings page to Virtual Machines page
1270305 - Request: "'nil' is not an ActiveModel-compatible object" error when on approve request screen
1272484 - UI: Missing partial error when trying to view a Request
1273519 - UI: Reports Menu Editor - Does not display flash message to indicate that folder name already in use
1273535 - Changing the default filter settings and navigating to that page displays blank screen.
1275782 - Cloud Provisioning dialogs do not apply RBAC filtering to resources displayed in dialog fields
1276353 - CFME should not use OpenStack adminURL endpoints for any services
1276411 - [RFE] Provide VHD Image for Microsoft SCVMM support
1277624 - DateTime control returns the wrong date/time if the chosen date/time is in less that 1h
1278062 - Wrong breadcrumb path when navigating between Provider screens using dashboard maintab
1280342 - UI exception when sorting Host's users
1281850 - Dashboards are not displayed if a user only has "view" permission on dashboards
1283019 - CVE-2015-7502 CloudForms: insecure password storage in PostgreSQL database
1285065 - 5.4.4 missing product cert for rhscl

6. Package List:

CloudForms Management Engine 5.4:

Source:
cfme-5.4.4.2-1.el6cf.src.rpm
cfme-gemset-5.4.4.2-1.el6cf.src.rpm

x86_64:
cfme-5.4.4.2-1.el6cf.x86_64.rpm
cfme-appliance-5.4.4.2-1.el6cf.x86_64.rpm
cfme-debuginfo-5.4.4.2-1.el6cf.x86_64.rpm
cfme-gemset-5.4.4.2-1.el6cf.x86_64.rpm
cfme-lib-5.4.4.2-1.el6cf.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2015-7502
https://access.redhat.com/security/updates/classification/#moderate
https://access.redhat.com/documentation/en-US/Red_Hat_CloudForms/3.2/html/Release_Notes/index.html

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2015 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iD8DBQFWcXw6XlSAg2UNWIIRAouGAKCSzSKH/6EFZ+N4cyD/xHPF5O3+XQCdEdtN
Nxg24xFxcLthNODHswHbQmY=
=jsmA
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT.
The mailing list you are subscribed to is maintained within your
organisation, so if you do not wish to continue receiving these bulletins
you should contact your local IT manager. If you do not know who that is,
please send an email to auscert@auscert.org.au and we will forward your
request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your
organisation's site policies and procedures. AusCERT takes no
responsibility for consequences which may arise from following or acting
on information or advice contained in this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBVnH81n6ZAP0PgtI9AQKlkBAAgyzgvkTdfakUTOEgrBjzXxM5hpvBoXGT
DD1byMWMe4AX2qcuAtrwJIG71htAwZ3VOU0peCemHvjqpdnGZzjKr99nN4Ko1UeM
u2ho3K6f+L8oRXEyLByQlA8nLXP/iqb0g8SpiQ9cnYd6PQOX2klRfQQe83GYU1FM
+46r3kW0Ah03Yd8rs06RvrJMDM4aSIya6tEJqy6vU/0fm7CoUmgECoJ5PBkbW57P
3lzJ0GKcVa/gS+Itmahdgo6IztqQA1b/3tn56uJAoDQXVJecxtN2g7yksiU2CwRt
Aq/p9mNRr0VmGrAG1ADxRne8ujCjzxaFP5ZcT+ObHK0qSul3CgR8Dwzn1CTz+XBo
uCR/SFmcDh8NvvJmjx0K7E7VYh6OTs40MJdz4mSBCxqZpTg4olB9BbGsuw0YU9sC
h2YTqJ5RVq/th5DTCHgEEYoQiJAjVTa4vI76IgposTJoCILw772brP6FSUfgRah1
nnQ0PnyNfuDbelMAigvfZqw8H7/qVwxI0MpyLSz9MZTVaMPHoPt7MYt+WbgeW/p9
WVzmVIYuvZh+zaPCByevLwvRg6dlEbUwTxelmqTsRBRXIXJEo9dU1JrD/oyykok0
nwWdvBAPIHwUvtLqcVLlu6IEYYnwsqxUikg1Ln/bwbn6mF697g65R/obQ36k3HhX
hg5MW7ht6ZU=
=5IPi
-----END PGP SIGNATURE-----
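The flaw described in section 3 of the included advisory (CVE-2015-7502, "insecure password storage in PostgreSQL database" in the bug list) is a read-decrypt-write-back pattern: a model loads a stored secret, decrypts it into the attribute that gets persisted, and a later save writes the plaintext into the column. The Ruby example below is added here and is not code from CloudForms, Red Hat or AusCERT. It models that pattern against an in-memory stand-in for a database table, places a hardened model beside it that keeps the persisted attribute encrypted and refuses to save anything else, and ends with a small audit helper that flags rows of an export whose secret column is plaintext. The toy cipher, the `enc:` prefix, the table layout and every sample value are constructed for illustration and do not reflect CloudForms' real storage format.

```ruby
# Added example, not CloudForms code. Illustrates the bug class in the
# advisory (decrypt on read, persist the decrypted value) next to a
# hardened model, plus an audit check for exported rows.
require 'base64'

TOY_KEY    = "example-key".freeze  # constructed; a real system uses a managed key
ENC_PREFIX = "enc:".freeze         # constructed marker for ciphertext at rest

# Toy XOR "cipher" so the round trip is observable. NOT real encryption.
def toy_xor(bytes)
  key = TOY_KEY.bytes
  bytes.each_with_index.map { |b, i| b ^ key[i % key.size] }.pack('C*')
end

def toy_encrypt(plaintext)
  ENC_PREFIX + Base64.strict_encode64(toy_xor(plaintext.bytes))
end

def encrypted?(value)
  value.is_a?(String) && value.start_with?(ENC_PREFIX)
end

def toy_decrypt(stored)
  raise ArgumentError, "value is not in encrypted form" unless encrypted?(stored)
  toy_xor(Base64.strict_decode64(stored.delete_prefix(ENC_PREFIX)).bytes)
end

# Stand-in for a database table: id => { column => value }.
class FakeDatabase
  attr_reader :rows
  def initialize; @rows = {}; end
  def write(id, attrs); @rows[id] = attrs.dup; end
  def read(id); @rows.fetch(id).dup; end
end

# Vulnerable pattern: the secret is decrypted straight into the attribute
# that is later persisted, so any save() writes plaintext back to the row.
class LeakyCredential
  attr_accessor :password
  def initialize(db, id)
    @db = db
    @id = id
    @password = toy_decrypt(db.read(id)[:password])  # plaintext now lives in the persisted field
  end
  def save
    @db.write(@id, password: @password)              # writes decrypted data back
  end
end

# Hardened pattern: the persisted attribute only ever holds ciphertext;
# plaintext is produced on demand and never assigned back to the column,
# and save() refuses to persist anything that is not in encrypted form.
class SafeCredential
  def initialize(db, id)
    @db = db
    @id = id
    @password_encrypted = db.read(id)[:password]
  end
  def password; toy_decrypt(@password_encrypted); end
  def password=(plain); @password_encrypted = toy_encrypt(plain); end
  def save
    raise "refusing to persist an unencrypted secret" unless encrypted?(@password_encrypted)
    @db.write(@id, password: @password_encrypted)
  end
end

# Audit helper for a database export: ids whose secret column is plaintext.
def plaintext_secret_ids(db, column = :password)
  db.rows.reject { |_, attrs| encrypted?(attrs[column]) }.keys
end

# Constructed scenario: two rows start out encrypted; each model saves once.
def demo
  db = FakeDatabase.new
  db.write(1, password: toy_encrypt("s3cret"))
  db.write(2, password: toy_encrypt("hunter2"))
  LeakyCredential.new(db, 1).save   # row 1 now holds "s3cret" in the clear
  SafeCredential.new(db, 2).save    # row 2 stays encrypted
  plaintext_secret_ids(db)          # => [1]
end
```

Running `demo` returns `[1]`: the leaky model's save wrote the plaintext back for row 1, while the safe model left row 2 encrypted. The `plaintext_secret_ids` check, pointed at a real export with the deployment's own ciphertext marker, is the kind of post-upgrade verification a defender would run to confirm that secrets are still landing in the database in encrypted form.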