Hash: SHA256

             AUSCERT External Security Bulletin Redistribution

  Important: Red Hat CloudForms security, bug fix, and enhancement update
                             19 December 2017


        AusCERT Security Bulletin Summary

Product:           Red Hat CloudForms
Publisher:         Red Hat
Operating System:  Red Hat
Impact/Access:     Increased Privileges -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2017-2664  

Reference:         ESB-2017.1913

Original Bulletin: 

- --------------------------BEGIN INCLUDED TEXT--------------------

Hash: SHA1

                   Red Hat Security Advisory

Synopsis:          Important: Red Hat CloudForms security, bug fix, and enhancement update
Advisory ID:       RHSA-2017:3484-01
Product:           Red Hat CloudForms
Advisory URL:      https://access.redhat.com/errata/RHSA-2017:3484
Issue date:        2017-12-18
Cross references:  RHSA-2017:1601
CVE Names:         CVE-2017-2664 

1. Summary:

An update for cfme, cfme-appliance, and cfme-gemset is now available for
CloudForms Management Engine 5.7.

Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

CloudForms Management Engine 5.7 - x86_64

3. Description:

Red Hat CloudForms Management Engine delivers the insight, control, and
automation needed to address the challenges of managing virtual
environments. CloudForms Management Engine is built on Ruby on Rails, a
model-view-controller (MVC) framework for web application development.
Action Pack implements the controller and the view components.

CloudForms Management Engine Appliance.

CloudForms Management Engine Gemset.

Security Fix(es):

* CloudForms lacks RBAC controls on certain methods in the rails
application portion of CloudForms. An attacker with access could use a
variety of methods within the rails applications portion of CloudForms to
escalate privileges. (CVE-2017-2664)

This issue was discovered by Libor Pichler (Red Hat) and Martin Povolny
(Red Hat).

Additional Changes:

This update also fixes several bugs and adds various enhancements.
Documentation for these changes is available from the Release Notes
document linked to in the References section.

4. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:


5. Bugs fixed (https://bugzilla.redhat.com/):

1344690 - ActionController::RoutingError in automation simulation tree
1401560 - Missing buttons Graph view, Hybrid view, Table view and missing option Show full screen report
1424267 - selection doesn't move along with added/copied Condition in Control->Explorer->Policies treeview
1429962 - UI: VM  "Edit Management Engine Relationship", 'Save' problem mal functionning
1435393 - CVE-2017-2664 CloudForms: lack of RBAC on various methods in web UI
1440105 - UI: Tasks are using an old icons for Task State.
1449404 - IE 11 on windows 7: On topology page entity icons are not displaying properly
1451831 - [Ansible Tower] - Ansible Tower Jobs - relationships table - undefined method when clicking on Service
1457979 - After killing reporting worker, report status still says Running
1458287 - Incorrect padding in Actions and Conditions selection screens
1460149 - [Ansible Tower] - Unexpected error when clicking on successful job
1460656 - WebUI:Tag Visibility - Ansible Tower Job Templates should honor tag visiblity
1460696 - HTML in node names of Control/Simulation tree
1460938 - Unexpected error encountered while clicking on "Download PDF" button on Switch page
1462104 - [Amazon EC2] - ManageIQ string in PDF filename of Network provider and in PDF title
1462146 - Access Web Console Cockpit not compatible with Windows VMs
1463265 - Missing id attribute on Cloud->Instance Edit form, Child VM MultiBoxSelect
1465077 - CFME collects C&U metrics even before resource creation
1465079 - report vm and instances field 'Provision.Request : Approved By' does not apply any styling
1465080 - The IP version (network protocol) is not displayed when editing cloud subnets
1465081 - Formatting of Provider summary PDF file generated from provider summary page is very broken
1465082 - [SDN][Tags] - Redirection to Network provider summary page page after tag is saved
1465083 - Tag Visibility | Cloud Stack: Tag is not added if stack list opened from provider detail page
1465084 - service now integrations for determining host_name return empty array
1465086 - Hourly metrics_## tables grow filling up the VMDB filesystem when real-time purges fail
1465088 - Service template provisioning request do not honour quotas
1465090 - "Items" keyword in the dropdown list values of Default Items Per Page in my settings
1465091 - [RFE] External Auth - AD - samba-common-tools and deps missing from appliance.
1465093 - The 'Assigned Filters' setting in the Settings->Access Control->Groups->[group name] only applies to 'Hosts & Clusters', and not the Network providers.
1465415 - Service Retirement not working properly for Orchestration Stacks due to missing zone.
1468593 - Check for blank password in database configuration to avoid postgres errors
1468606 - Azure refresh fails if provider has no orchestration stacks
1468612 - prevent two miq servers from starting
1468613 - Remote VNC/SPICE consoles lack logging when the remote endpoint is inaccessible
1468614 - Not able to retire VM/instance via API unless "Set Retirement Date" feature is checked for role
1468633 - websocket connection leaks causing failed connections
1469297 - Unable to select the Azure region UK South
1469703 - performance issue in openstack collection
1471201 - Replace nodejs010 with node from SCL in appliances
1471202 - Unable to save trusted forest Settings
1471204 - Not possible to refresh automate from GIT using API call
1471315 - Tag with Key 'Name' and a nil Value Breaks Refresh for AWS
1472364 - Productized border at top of page should be red not blue
1472381 - Ansible tower job templates filters are not displayed
1472383 - Deleted labels still show up in CFME after provider refresh
1472384 - Some container resources not cleaned up after removal from Openshift - research
1472806 - <Choose> found as option in drop down service dialogs
1473271 - Raise MiqProvisionError if instance is in error state
1475020 - Drop Down List Dialog does not keep default value for Integer type
1475031 - After applying errata some dialog field default values are missing in the self-service portal
1476270 - Validation Credentials fails for OSP 10 Provider with AD "domain" user
1476279 - OpenStack cloud provider refresh error: Flavor <flavor id> could not be found
1476284 - After Applying ERRATA-RHSA-2017:1601 full refreshes are being trigged frequently
1476296 - Unable to perform power control operations on stack instance when navigated through stack summary page
1476395 - OSP: when validating an account with access to many projects, it checks each, and times out
1477195 - AD with external auth, When doing group lookup for user group SID number is displayed instead of Group name
1477617 - Validation failed: Status is not included in the list
1477722 - Unable to provision against vmware with "multiple parents found" error
1477723 - zones of sub region show up as zones appliances of a central region can move to
1477725 - Search field disappears when user clicks view selector after user input dialog on Compute->Infrastructure->All VMs page
1477727 - Refresh failed for VMware Provider in Cloudforms 4.5
1478368 - User unable to tick the check boxes of the folder while assigning the Alert profile
1479377 - Provisioning to MS SCVMM Uses host.name instead of host.hostname
1479410 - incorrect value used in stock automation wait_for_completion
1480630 - prefetch_below_threshold? failure after AWS upgrade
1481743 - UI: "Unexpected error encountered" when Downloading report in text,csv and pdf format
1481859 - Provisions via Users in multiple groups in tenants in SSUI result in VMs being provisioned to wrong group/tenant
1481862 - Azure inventory collection fails with missing instances for west-india region
1481864 - Datasources Download .txt truncates host-name
1481865 - Unable to provision HyperV networking properly
1481867 - Unable to provision against vmware due to "unknown method xsiType"
1481870 - Quota not using cloud volumes in requested resource calculation.
1482151 - Missing Icon of power state - migrating
1482672 - Workers processing a miq_queue message that exceed the memory threshold aren't given enough time to exit gracefully
1484387 - Setting VM ownership on more than 100 VMs at a time causing server error status 400 bad request
1484541 - Custom button not passing target object to dynamic dialog fields
1484549 - [RFE] Add config option to skip container_images
1487280 - Refresh fails: undefined method `[]' for nil:NilClass in `parse_image_name'
1487289 - [RFE] Include EvmRole-reader as read-only role in the fixtures
1487297 - [RFE] The azure image as built cannot be used in azure.
1487307 - Unable to perform any actions on cloud objects from list view when navigated to cloud tenants
1487321 - Unable to access filter tab while Editing chargeback for projects report
1487323 - Save only used OpenShift images with labels/tags
1487686 - Drop down history toolbar button on Import/Export report page is not needed, should be removed.
1487694 - UI elements not loading and reporting widgets not showing data points
1490434 - Clicking x button in search box  doesn't remove the search
1491576 - [Regression] Unable to assign actions to a policy
1492158 - Quota management doesn't work according the expected
1492867 - Dashboard shows 2 for "retiring soon" services but clicking on that link shows None
1493700 - HTML5 VNC Remote Console: Remove VNC proxy from the UI
1494189 - vc refreshes are preventing full refreshes
1495971 - setting a dynamic dialog to "required = True" is not saved
1496597 - Setting memory_reserve lower than vm_memory failed
1497522 - Deleted VM is moved to status Orphan, though it should move to Archived.
1497748 - Editing Name of a Category via API breaks Chargeback Assignments
1498095 - Tag/Networks: Cloud Network list is available for restricted user, if Network manager was tagged
1498131 - It allows me to have filter with same name twice when loading global filter
1498232 - [Regression] appliance_console not enabling all required SCAP rules.
1500050 - Cannot add Azure provider to CloudForms 4.2
1500052 - Azure refreshes fail with [NameError]: wrong constant name $default
1500067 - Cloudforms AWS image with Azure provider fails to discover entire environment
1500995 - Unable to initiate VM console in VMware environment with 6.5 VC and ESXi 6.5
1501478 - overwriting reports causes new runs of the report to not show data for some columns
1502739 - Dynamic refresh ignored on Service Dialog elements if clicking submit without clicking out of refresh trigger element first
1505417 - Records with duplicate timestamp in metrics rollup table
1505458 - UI: PDF Download button is missing from the infra provider summary page (it is displayed for cloud providers)
1505468 - Edit tags not working while navigating to instance through provider
1505546 - [EUWE] HTML5 Console Does Not Display From SSUI/OPS UI VMWare
1506626 - compute.instance.exists events
1509420 - Queue workers are frequently querying pg_backend_pid
1517712 - Storage Volume Attach give Unexpected Error
1521043 - Azure NetworkManager refresh failure with "undefined method `source_address_prefix'" error

6. Package List:

CloudForms Management Engine 5.7:



These packages are GPG signed by Red Hat for security.  Our key and
details on how to verify the signature are available from

7. References:


8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2017 Red Hat, Inc.
Version: GnuPG v1


- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:


Australian Computer Emergency Response Team
The University of Queensland
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
Comment: http://www.auscert.org.au/render.html?it=1967