-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2017.3235
   Important: Red Hat CloudForms security, bug fix, and enhancement update
                              19 December 2017

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Red Hat CloudForms
Publisher:         Red Hat
Operating System:  Red Hat
Impact/Access:     Increased Privileges -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2017-2664
Reference:         ESB-2017.1913

Original Bulletin:
   https://access.redhat.com/errata/RHSA-2017:3484

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: Red Hat CloudForms security, bug fix, and enhancement update
Advisory ID:       RHSA-2017:3484-01
Product:           Red Hat CloudForms
Advisory URL:      https://access.redhat.com/errata/RHSA-2017:3484
Issue date:        2017-12-18
Cross references:  RHSA-2017:1601
CVE Names:         CVE-2017-2664
=====================================================================

1. Summary:

An update for cfme, cfme-appliance, and cfme-gemset is now available for
CloudForms Management Engine 5.7.

Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Relevant releases/architectures:

CloudForms Management Engine 5.7 - x86_64

3. Description:

Red Hat CloudForms Management Engine delivers the insight, control, and
automation needed to address the challenges of managing virtual
environments.

CloudForms Management Engine is built on Ruby on Rails, a model-view-controller
(MVC) framework for web application development. Action Pack implements the
controller and the view components.

CloudForms Management Engine Appliance.

CloudForms Management Engine Gemset.

Security Fix(es):

* CloudForms lacks RBAC controls on certain methods in the rails application
portion of CloudForms. An attacker with access could use a variety of methods
within the rails applications portion of CloudForms to escalate privileges.
(CVE-2017-2664)

This issue was discovered by Libor Pichler (Red Hat) and Martin Povolny (Red
Hat).

Additional Changes:

This update also fixes several bugs and adds various enhancements.
Documentation for these changes is available from the Release Notes document
linked to in the References section.

4. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1344690 - ActionController::RoutingError in automation simulation tree
1401560 - Missing buttons Graph view, Hybrid view, Table view and missing option Show full screen report
1424267 - selection doesn't move along with added/copied Condition in Control->Explorer->Policies treeview
1429962 - UI: VM "Edit Management Engine Relationship", 'Save' problem mal functionning
1435393 - CVE-2017-2664 CloudForms: lack of RBAC on various methods in web UI
1440105 - UI: Tasks are using an old icons for Task State.
1449404 - IE 11 on windows 7: On topology page entity icons are not displaying properly
1451831 - [Ansible Tower] - Ansible Tower Jobs - relationships table - undefined method when clicking on Service
1457979 - After killing reporting worker, report status still says Running
1458287 - Incorrect padding in Actions and Conditions selection screens
1460149 - [Ansible Tower] - Unexpected error when clicking on successful job
1460656 - WebUI:Tag Visibility - Ansible Tower Job Templates should honor tag visiblity
1460696 - HTML in node names of Control/Simulation tree
1460938 - Unexpected error encountered while clicking on "Download PDF" button on Switch page
1462104 - [Amazon EC2] - ManageIQ string in PDF filename of Network provider and in PDF title
1462146 - Access Web Console Cockpit not compatible with Windows VMs
1463265 - Missing id attribute on Cloud->Instance Edit form, Child VM MultiBoxSelect
1465077 - CFME collects C&U metrics even before resource creation
1465079 - report vm and instances field 'Provision.Request : Approved By' does not apply any styling
1465080 - The IP version (network protocol) is not displayed when editing cloud subnets
1465081 - Formatting of Provider summary PDF file generated from provider summary page is very broken
1465082 - [SDN][Tags] - Redirection to Network provider summary page page after tag is saved
1465083 - Tag Visibility | Cloud Stack: Tag is not added if stack list opened from provider detail page
1465084 - service now integrations for determining host_name return empty array
1465086 - Hourly metrics_## tables grow filling up the VMDB filesystem when real-time purges fail
1465088 - Service template provisioning request do not honour quotas
1465090 - "Items" keyword in the dropdown list values of Default Items Per Page in my settings
1465091 - [RFE] External Auth - AD - samba-common-tools and deps missing from appliance.
1465093 - The 'Assigned Filters' setting in the Settings->Access Control->Groups->[group name] only applies to 'Hosts & Clusters', and not the Network providers.
1465415 - Service Retirement not working properly for Orchestration Stacks due to missing zone.
1468593 - Check for blank password in database configuration to avoid postgres errors
1468606 - Azure refresh fails if provider has no orchestration stacks
1468612 - prevent two miq servers from starting
1468613 - Remote VNC/SPICE consoles lack logging when the remote endpoint is inaccessible
1468614 - Not able to retire VM/instance via API unless "Set Retirement Date" feature is checked for role
1468633 - websocket connection leaks causing failed connections
1469297 - Unable to select the Azure region UK South
1469703 - performance issue in openstack collection
1471201 - Replace nodejs010 with node from SCL in appliances
1471202 - Unable to save trusted forest Settings
1471204 - Not possible to refresh automate from GIT using API call
1471315 - Tag with Key 'Name' and a nil Value Breaks Refresh for AWS
1472364 - Productized border at top of page should be red not blue
1472381 - Ansible tower job templates filters are not displayed
1472383 - Deleted labels still show up in CFME after provider refresh
1472384 - Some container resources not cleaned up after removal from Openshift - research
1472806 - <Choose> found as option in drop down service dialogs
1473271 - Raise MiqProvisionError if instance is in error state
1475020 - Drop Down List Dialog does not keep default value for Integer type
1475031 - After applying errata 5.7.3.2 some dialog field default values are missing in the self-service portal
1476270 - Validation Credentials fails for OSP 10 Provider with AD "domain" user
1476279 - OpenStack cloud provider refresh error: Flavor <flavor id> could not be found
1476284 - After Applying ERRATA-RHSA-2017:1601 full refreshes are being trigged frequently
1476296 - Unable to perform power control operations on stack instance when navigated through stack summary page
1476395 - OSP: when validating an account with access to many projects, it checks each, and times out
1477195 - AD with external auth, When doing group lookup for user group SID number is displayed instead of Group name
1477617 - Validation failed: Status is not included in the list
1477722 - Unable to provision against vmware with "multiple parents found" error
1477723 - zones of sub region show up as zones appliances of a central region can move to
1477725 - Search field disappears when user clicks view selector after user input dialog on Compute->Infrastructure->All VMs page
1477727 - Refresh failed for VMware Provider in Cloudforms 4.5
1478368 - User unable to tick the check boxes of the folder while assigning the Alert profile
1479377 - Provisioning to MS SCVMM Uses host.name instead of host.hostname
1479410 - incorrect value used in stock automation wait_for_completion
1480630 - prefetch_below_threshold? failure after AWS upgrade
1481743 - UI: "Unexpected error encountered" when Downloading report in text,csv and pdf format
1481859 - Provisions via Users in multiple groups in tenants in SSUI result in VMs being provisioned to wrong group/tenant
1481862 - Azure inventory collection fails with missing instances for west-india region
1481864 - Datasources Download .txt truncates host-name
1481865 - Unable to provision HyperV networking properly
1481867 - Unable to provision against vmware due to "unknown method xsiType"
1481870 - Quota not using cloud volumes in requested resource calculation.
1482151 - Missing Icon of power state - migrating
1482672 - Workers processing a miq_queue message that exceed the memory threshold aren't given enough time to exit gracefully
1484387 - Setting VM ownership on more than 100 VMs at a time causing server error status 400 bad request
1484541 - Custom button not passing target object to dynamic dialog fields
1484549 - [RFE] Add config option to skip container_images
1487280 - Refresh fails: undefined method `[]' for nil:NilClass in `parse_image_name'
1487289 - [RFE] Include EvmRole-reader as read-only role in the fixtures
1487297 - [RFE] The azure image as built cannot be used in azure.
1487307 - Unable to perform any actions on cloud objects from list view when navigated to cloud tenants
1487321 - Unable to access filter tab while Editing chargeback for projects report
1487323 - Save only used OpenShift images with labels/tags
1487686 - Drop down history toolbar button on Import/Export report page is not needed, should be removed.
1487694 - UI elements not loading and reporting widgets not showing data points
1490434 - Clicking x button in search box doesn't remove the search
1491576 - [Regression] Unable to assign actions to a policy
1492158 - Quota management doesn't work according the expected
1492867 - Dashboard shows 2 for "retiring soon" services but clicking on that link shows None
1493700 - HTML5 VNC Remote Console: Remove VNC proxy from the UI
1494189 - vc refreshes are preventing full refreshes
1495971 - setting a dynamic dialog to "required = True" is not saved
1496597 - Setting memory_reserve lower than vm_memory failed
1497522 - Deleted VM is moved to status Orphan, though it should move to Archived.
1497748 - Editing Name of a Category via API breaks Chargeback Assignments
1498095 - Tag/Networks: Cloud Network list is available for restricted user, if Network manager was tagged
1498131 - It allows me to have filter with same name twice when loading global filter
1498232 - [Regression] appliance_console not enabling all required SCAP rules.
1500050 - Cannot add Azure provider to CloudForms 4.2
1500052 - Azure refreshes fail with [NameError]: wrong constant name $default
1500067 - Cloudforms AWS image with Azure provider fails to discover entire environment
1500995 - Unable to initiate VM console in VMware environment with 6.5 VC and ESXi 6.5
1501478 - overwriting reports causes new runs of the report to not show data for some columns
1502739 - Dynamic refresh ignored on Service Dialog elements if clicking submit without clicking out of refresh trigger element first
1505417 - Records with duplicate timestamp in metrics rollup table
1505458 - UI: PDF Download button is missing from the infra provider summary page (it is displayed for cloud providers)
1505468 - Edit tags not working while navigating to instance through provider
1505546 - [EUWE] HTML5 Console Does Not Display From SSUI/OPS UI VMWare
1506626 - compute.instance.exists events
1509420 - Queue workers are frequently querying pg_backend_pid
1517712 - Storage Volume Attach give Unexpected Error
1521043 - Azure NetworkManager refresh failure with "undefined method `source_address_prefix'" error

6. Package List:

CloudForms Management Engine 5.7:

Source:
cfme-5.7.4.2-1.el7cf.src.rpm
cfme-appliance-5.7.4.2-1.el7cf.src.rpm
cfme-gemset-5.7.4.2-1.el7cf.src.rpm
rh-ruby23-rubygem-nokogiri-1.8.1-2.el7cf.src.rpm

x86_64:
cfme-5.7.4.2-1.el7cf.x86_64.rpm
cfme-appliance-5.7.4.2-1.el7cf.x86_64.rpm
cfme-appliance-debuginfo-5.7.4.2-1.el7cf.x86_64.rpm
cfme-debuginfo-5.7.4.2-1.el7cf.x86_64.rpm
cfme-gemset-5.7.4.2-1.el7cf.x86_64.rpm
rh-ruby23-rubygem-nokogiri-1.8.1-2.el7cf.x86_64.rpm
rh-ruby23-rubygem-nokogiri-debuginfo-1.8.1-2.el7cf.x86_64.rpm
rh-ruby23-rubygem-nokogiri-doc-1.8.1-2.el7cf.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2017-2664
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2017 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iD8DBQFaOCPCXlSAg2UNWIIRAoCOAJ4hDys8f7j0ds8NqSY+dulIXwI1WQCff+ze
bGKOZPFsz5Gnxv0Rm3WWnrM=
=wTln
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content.
The decision to follow or act on information or advice contained in this
security bulletin is the responsibility of each user or organisation, and
should be considered in accordance with your organisation's site policies
and procedures. AusCERT takes no responsibility for consequences which may
arise from following or acting on information or advice contained in this
security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBWjiKc4x+lLeg9Ub1AQiqeA/+JC8zdWzhvAspu2ffBnOFUkwpJ4imFi5K
kO9w+Xkp677ECRJ1IbgSLP3R7xH1WdYczRVzkS13Fbljh0AfMAcQbXXnW4B+NUfX
pTW2ZAS6VerHVNfOO8vKQIy4ETA+qwOYfA8otXyJ7WcomIEgZI96NbQSDpg1/6ev
BSchlPPy9tDDY7r5CqvK10UV/voJxsJ/4xi+1nmM9vMud11EwkeTzmAsC4uZoo1z
csEmW5RikoLxG7raymKNGLgsCmywjoP6ucZq6Dc1j49NGHbBKN18dDE67u91MLL2
SAWPpLp8nqR11yGXOXP65My0O/O8rYN0ngoGsfl2ao+WAHxt2FUkfpjZaL6omE5q
znYZeH42s2wCuYQ1UHOTpCeWOysVsBse4tp55l5vkBfZu9kwIDYOzUXYt4nE0jc8
mfgjLXAO8MPcH1nE7OT2tlWqL7AAKu0Rq8RTJZwn4oSOoMGJgKXlwMt+9aHdhO6a
/Gi7sQzHN8RDT+K/BtHjwgBND3m83lZkMpKgN+eScjduYrGWDEGQ4faVp4CQO84+
xopI7/Cnbs8/N2waFRLQWPHrkct8jcOV22ZUWMCyg0lG8+cQh+cqEDzDiLUuuvIh
+3HPWhHP9M5Fbs6VjzT6Ecfb9MmwWLSWCF88/LdsuNA/u/tKgPpcxTI+N5YTG20H
LcGX3llVuJg=
=J9sP
-----END PGP SIGNATURE-----
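Editor's note on the Security Fix (CVE-2017-2664, "lacks RBAC controls on certain methods in the rails application"): the flaw class is a Rails controller action that is routable by any authenticated user because no authorization filter runs before it. The plain Ruby below is an added illustration of that class written for this page; it is not CloudForms code, does not model any real CloudForms controller, and all controller, action, role and feature names in it are hypothetical. It models Rails-style before_action filters without Rails, so it runs stand-alone: the unguarded controller registered its RBAC filter for index only, leaving destroy reachable by a low-privilege role; the guarded controller maps every action to a required feature and denies by default.

```ruby
require 'set'

class Forbidden < StandardError; end

# Constructed sample data (hypothetical roles/features): role -> features it may use.
ROLE_FEATURES = {
  'administrator' => Set['vm_view', 'vm_delete'],
  'operator'      => Set['vm_view'],
}.freeze

User = Struct.new(:name, :role)

# Minimal stand-in for a Rails controller: class-level before_action filters
# run, in declaration order, before the requested action is invoked.
class BaseController
  def self.before_action(name, only: nil)
    (@filters ||= []) << [name, only]
  end

  def self.filters
    @filters || []
  end

  def initialize(user)
    @current_user = user
  end

  # Route an action name to the controller method, running matching filters first.
  def dispatch(action)
    action = action.to_sym
    raise ArgumentError, "unknown action #{action}" unless self.class::ACTIONS.include?(action)
    self.class.filters.each do |name, only|
      next if only && !only.include?(action)
      send(name, action)
    end
    public_send(action)
  end

  private

  def feature_allowed?(feature)
    ROLE_FEATURES.fetch(@current_user.role, Set.new).include?(feature)
  end
end

# Vulnerable shape: the RBAC filter was wired up for index only, so destroy is
# reachable by any authenticated user regardless of role.
class UnguardedVmController < BaseController
  ACTIONS = %i[index destroy].freeze
  before_action :require_vm_view, only: %i[index]

  def index;   'vm list';    end
  def destroy; 'vm deleted'; end

  private

  def require_vm_view(_action)
    raise Forbidden, 'vm_view required' unless feature_allowed?('vm_view')
  end
end

# Hardened shape: one filter on every action, resolving the feature the action
# needs and denying when an action has no mapping (fail closed).
class GuardedVmController < BaseController
  ACTIONS = %i[index destroy].freeze
  REQUIRED_FEATURE = { index: 'vm_view', destroy: 'vm_delete' }.freeze
  before_action :authorize_action

  def index;   'vm list';    end
  def destroy; 'vm deleted'; end

  private

  def authorize_action(action)
    feature = REQUIRED_FEATURE[action]
    raise Forbidden, "no feature mapped for #{action}" if feature.nil?
    raise Forbidden, "#{@current_user.role} lacks #{feature}" unless feature_allowed?(feature)
  end
end

# Returns :allowed or :denied for a controller, user and action.
def attempt(controller_class, user, action)
  controller_class.new(user).dispatch(action)
  :allowed
rescue Forbidden
  :denied
end

if $PROGRAM_NAME == __FILE__
  operator = User.new('alice', 'operator')
  puts "unguarded destroy as operator: #{attempt(UnguardedVmController, operator, :destroy)}"
  puts "guarded destroy as operator:   #{attempt(GuardedVmController, operator, :destroy)}"
end
```

The point of the guarded shape is that authorization is attached to the controller as a whole and keyed on the action, so a newly added action cannot silently ship without a check: it either gets a feature mapping or is refused.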
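Editor's note on section 6 (Package List): after applying the update per https://access.redhat.com/articles/11258, a practitioner wants to confirm that every affected package on the appliance is at or above the fixed version-release. The Ruby below is an added example written for this page, not Red Hat tooling; it takes the output of `rpm -q --qf '%{NAME} %{VERSION} %{RELEASE}\n' cfme cfme-appliance cfme-gemset rh-ruby23-rubygem-nokogiri`, compares version and release segment by segment in the style of rpmvercmp (numeric segments compared as integers, alphabetic ones lexically, numeric newer than alphabetic), and lists packages still below the advisory's NVRs. The sample query output embedded in it is constructed for the example.

```ruby
# Fixed version-release pairs taken from section 6 of RHSA-2017:3484.
FIXED_EVR = {
  'cfme'                       => ['5.7.4.2', '1.el7cf'],
  'cfme-appliance'             => ['5.7.4.2', '1.el7cf'],
  'cfme-gemset'                => ['5.7.4.2', '1.el7cf'],
  'rh-ruby23-rubygem-nokogiri' => ['1.8.1',   '2.el7cf'],
}.freeze

# Constructed sample of `rpm -q --qf '%{NAME} %{VERSION} %{RELEASE}\n' ...`
# output: one appliance where cfme and nokogiri have not been updated yet.
SAMPLE_RPM_Q = <<~OUT
  cfme 5.7.3.2 1.el7cf
  cfme-appliance 5.7.4.2 1.el7cf
  cfme-gemset 5.7.4.2 1.el7cf
  rh-ruby23-rubygem-nokogiri 1.8.1 1.el7cf
OUT

# Segment-wise comparison in the spirit of rpmvercmp: returns -1, 0 or 1.
def rpm_segment_cmp(a, b)
  sa = a.scan(/\d+|[A-Za-z]+/)
  sb = b.scan(/\d+|[A-Za-z]+/)
  [sa.length, sb.length].max.times do |i|
    x = sa[i]
    y = sb[i]
    return -1 if x.nil?   # a ran out of segments first: older
    return  1 if y.nil?
    x_num = x.match?(/\A\d/)
    y_num = y.match?(/\A\d/)
    c = if x_num && y_num
          x.to_i <=> y.to_i   # numeric: 10 > 9
        elsif x_num
          1                   # numeric segment sorts newer than alphabetic
        elsif y_num
          -1
        else
          x <=> y
        end
    return c unless c.zero?
  end
  0
end

# Compare (version, release) pairs; release only matters when versions tie.
def evr_cmp(ver_a, rel_a, ver_b, rel_b)
  c = rpm_segment_cmp(ver_a, ver_b)
  c.zero? ? rpm_segment_cmp(rel_a, rel_b) : c
end

# Names of packages in the rpm -q output that are still below the fixed NVR.
def unpatched_packages(rpm_q_output)
  missing = []
  rpm_q_output.each_line do |line|
    name, ver, rel = line.split
    next if rel.nil? || !FIXED_EVR.key?(name)
    fixed_ver, fixed_rel = FIXED_EVR[name]
    missing << name if evr_cmp(ver, rel, fixed_ver, fixed_rel) < 0
  end
  missing
end

if $PROGRAM_NAME == __FILE__
  still_vulnerable = unpatched_packages(SAMPLE_RPM_Q)
  puts still_vulnerable.empty? ? 'all affected packages at fixed NVR' : "below fixed NVR: #{still_vulnerable.join(', ')}"
end
```

Pipe the real `rpm -q` output into `unpatched_packages` on the appliance; an empty result means every listed package is at or above the advisory's version. Package signatures themselves are checked separately with `rpm -K` against the Red Hat key referenced in section 6.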