-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2018.2037
             CloudForms 4.6.3 bug fix and enhancement update
                                13 July 2018

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Red Hat CloudForms
Publisher:         Red Hat
Operating System:  Red Hat
Impact/Access:     Access Confidential Data -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2018-10855
Reference:         ESB-2018.1805

Original Bulletin:
   https://access.redhat.com/errata/RHSA-2018:2184

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: CloudForms 4.6.3 bug fix and enhancement update
Advisory ID:       RHSA-2018:2184-01
Product:           Red Hat CloudForms
Advisory URL:      https://access.redhat.com/errata/RHSA-2018:2184
Issue date:        2018-07-12
Cross references:  RHSA-2018:1328
CVE Names:         CVE-2018-10855
=====================================================================

1. Summary:

An update is now available for CloudForms Management Engine 5.9.

Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Relevant releases/architectures:

CloudForms Management Engine 5.9 - noarch, x86_64

3. Description:

Red Hat CloudForms Management Engine delivers the insight, control, and
automation needed to address the challenges of managing virtual
environments. CloudForms Management Engine is built on Ruby on Rails, a
model-view-controller (MVC) framework for web application development.
Action Pack implements the controller and the view components.

Security fix(es):

* ansible: Failed tasks do not honour no_log option allowing for secrets to
be disclosed in logs (CVE-2018-10855)

Red Hat would like to thank Tobias Henkel (BMW Car IT GmbH) for reporting
these issues.

For more details about the security issue(s), including the impact, a CVSS
score, and other related information, refer to the CVE page(s) listed in
the References section.

Additional Changes:

This update fixes various bugs and adds enhancements. Documentation for
these changes is available from the Release Notes document.

4. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1536677 - Simultaneous service catalog request do not honour quotas
1553227 - When editing ansible service catalog item the dialog radio button never appears
1553383 - [RFE] Switch default refresh to graph refresh for RHV provider
1553795 - [RFE] Move database maintenance to the application
1563745 - appliance console showing removed option db maintenance
1565845 - Service buttons do not attach $evm.root['service']
1565925 - The value that is selected in the drop down is not passed to the $evm.root
1566570 - If the external network provider is unavailable CFME network provider throws unfriendly exception
1569170 - Help Documentation is only visible to users with super admin role
1571303 - [Regression] Unexpected error while opening GCE details page
1572760 - OSPD 13 Undercloud - Infrastructure Provider Network Manager does not refreshed
1574154 - Refresh Failing for VMware VIM object is too large
1574569 - OSPD 12 Undercloud - Infrastructure Provider refresh failed
1575713 - Unable to access the Help Documentation page due to "Authorization Error"
1576099 - total costs no longer showing in any chargeback report if they are the only columns in the report
1577247 - ansible-tower-setup installs several new non-Red Hat yum repositories
1578121 - [RHV] SSA is not retrieving file information from VM on RHV
1578124 - Incorrect storage type size in openstack cloud reports
1578125 - Cloud Volume creation error does not raise VM provision error
1578126 - VMDB backup is failing perhaps due to uninitialized constant MiqServer::WorkerManagement::Monitor::Dalli
1578388 - RHOSP11 metric collection stuck with error: Fog::Metric::OpenStack::NotFound
1578393 - Improving the error message of provisioning a VM via rest api with wrong vlan value
1578394 - openstack chargeback based on chargeback per vm does not show storage costs by storage types correctly
1578398 - Openshift container retirement
1578400 - Cannot create or edit report secondary (display) filter
1578856 - Compliance check is greyed out under VM summary screen when VM is selected but not when you click on the VM.
1578865 - Error upon successful SAML login when username contains capital letters
1578954 - Submit/Cancel buttons are not displayed on custom button dialogs for some service types
1578957 - Unable to restore database to any ha node in a cluster
1578964 - Create Volume failed: undefined method `my_zone'
1578972 - [QEDevCollab] C&U: discrepancy in rounding of data for Graphs and Table causing automation failures
1578976 - [Regression][Embedded Ansible] Ansible Catalog Item can be created without the Dialog
1578986 - "Choose" should be shown in 'tag control' dropdown default value, instead blank is shown.
1578990 - SUI does not show custom button dialog
1578996 - [RHV] When Graph refresh is ON, RHV provider refresh time is longer
1580520 - Adding interface to a router cause Unexpected error
1580535 - Refresh of a second dynamic dialog does not update the hash passed to $evm.object['values'] when another dialog is referenced
1581287 - [RHV] VM snapshot removal cause failure in RHV provider refresh
1581307 - When using dynamic multi select dialog elements the first element is always selected even if nil default is specified and it does not show up as selected in UI
1581386 - Dynamic dropdown doesn't refresh correctly
1583704 - default selection of dropdown list is not displayed properly but still taken into account
1583710 - Unexpected Error when accessing SERVICE -> REQUESTS (undefined method find_tags_by_grouping)
1583777 - VMware vCloud Provider's vApp Provisioning Reports Error When vApp Powered Off
1583779 - Tagging Ansible: Incorrect tag page opened for playbooks navigated through repository page
1583784 - xClarity: Wrong credentials and last refresh status when execute refresh cycle against a provider with invalid credentials
1583786 - chargeback reports based on vms with tags assigned show no records on generation
1583788 - UI Worker Exceeding Memory Trying to View Hosts for VMware Provider
1583851 - Ansible Job Times out at 300 seconds causing Automate State Machine to Fail
1584186 - CPU Utilization report graph shows dates on x axis in random order
1584296 - VMware vCloud Provider's Provisioning dialog should be split in three tabs
1584406 - prov.set_vlan() method didn't set the vnicprofiles identifier
1584687 - refresh_target_for_ems is not running in one of our environments
1584699 - VMware vCloud Provider's VM should support hardware reconfigure
1585709 - Service dialog targeted element refresh is refreshing targeted items 22 times
1585745 - automation executed on field refresh are called twice in self service dialogs
1585821 - C&U data collection fails for GCE in 5.9
1586213 - Notification events are out of order
1588038 - RHV Snapshots: Reverting to "Active VM" throws "Cannot preview Active VM snapshot" in evm.log
1588042 - vm.hardware.nics[0].lan nil for RHV VMs
1588855 - CVE-2018-10855 ansible: Failed tasks do not honour no_log option allowing for secrets to be disclosed in logs
1589837 - unable to export all service dialogs
1590346 - 400 Bad Request: When custom button used from infra provider object type with method and dialog both attached
1590353 - dropdown changed from dynamic to static won't hold values
1590426 - [Embedded Ansible] Service Details Page has duplicate tabs
1590430 - [RFE] Create a built-in policy to prevent source VM from starting if transformation is complete.
1590846 - [RFE] create database.yml when creating a dedicated database to allow local migrations when upgrading
1591422 - Proxy Error when performing advanced search
1591423 - Physical Infrastructure Compliance Policies don't have default event
1591425 - reading a dialog element from another dialog dynamic element fails until refreshing the dynamic element that reads the other dialog element
1591427 - Slow performance with displaying catalog order dialog
1591429 - CloudForms not collecting node level data from OpenShift
1591450 - unable to migrate from 5.6 to 5.9 due to a database validation error
1591484 - Reconfigure service fields empty after deploying service
1591939 - Saved Report "2018-04-09 11:18:31 +03" not found, Schedule may have failed
1592414 - Not able to reconfigure VM
1592504 - [Regression] GCE provider refresh fails in CFME 5.9
1592852 - Grey background of grid view is styled differently in 5.9.2
1592913 - Changing number of UI Workers errors when using French or Japanese localization
1592973 - Domain prefix always included for Service Catalog Entry Points
1593677 - Chargeback scheduled report for the current month shows double rates and values as compared to previous one
1593684 - RHV provider full refresh fail on "undefined method `keys' for "<some guid>":String
1593797 - Lifecycle VM Provision and Publish VM to Template Unusable/Slow
1594027 - reports do not generate with timeout errors in logs
1594268 - Drop Down Dialog Does Not Honor the Order of Values as they are Inputted
1594275 - Users can see items which they don't have permissions/access to under services they own
1594324 - Must Refresh UI to see Correct Tags of Datastore of vCenter VMware Provider
1594386 - Unable to download largest chargeback report on production
1594831 - The specify host values textbox is limited to 50 characters
1594833 - User defined custom attributes are deleted by RHV targeted refresh
1594839 - RHV provider target refresh fail on "undefined method `cluster'", right after VM removal
1595324 - Cloudforms Automation not executing properly when multiple pods are created or killed in a short timeframe.
1595418 - Provisioning embedded ansible service dialog fails
1595734 - Regression Unable to Edit order of Drop Down List Entries when Editing Service Dialog
1596248 - Creating OpenStack Router with user in a Tenant should list shared external networks
1596249 - Normal user cannot select shared OpenStack network during VM provision
1596314 - Openstack Volume Snapshots are appearing when we try to provision a instance via Lifecycle.

6. Package List:

CloudForms Management Engine 5.9:

Source:
ansible-2.4.5.0-1.el7ae.src.rpm
ansible-tower-3.2.5-1.el7at.src.rpm
cfme-5.9.3.4-1.el7cf.src.rpm
cfme-amazon-smartstate-5.9.3.4-1.el7cf.src.rpm
cfme-appliance-5.9.3.4-1.el7cf.src.rpm
cfme-gemset-5.9.3.4-1.el7cf.src.rpm
httpd-configmap-generator-0.2.2-1.1.el7cf.src.rpm

noarch:
ansible-2.4.5.0-1.el7ae.noarch.rpm
ansible-doc-2.4.5.0-1.el7ae.noarch.rpm

x86_64:
ansible-tower-3.2.5-1.el7at.x86_64.rpm
ansible-tower-server-3.2.5-1.el7at.x86_64.rpm
ansible-tower-setup-3.2.5-1.el7at.x86_64.rpm
ansible-tower-ui-3.2.5-1.el7at.x86_64.rpm
ansible-tower-venv-ansible-3.2.5-1.el7at.x86_64.rpm
ansible-tower-venv-tower-3.2.5-1.el7at.x86_64.rpm
cfme-5.9.3.4-1.el7cf.x86_64.rpm
cfme-amazon-smartstate-5.9.3.4-1.el7cf.x86_64.rpm
cfme-appliance-5.9.3.4-1.el7cf.x86_64.rpm
cfme-appliance-common-5.9.3.4-1.el7cf.x86_64.rpm
cfme-appliance-debuginfo-5.9.3.4-1.el7cf.x86_64.rpm
cfme-appliance-tools-5.9.3.4-1.el7cf.x86_64.rpm
cfme-debuginfo-5.9.3.4-1.el7cf.x86_64.rpm
cfme-gemset-5.9.3.4-1.el7cf.x86_64.rpm
cfme-gemset-debuginfo-5.9.3.4-1.el7cf.x86_64.rpm
httpd-configmap-generator-0.2.2-1.1.el7cf.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2018-10855
https://access.redhat.com/security/updates/classification/#moderate

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2018 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBW0dUcdzjgjWX9erEAQgfIxAApzbwJYyGKIwc7OAqP6qbn9lsVASiQTMT
ufQJx33VaZAYtfdt9GbTlkCcIX6QIojQBKt1nTQrq+ZzdhNVLpNvXF5kHMhrAhbE
sYWflpjnIWMOZe00WraCxUeePxNWatIKhhmnen0J4YhWV8k1mbTLL3sgwK5M+kxA
s3sr1pJtjd9E3OCXxSEOSQGD9LDrgaoW297toJx2zcKeI+Tb4TWy+zhBhsdAEfcW
25kwEIQPTCC764Z5M8wkbMxyWhc7ek/dRns6WpUloOdg+NlhsRvmGQl9DWKzmqob
XVMvdV0C8CtqXY4NHFfscvf3CmOZMGIZzhYJ3bW7uLl765eotAcWeTGbtbZE5eiO
1LAKnTWx44esbPre/7bUce7jibxHEhroq7T/hk0jlvgd02/vPJeY6JKSxKcYxiPn
WWEsruMeI/mKI6OuHbMIpB4Sp5pMPinjqKh/lv8uU1TtyyCxhPk34yJxoyGw7Zsc
Y4XH8yatyyoZnPMM4BygJG+EC2m6lHbUxA84SS75RV9CtFIMAbvtavOtC5xRb8rZ
A4ptn2FZTwz5vjxyfXVYpfc+FgEJReCLyMlw6+zvqPzo2xZe9nOz8FdxdcVLpfEf
xL/g/5QN1I3j7TiCww/XzrXnerSEjikQ9YKcamqEIzbv+IRQSBelZIwVZjiBlIVm
2QNuyZNbBj8=
=dJ6P
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBW0flKGaOgq3Tt24GAQjOUg/9HcnCZVbQyBBmzJeSY4x7LPpdJMJ6o77s
K4YIQwuKivCWVkDsD4DkeyJjyDNkwUsGVw/6bC9F3DC1nERAsE97IijkM+09ho1u
BZ250uzYFe7ehT+ocU8UkySP5QmB+zl58IV/uYW2iciw6euswqvCEkODFV6fioSZ
vjxok+Rq+sP/4DFZP+H8vbqixe3MwGlBTkUQ7SRZNrC2jnv8mF5eahViJb7d54VM
GKwqQB025s0fleF+mfyruchFb9EKhhLMsFHdTwetPZg6OZDFj2RaIz/nJhImPf3g
/RdW1XkJENOGYzLIQQ9w8/iJU0dup+R7KvPVEyhmTUW2+L/tpBAn68XF2ST6YKa3
zN7Y8Rnj0ZCznhJwW/W/1fKAdktIZwDyqlfEi+eRZlEYJ6JMAxtRJuNimBiMxdSr
Lg9hvgB72PVYD7b1zVIeqh8o0ZesrK4Ry9H2q3VhjMu6yrvsesHaTkeoeZlCOEGt
CRUf2O6n+++Plx9nMm+0LgeOKEiEUVbthBOWp4Knp4OvSdJVtndhXsfdq45BzP+G
30RZVGr4c7+/TMI3YmMEIfuoNb8cZxt5Bcy4/A5z7nBBBj3AcWkXv6WkjgE/7MKm
MPGzFpLkIOrTxZT68+RxXwuXJky05ZVxTqFDpL0MtwMRxYZUXBv0ubTUsfeEzB3L
H9T3Ao/q15o=
=60U1
-----END PGP SIGNATURE-----
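The practical question an operator has after reading an errata bulletin like the one above is whether a given CloudForms appliance still carries a package below the fixed version. The following script is an added example, not part of the AusCERT bulletin or of Red Hat's advisory: it takes the binary package list from section 6 of RHSA-2018:2184 verbatim, parses `rpm -qa` style entries (assumed default `name-version-release.arch` output with no epoch), and reports every errata package installed at a lower version-release. The `SAMPLE_RPM_QA` block is constructed test data; the 5.9.2.4 and 1.0.el7cf values in it are made up to exercise the "outdated" path and are not real CloudForms builds. The version comparison is a simplified reimplementation of rpm's rpmvercmp (no tilde/caret pre-release handling), which is sufficient for the version strings in this errata.

```python
import re

# Binary package NVRs copied verbatim from section 6 (noarch and x86_64) of
# RHSA-2018:2184 above; .src.rpm entries are omitted since they are never
# installed on an appliance.
FIXED_PACKAGES = """
ansible-2.4.5.0-1.el7ae.noarch.rpm
ansible-doc-2.4.5.0-1.el7ae.noarch.rpm
ansible-tower-3.2.5-1.el7at.x86_64.rpm
ansible-tower-server-3.2.5-1.el7at.x86_64.rpm
ansible-tower-setup-3.2.5-1.el7at.x86_64.rpm
ansible-tower-ui-3.2.5-1.el7at.x86_64.rpm
ansible-tower-venv-ansible-3.2.5-1.el7at.x86_64.rpm
ansible-tower-venv-tower-3.2.5-1.el7at.x86_64.rpm
cfme-5.9.3.4-1.el7cf.x86_64.rpm
cfme-amazon-smartstate-5.9.3.4-1.el7cf.x86_64.rpm
cfme-appliance-5.9.3.4-1.el7cf.x86_64.rpm
cfme-appliance-common-5.9.3.4-1.el7cf.x86_64.rpm
cfme-appliance-debuginfo-5.9.3.4-1.el7cf.x86_64.rpm
cfme-appliance-tools-5.9.3.4-1.el7cf.x86_64.rpm
cfme-debuginfo-5.9.3.4-1.el7cf.x86_64.rpm
cfme-gemset-5.9.3.4-1.el7cf.x86_64.rpm
cfme-gemset-debuginfo-5.9.3.4-1.el7cf.x86_64.rpm
httpd-configmap-generator-0.2.2-1.1.el7cf.x86_64.rpm
"""

# Constructed sample of `rpm -qa` output from a hypothetical appliance.
# The 5.9.2.4 and 1.0.el7cf values are invented to show the outdated path.
SAMPLE_RPM_QA = """
cfme-5.9.2.4-1.el7cf.x86_64
cfme-appliance-5.9.2.4-1.el7cf.x86_64
ansible-2.4.5.0-1.el7ae.noarch
ansible-tower-3.2.5-1.el7at.x86_64
httpd-configmap-generator-0.2.2-1.0.el7cf.x86_64
bash-4.2.46-30.el7.x86_64
"""


def parse_nvra(entry):
    """Split 'name-version-release.arch[.rpm]' into (name, version, release, arch)."""
    if entry.endswith(".rpm"):
        entry = entry[:-4]
    nvr, arch = entry.rsplit(".", 1)
    name, version, release = nvr.rsplit("-", 2)
    return name, version, release, arch


def _segments(s):
    # Digit runs and letter runs become separate segments; '.', '_' etc. are skipped.
    return re.findall(r"\d+|[A-Za-z]+", s)


def rpmvercmp(a, b):
    """Simplified rpmvercmp(): returns -1, 0 or 1. Numeric segments compare as
    integers, alphabetic ones lexically, a numeric segment beats an alphabetic
    one, and a longer string beats its own prefix. rpm's tilde/caret rules
    for pre-release versions are deliberately not implemented here."""
    sa, sb = _segments(a), _segments(b)
    for x, y in zip(sa, sb):
        x_num, y_num = x.isdigit(), y.isdigit()
        if x_num and y_num:
            if int(x) != int(y):
                return -1 if int(x) < int(y) else 1
        elif x_num != y_num:
            return 1 if x_num else -1
        elif x != y:
            return -1 if x < y else 1
    if len(sa) != len(sb):
        return -1 if len(sa) < len(sb) else 1
    return 0


def compare_vr(installed, fixed):
    """Compare (version, release) tuples; epoch is assumed equal on both sides."""
    c = rpmvercmp(installed[0], fixed[0])
    return c if c else rpmvercmp(installed[1], fixed[1])


def outdated_packages(rpm_qa_output, fixed_list=FIXED_PACKAGES):
    """Return {name: (installed_vr, fixed_vr)} for every errata package that is
    installed at a version-release below the one shipped in the errata."""
    fixed = {}
    for entry in fixed_list.split():
        name, version, release, _ = parse_nvra(entry)
        fixed[name] = (version, release)
    outdated = {}
    for entry in rpm_qa_output.split():
        name, version, release, _ = parse_nvra(entry)
        if name in fixed and compare_vr((version, release), fixed[name]) < 0:
            outdated[name] = ("%s-%s" % (version, release), "%s-%s" % fixed[name])
    return outdated


if __name__ == "__main__":
    # Replace SAMPLE_RPM_QA with the real `rpm -qa` output of the appliance.
    for name, (have, want) in sorted(outdated_packages(SAMPLE_RPM_QA).items()):
        print("%-30s installed %-22s errata %s" % (name, have, want))
```

Packages that are not part of the errata (bash in the sample) are ignored, and a package already at or above the errata version is not reported, so an empty result means every affected package on the box is at least at the fixed level. For a production audit, run the comparison with rpm itself rather than this simplified comparator, and remember that the ansible no_log issue only stops leaking secrets in new task runs: logs written before the update still need to be reviewed and, where they captured credentials, those credentials rotated.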