-----BEGIN PGP SIGNED MESSAGE-----
AUSCERT External Security Bulletin Redistribution
Important: CloudForms 4.6.4 security, bug fix, and enhancement update
5 September 2018
AusCERT Security Bulletin Summary
Publisher: Red Hat
Operating System: Red Hat Enterprise Linux Server 7
Red Hat Enterprise Linux Server 6
Impact/Access: Root Compromise -- Existing Account
Read-only Data Access -- Remote/Unauthenticated
CVE Names: CVE-2018-10905 CVE-2018-3760
- --------------------------BEGIN INCLUDED TEXT--------------------
- -----BEGIN PGP SIGNED MESSAGE-----
Red Hat Security Advisory
Synopsis: Important: CloudForms 4.6.4 security, bug fix, and enhancement update
Advisory ID: RHSA-2018:2561-01
Product: Red Hat CloudForms
Advisory URL: https://access.redhat.com/errata/RHSA-2018:2561
Issue date: 2018-09-04
Cross references: RHSA-2018:34177
CVE Names: CVE-2018-3760 CVE-2018-10905
An update is now available for CloudForms Management Engine 5.9.
Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.
2. Relevant releases/architectures:
CloudForms Management Engine 5.9 - noarch, x86_64
Red Hat CloudForms Management Engine delivers the insight, control, and
automation needed to address the challenges of managing virtual
environments. CloudForms Management Engine is built on Ruby on Rails, a
model-view-controller (MVC) framework for web application development.
Action Pack implements the controller and the view components.
* cfme: Improper access control in dRuby allows local users to execute
arbitrary commands as root (CVE-2018-10905)
* rubygem-sprockets: Path traversal in forbidden_request?() can allow
remote attackers to read arbitrary files (CVE-2018-3760)
For more details about the security issue(s), including the impact, a CVSS
score, and other related information, refer to the CVE page(s) listed in
the References section.
Red Hat would like to thank Stephen Gappinger (American Express) for
This update fixes various bugs and adds enhancements. Documentation for
these changes is available from the Release Notes document.
Before applying this update, make sure all previously released errata
relevant to your system have been applied.
For details on how to apply this update, refer to:
5. Bugs fixed (https://bugzilla.redhat.com/):
1565259 - Requests originating from the API contain no 'userid' attribute in $evm.root
1588527 - Service dialog text, dialog element and button layout/spacing is incorrect in CloudForms 4.6
1591494 - [RFE] Add configuratble vhost to AMQP monitor
1591495 - Tag Expression form:The newly added category does't appear in expression form
1591496 - Expression methods can not access Flavor tags
1591497 - VMware Add Provider can validate VMRC Console credentials successfully for non-existing User
1593058 - CVE-2018-3760 rubygem-sprockets: Path traversal in forbidden_request?() can allow remote attackers to read arbitrary files
1595416 - User that calls refresh automation domain from git branch is not correct user in UI
1595445 - Copying a method does not copy embedded methods that have been added
1595447 - Satellite credential validation times out with no error message
1595448 - Can't access new flavor page when accessed from cloud provider
1595450 - Quadicons in tagging screens should not be clickable
1595451 - task id not included on automation.log when logging from methods
1595454 - Disabling "Dashboard" under service UI for a role does not actually disable the dashboard
1595456 - Wrong Platform Attribute for OpenStack Provisioned Instance Showing Windows instead of Linux
1595461 - During metrics collection for a VMWare provider, SOAP exception occurs during queryAvailablePerfMetric for non-existent VM
1595776 - Dialogs should only run once
1598528 - [RFE] Automate - Expose max_retries override at instance level
1598532 - Generic objects class accordion is not display when locale is french
1598873 - Adding an Ansible Playbook button does not work correctly with Firefox (for Mac)
1599350 - Unable to access tower job .normalized_live_status because "wrong constant name ::Dev::Xvda"
1599353 - CloudForms : Wrong heading message while accessing Cloud Networks
1600191 - 502 Proxy Error
1600670 - Service Bundle retirement: retire_ now not implemented in subclass
1600738 - refresh methods stop being called after working for several days in the self service version of dialogs
1601587 - self service dynamic dialog droplist glitch
1601589 - Service Provision is Failing Because Last Auth Check Failed for Azure Provider
1602190 - CVE-2018-10905 cfme: Improper access control in dRuby allows local users to execute arbitrary commands as root
1603022 - 404 error accessing OpenStack console
1603029 - required field blocks validation of a dialog after automation method called
1603031 - A custom button doesn't work on a service which has no parent catalog item associated with it.
1603058 - AD authentication failing cross region.
1603210 - Timepicker doesn't pass correct timing on service order
1607441 - Internal Server Error during filtering by flavor name in API
1608844 - after removing a zone, messages related to the zone linger in the database
1610055 - [RFE] CFME 5.9.4 - support ssh transport method
1610425 - Source and target network become zero after moving host to maintenance and activating it
1610685 - Service Dialog CheckBox has null value when not ticked by default
1611002 - SCVMM smartstate fails with undefined method `close' for nil:NilClass
1611660 - 'Refresh' button moves over the line when window is resized
1612062 - unable to view validation or cancelation buttons in dynamic dialogs tied to a Service button
1612856 - Browser title in reads "translation missing ..." in Portuguese
1612889 - [RFE] chargeback rates assigned to tags via multiple tag category assignations do not seem to get saved
1613295 - Report based on Chargeback for project fails with ERROR -- : [TypeError]: no implicit conversion from nil to integer Method:[block in method_missing]
1613387 - Tenant admins is not able to see newly created users
1613757 - OSP provider refresh fail
1615633 - Edit tag: Cannot select second tag to items
1618219 - Remove resources field behaves erratic
6. Package List:
CloudForms Management Engine 5.9:
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
The Red Hat security contact is <email@example.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2018 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
- -----END PGP SIGNATURE-----
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to firstname.lastname@example.org
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
Australian Computer Emergency Response Team
The University of Queensland
Internet Email: email@example.com
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----