-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2018.2615
   Important: CloudForms 4.6.4 security, bug fix, and enhancement update
                             5 September 2018

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           CloudForms
Publisher:         Red Hat
Operating System:  Red Hat Enterprise Linux Server 7
                   Red Hat Enterprise Linux Server 6
Impact/Access:     Root Compromise       -- Existing Account      
                   Read-only Data Access -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2018-10905 CVE-2018-3760 

Reference:         ESB-2018.2334
                   ESB-2018.2140
                   ESB-2018.2039
                   ESB-2018.1991

Original Bulletin: 
   https://access.redhat.com/errata/RHSA-2018:2561

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: CloudForms 4.6.4 security, bug fix, and enhancement update
Advisory ID:       RHSA-2018:2561-01
Product:           Red Hat CloudForms
Advisory URL:      https://access.redhat.com/errata/RHSA-2018:2561
Issue date:        2018-09-04
Cross references:  RHSA-2018:34177
CVE Names:         CVE-2018-3760 CVE-2018-10905 
=====================================================================

1. Summary:

An update is now available for CloudForms Management Engine 5.9.

Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

CloudForms Management Engine 5.9 - noarch, x86_64

3. Description:

Red Hat CloudForms Management Engine delivers the insight, control, and
automation needed to address the challenges of managing virtual
environments. CloudForms Management Engine is built on Ruby on Rails, a
model-view-controller (MVC) framework for web application development.
Action Pack implements the controller and the view components.

Security Fix(es):

* cfme: Improper access control in dRuby allows local users to execute
arbitrary commands as root (CVE-2018-10905)

* rubygem-sprockets: Path traversal in forbidden_request?() can allow
remote attackers to read arbitrary files (CVE-2018-3760)

For more details about the security issue(s), including the impact, a CVSS
score, and other related information, refer to the CVE page(s) listed in
the References section.

Red Hat would like to thank Stephen Gappinger (American Express) for
reporting CVE-2018-10905.

Additional Changes:

This update fixes various bugs and adds enhancements. Documentation for
these changes is available from the Release Notes document.

4. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1565259 - Requests originating from the API contain no 'userid' attribute in $evm.root
1588527 - Service dialog text, dialog element and button layout/spacing is incorrect in CloudForms 4.6
1591494 - [RFE] Add configuratble vhost to AMQP monitor
1591495 - Tag Expression form:The newly added category does't appear in expression form
1591496 - Expression methods can not access Flavor tags
1591497 - VMware Add Provider can validate VMRC Console credentials successfully for non-existing User
1593058 - CVE-2018-3760 rubygem-sprockets: Path traversal in forbidden_request?() can allow remote attackers to read arbitrary files
1595416 - User that calls refresh automation domain from git branch is not correct user in UI
1595445 - Copying a method does not copy embedded methods that have been added
1595447 - Satellite credential validation times out with no error message
1595448 - Can't access new flavor page when accessed from cloud provider
1595450 - Quadicons in tagging screens should not be clickable
1595451 - task id not included on automation.log when logging from methods
1595454 - Disabling "Dashboard" under service UI for a role does not actually  disable the dashboard
1595456 - Wrong Platform Attribute for OpenStack Provisioned Instance Showing Windows instead of Linux
1595461 - During metrics collection for a VMWare provider, SOAP exception occurs during queryAvailablePerfMetric for non-existent VM
1595776 - Dialogs should only run once
1598528 - [RFE] Automate - Expose max_retries override at instance level
1598532 - Generic objects class accordion is not display when locale is french
1598873 - Adding an Ansible Playbook button does not work correctly with Firefox (for Mac)
1599350 - Unable to access tower job .normalized_live_status because "wrong constant name ::Dev::Xvda"
1599353 - CloudForms : Wrong heading message while accessing Cloud Networks
1600191 - 502 Proxy Error
1600670 - Service Bundle retirement: retire_ now not implemented in subclass
1600738 - refresh methods stop being called after working for several days in the self service version of dialogs
1601587 - self service dynamic dialog droplist glitch
1601589 - Service Provision is Failing Because Last Auth Check Failed for Azure Provider
1602190 - CVE-2018-10905 cfme: Improper access control in dRuby allows local users to execute arbitrary commands as root
1603022 - 404 error accessing OpenStack console
1603029 - required field blocks validation of a dialog after automation method called
1603031 - A custom button doesn't work on a service which has no parent catalog item associated with it.
1603058 - AD authentication failing cross region.
1603210 - Timepicker doesn't pass correct timing on service order
1607441 - Internal Server Error during filtering by flavor name in API
1608844 - after removing a zone, messages related to the zone linger in the database
1610055 - [RFE] CFME 5.9.4 - support ssh transport method
1610425 - Source and target network become zero after moving host to maintenance and activating it
1610685 - Service Dialog CheckBox has null value when not ticked by default
1611002 - SCVMM smartstate fails with undefined method `close' for nil:NilClass
1611660 - 'Refresh' button moves over the line when window is resized
1612062 - unable to view validation or cancelation buttons in dynamic dialogs tied to a Service button
1612856 - Browser title in reads "translation missing ..." in Portuguese
1612889 - [RFE] chargeback rates assigned to tags via multiple tag category assignations do not seem to get saved
1613295 - Report based on Chargeback for project fails with ERROR -- : [TypeError]: no implicit conversion from nil to integer  Method:[block in method_missing]
1613387 - Tenant admins is not able to see newly created users
1613757 - OSP provider refresh fail
1615633 - Edit tag: Cannot select second tag to items
1618219 - Remove resources field behaves erratic

6. Package List:

CloudForms Management Engine 5.9:

Source:
cfme-5.9.4.7-1.el7cf.src.rpm
cfme-amazon-smartstate-5.9.4.7-1.el7cf.src.rpm
cfme-appliance-5.9.4.7-1.el7cf.src.rpm
cfme-gemset-5.9.4.7-1.el7cf.src.rpm
rh-postgresql95-postgresql-pglogical-2.1.0-4.el7cf.src.rpm
rh-ruby23-rubygem-redhat_access_cfme-2.0.3-1.el7cf.src.rpm

noarch:
rh-ruby23-rubygem-redhat_access_cfme-2.0.3-1.el7cf.noarch.rpm
rh-ruby23-rubygem-redhat_access_cfme-doc-2.0.3-1.el7cf.noarch.rpm

x86_64:
cfme-5.9.4.7-1.el7cf.x86_64.rpm
cfme-amazon-smartstate-5.9.4.7-1.el7cf.x86_64.rpm
cfme-appliance-5.9.4.7-1.el7cf.x86_64.rpm
cfme-appliance-common-5.9.4.7-1.el7cf.x86_64.rpm
cfme-appliance-debuginfo-5.9.4.7-1.el7cf.x86_64.rpm
cfme-appliance-tools-5.9.4.7-1.el7cf.x86_64.rpm
cfme-debuginfo-5.9.4.7-1.el7cf.x86_64.rpm
cfme-gemset-5.9.4.7-1.el7cf.x86_64.rpm
cfme-gemset-debuginfo-5.9.4.7-1.el7cf.x86_64.rpm
rh-postgresql95-postgresql-pglogical-2.1.0-4.el7cf.x86_64.rpm
rh-postgresql95-postgresql-pglogical-debuginfo-2.1.0-4.el7cf.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2018-3760
https://access.redhat.com/security/cve/CVE-2018-10905
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2018 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBW47IZtzjgjWX9erEAQhuaBAAjcYrhESmgh3/OFH4t1rAQ/sYcuRYhopZ
0hmLtNhpyHlTx/VAqpkIS1a69uRlyeOc8/PfUh9zA7LZYRePRGA5/rMmsvyhoqV0
MDRsNMPU+sbSs8vLrvul+mAsTGkdHFAMXDB7Hay3gOntiCGU6vBX/AxfKRYkJjjU
RJvPIoos2auq+k2PXSOiKoQMzKWqgqQcvBdfZHhjqBxDD8xN+zKElUFbztHSUPS3
3CGw7jRrJAqjO4FmN62SNPWRxBGnw8Lzzj2N3gDd4IyxEd0EWjenaGfE4ZHY/yfF
TnQ5N3jhsw5Z5q3RuvXKfNl6Ke7bChWUQNZjoA+v4vKDUxL2y8EEQ2ZkLS8icUgR
ZzpCLeB8bPoNcWFv1BjEllfIA9bUZ7e7x7/ur5aykOOicsPJnGGFEZhCIYUzbe9b
7kdXKQIsfu+ru01GoIKY9dXLhWg/h1Q/lBRwh05qDHD0a6iyGV2RpQMvSbsTrJSq
Yjr7il+HBfgW2lFDzJFtO9kSWiRrsrgwY3C6rzLG6oJcu2hzV9APu5y21GxF8Qq0
7q20a9bUMxptcmRFqhqVj1K8rE+NKom0dKFhsihc97l/iKP9wo1fYFNDHfk8rVjL
MhH++1KHoLGIDxsU4ZF0fhSs82XG1TtXIbUYPe5dcjtnNoZBy9xwCdyttopOn2TY
D3HNNisehaA=
=0QPa
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBW48jWGaOgq3Tt24GAQjb6xAApxFbkUGDM8ILJ3WXPBpTEk1P93ma89Ub
2N2h0/TReTkukI0IwgrnCbeqGf6As/M9Ztvqddp2AEKHaRQJmZrzX4RWpsGHAI1H
nRleGvAluRTmLw8IyXjcvz0vL5nlt5LD4bsx4iJY3gBMccyMId/F3ZS4LEF5FZfq
SMWI88CbSBpJwkmx8LD33DP8F9d2nSkNbBi2qiKHFsXI2neRtBechiDA24hMXqAW
wWHGtWVCVl0Dw3hHUaL5zFhOADcG4ZHJ6V+o26BAXnRPnxJeoUbbmW9vmELQe+eB
Z12Q5iBfYv7S7TzTreLEN4lU7PGk7bN0ulbieGEjhs3CAgVRKSU8l+ka6WBY5Fl5
A/XSQwPQytID42jd5auqEE2e3rR3m6F41a5IspK+L4RERr56QkF2+cS4AKzhFr9W
b2g8QCTLdp1rmcqndvFe7S5lzQsc8rczIaqiqKOaGHdlbOE2yEvDdfPoFVjdT7Qj
FFO3jOvo0wxjaLRZb/meUwqegTaO7pxVeLhtefMGdh782EUmujhWOfyx34rpewS2
PKlXPfNuFgJr0T/dKYxtz2pWscxHtKS8iSyjPd6XsD0BYglOcEp/K6x4B+XmbIK9
dTP9ljvyar/9glrEU4nRo/rvOAIFnkCai9M5pahlfnsfHhliLdj2hb91tNrzkwRY
gnGDEjZyWM8=
=LoyE
-----END PGP SIGNATURE-----