Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2018.2615 Important: CloudForms 4.6.4 security, bug fix, and enhancement update 5 September 2018 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: CloudForms Publisher: Red Hat Operating System: Red Hat Enterprise Linux Server 7 Red Hat Enterprise Linux Server 6 Impact/Access: Root Compromise -- Existing Account Read-only Data Access -- Remote/Unauthenticated Resolution: Patch/Upgrade CVE Names: CVE-2018-10905 CVE-2018-3760 Reference: ESB-2018.2334 ESB-2018.2140 ESB-2018.2039 ESB-2018.1991 Original Bulletin: https://access.redhat.com/errata/RHSA-2018:2561 - --------------------------BEGIN INCLUDED TEXT-------------------- - -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 ===================================================================== Red Hat Security Advisory Synopsis: Important: CloudForms 4.6.4 security, bug fix, and enhancement update Advisory ID: RHSA-2018:2561-01 Product: Red Hat CloudForms Advisory URL: https://access.redhat.com/errata/RHSA-2018:2561 Issue date: 2018-09-04 Cross references: RHSA-2018:34177 CVE Names: CVE-2018-3760 CVE-2018-10905 ===================================================================== 1. Summary: An update is now available for CloudForms Management Engine 5.9. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. 2. Relevant releases/architectures: CloudForms Management Engine 5.9 - noarch, x86_64 3. Description: Red Hat CloudForms Management Engine delivers the insight, control, and automation needed to address the challenges of managing virtual environments. CloudForms Management Engine is built on Ruby on Rails, a model-view-controller (MVC) framework for web application development. Action Pack implements the controller and the view components. Security Fix(es): * cfme: Improper access control in dRuby allows local users to execute arbitrary commands as root (CVE-2018-10905) * rubygem-sprockets: Path traversal in forbidden_request?() can allow remote attackers to read arbitrary files (CVE-2018-3760) For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section. Red Hat would like to thank Stephen Gappinger (American Express) for reporting CVE-2018-10905. Additional Changes: This update fixes various bugs and adds enhancements. Documentation for these changes is available from the Release Notes document. 4. Solution: Before applying this update, make sure all previously released errata relevant to your system have been applied. For details on how to apply this update, refer to: https://access.redhat.com/articles/11258 5. Bugs fixed (https://bugzilla.redhat.com/): 1565259 - Requests originating from the API contain no 'userid' attribute in $evm.root 1588527 - Service dialog text, dialog element and button layout/spacing is incorrect in CloudForms 4.6 1591494 - [RFE] Add configuratble vhost to AMQP monitor 1591495 - Tag Expression form:The newly added category does't appear in expression form 1591496 - Expression methods can not access Flavor tags 1591497 - VMware Add Provider can validate VMRC Console credentials successfully for non-existing User 1593058 - CVE-2018-3760 rubygem-sprockets: Path traversal in forbidden_request?() can allow remote attackers to read arbitrary files 1595416 - User that calls refresh automation domain from git branch is not correct user in UI 1595445 - Copying a method does not copy embedded methods that have been added 1595447 - Satellite credential validation times out with no error message 1595448 - Can't access new flavor page when accessed from cloud provider 1595450 - Quadicons in tagging screens should not be clickable 1595451 - task id not included on automation.log when logging from methods 1595454 - Disabling "Dashboard" under service UI for a role does not actually disable the dashboard 1595456 - Wrong Platform Attribute for OpenStack Provisioned Instance Showing Windows instead of Linux 1595461 - During metrics collection for a VMWare provider, SOAP exception occurs during queryAvailablePerfMetric for non-existent VM 1595776 - Dialogs should only run once 1598528 - [RFE] Automate - Expose max_retries override at instance level 1598532 - Generic objects class accordion is not display when locale is french 1598873 - Adding an Ansible Playbook button does not work correctly with Firefox (for Mac) 1599350 - Unable to access tower job .normalized_live_status because "wrong constant name ::Dev::Xvda" 1599353 - CloudForms : Wrong heading message while accessing Cloud Networks 1600191 - 502 Proxy Error 1600670 - Service Bundle retirement: retire_ now not implemented in subclass 1600738 - refresh methods stop being called after working for several days in the self service version of dialogs 1601587 - self service dynamic dialog droplist glitch 1601589 - Service Provision is Failing Because Last Auth Check Failed for Azure Provider 1602190 - CVE-2018-10905 cfme: Improper access control in dRuby allows local users to execute arbitrary commands as root 1603022 - 404 error accessing OpenStack console 1603029 - required field blocks validation of a dialog after automation method called 1603031 - A custom button doesn't work on a service which has no parent catalog item associated with it. 1603058 - AD authentication failing cross region. 1603210 - Timepicker doesn't pass correct timing on service order 1607441 - Internal Server Error during filtering by flavor name in API 1608844 - after removing a zone, messages related to the zone linger in the database 1610055 - [RFE] CFME 5.9.4 - support ssh transport method 1610425 - Source and target network become zero after moving host to maintenance and activating it 1610685 - Service Dialog CheckBox has null value when not ticked by default 1611002 - SCVMM smartstate fails with undefined method `close' for nil:NilClass 1611660 - 'Refresh' button moves over the line when window is resized 1612062 - unable to view validation or cancelation buttons in dynamic dialogs tied to a Service button 1612856 - Browser title in reads "translation missing ..." in Portuguese 1612889 - [RFE] chargeback rates assigned to tags via multiple tag category assignations do not seem to get saved 1613295 - Report based on Chargeback for project fails with ERROR -- : [TypeError]: no implicit conversion from nil to integer Method:[block in method_missing] 1613387 - Tenant admins is not able to see newly created users 1613757 - OSP provider refresh fail 1615633 - Edit tag: Cannot select second tag to items 1618219 - Remove resources field behaves erratic 6. Package List: CloudForms Management Engine 5.9: Source: cfme-5.9.4.7-1.el7cf.src.rpm cfme-amazon-smartstate-5.9.4.7-1.el7cf.src.rpm cfme-appliance-5.9.4.7-1.el7cf.src.rpm cfme-gemset-5.9.4.7-1.el7cf.src.rpm rh-postgresql95-postgresql-pglogical-2.1.0-4.el7cf.src.rpm rh-ruby23-rubygem-redhat_access_cfme-2.0.3-1.el7cf.src.rpm noarch: rh-ruby23-rubygem-redhat_access_cfme-2.0.3-1.el7cf.noarch.rpm rh-ruby23-rubygem-redhat_access_cfme-doc-2.0.3-1.el7cf.noarch.rpm x86_64: cfme-5.9.4.7-1.el7cf.x86_64.rpm cfme-amazon-smartstate-5.9.4.7-1.el7cf.x86_64.rpm cfme-appliance-5.9.4.7-1.el7cf.x86_64.rpm cfme-appliance-common-5.9.4.7-1.el7cf.x86_64.rpm cfme-appliance-debuginfo-5.9.4.7-1.el7cf.x86_64.rpm cfme-appliance-tools-5.9.4.7-1.el7cf.x86_64.rpm cfme-debuginfo-5.9.4.7-1.el7cf.x86_64.rpm cfme-gemset-5.9.4.7-1.el7cf.x86_64.rpm cfme-gemset-debuginfo-5.9.4.7-1.el7cf.x86_64.rpm rh-postgresql95-postgresql-pglogical-2.1.0-4.el7cf.x86_64.rpm rh-postgresql95-postgresql-pglogical-debuginfo-2.1.0-4.el7cf.x86_64.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/ 7. References: https://access.redhat.com/security/cve/CVE-2018-3760 https://access.redhat.com/security/cve/CVE-2018-10905 https://access.redhat.com/security/updates/classification/#important 8. Contact: The Red Hat security contact is <secalert@redhat.com>. More contact details at https://access.redhat.com/security/team/contact/ Copyright 2018 Red Hat, Inc. - -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIVAwUBW47IZtzjgjWX9erEAQhuaBAAjcYrhESmgh3/OFH4t1rAQ/sYcuRYhopZ 0hmLtNhpyHlTx/VAqpkIS1a69uRlyeOc8/PfUh9zA7LZYRePRGA5/rMmsvyhoqV0 MDRsNMPU+sbSs8vLrvul+mAsTGkdHFAMXDB7Hay3gOntiCGU6vBX/AxfKRYkJjjU RJvPIoos2auq+k2PXSOiKoQMzKWqgqQcvBdfZHhjqBxDD8xN+zKElUFbztHSUPS3 3CGw7jRrJAqjO4FmN62SNPWRxBGnw8Lzzj2N3gDd4IyxEd0EWjenaGfE4ZHY/yfF TnQ5N3jhsw5Z5q3RuvXKfNl6Ke7bChWUQNZjoA+v4vKDUxL2y8EEQ2ZkLS8icUgR ZzpCLeB8bPoNcWFv1BjEllfIA9bUZ7e7x7/ur5aykOOicsPJnGGFEZhCIYUzbe9b 7kdXKQIsfu+ru01GoIKY9dXLhWg/h1Q/lBRwh05qDHD0a6iyGV2RpQMvSbsTrJSq Yjr7il+HBfgW2lFDzJFtO9kSWiRrsrgwY3C6rzLG6oJcu2hzV9APu5y21GxF8Qq0 7q20a9bUMxptcmRFqhqVj1K8rE+NKom0dKFhsihc97l/iKP9wo1fYFNDHfk8rVjL MhH++1KHoLGIDxsU4ZF0fhSs82XG1TtXIbUYPe5dcjtnNoZBy9xwCdyttopOn2TY D3HNNisehaA= =0QPa - -----END PGP SIGNATURE----- - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: https://www.auscert.org.au/bulletins/ =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: http://www.auscert.org.au/render.html?it=1967 iQIVAwUBW48jWGaOgq3Tt24GAQjb6xAApxFbkUGDM8ILJ3WXPBpTEk1P93ma89Ub 2N2h0/TReTkukI0IwgrnCbeqGf6As/M9Ztvqddp2AEKHaRQJmZrzX4RWpsGHAI1H nRleGvAluRTmLw8IyXjcvz0vL5nlt5LD4bsx4iJY3gBMccyMId/F3ZS4LEF5FZfq SMWI88CbSBpJwkmx8LD33DP8F9d2nSkNbBi2qiKHFsXI2neRtBechiDA24hMXqAW wWHGtWVCVl0Dw3hHUaL5zFhOADcG4ZHJ6V+o26BAXnRPnxJeoUbbmW9vmELQe+eB Z12Q5iBfYv7S7TzTreLEN4lU7PGk7bN0ulbieGEjhs3CAgVRKSU8l+ka6WBY5Fl5 A/XSQwPQytID42jd5auqEE2e3rR3m6F41a5IspK+L4RERr56QkF2+cS4AKzhFr9W b2g8QCTLdp1rmcqndvFe7S5lzQsc8rczIaqiqKOaGHdlbOE2yEvDdfPoFVjdT7Qj FFO3jOvo0wxjaLRZb/meUwqegTaO7pxVeLhtefMGdh782EUmujhWOfyx34rpewS2 PKlXPfNuFgJr0T/dKYxtz2pWscxHtKS8iSyjPd6XsD0BYglOcEp/K6x4B+XmbIK9 dTP9ljvyar/9glrEU4nRo/rvOAIFnkCai9M5pahlfnsfHhliLdj2hb91tNrzkwRY gnGDEjZyWM8= =LoyE -----END PGP SIGNATURE-----