06 November 2018
Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2018.3462 CloudForms 4.6.5 security, bug fix and enhancement update 6 November 2018 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: rubyzip Publisher: Red Hat Operating System: Red Hat Impact/Access: Execute Arbitrary Code/Commands -- Remote with User Interaction Create Arbitrary Files -- Remote with User Interaction Resolution: Patch/Upgrade CVE Names: CVE-2018-1000544 Reference: ESB-2018.2360 Original Bulletin: https://access.redhat.com/errata/RHSA-2018:3466 - --------------------------BEGIN INCLUDED TEXT-------------------- - -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 ===================================================================== Red Hat Security Advisory Synopsis: Moderate: CloudForms 4.6.5 security, bug fix and enhancement update Advisory ID: RHSA-2018:3466-01 Product: Red Hat CloudForms Advisory URL: https://access.redhat.com/errata/RHSA-2018:3466 Issue date: 2018-11-05 Cross references: RHSA-2018:2561 CVE Names: CVE-2018-1000544 ===================================================================== 1. Summary: An update is now available for CloudForms Management Engine 5.9. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. 2. Relevant releases/architectures: CloudForms Management Engine 5.9 - x86_64 3. Description: Red Hat CloudForms Management Engine delivers the insight, control, and automation needed to address the challenges of managing virtual environments. CloudForms Management Engine is built on Ruby on Rails, a model-view-controller (MVC) framework for web application development. Action Pack implements the controller and the view components. Security Fix(es): * rubyzip: arbitrary file write vulnerability / arbitrary code execution using a specially crafted zip file (CVE-2018-1000544) For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section. Additional Changes: This update fixes various bugs and adds enhancements. Documentation for these changes is available from the Release Notes document. 4. Solution: For details on how to apply this update, which includes the changes described in this advisory, refer to: https://access.redhat.com/articles/11258 5. Bugs fixed (https://bugzilla.redhat.com/): 1592571 - Service Dialog Editor localization in French Incomplete 1593001 - CVE-2018-1000544 rubyzip: arbitrary file write vulnerability / arbitrary code execution using a specially crafted zip file 1599349 - API with an invalid zone name kill the appliance 1603026 - Vim Performance States Table Causing Region to Lock up During a Vacuum 1607409 - The remote_ws_url value does not failover if the appliance is stopped, so "api_url" can be incorrect in an Ansible playbook 1607438 - Alerts do not trigger and do not send email notification 1608368 - Ansible Jobs Causing State Machine to Fail due to Inactivity Threshold Exceeding 0 1608770 - custom buttom page empty 1612905 - internal server error when cloud_tenants or flavors subcollection is requested on infra provider 1613333 - Couldn't find EmsFolder with 'id' 1613420 - OpenStack deletion gives problem 1615465 - Using database wildcard `%25` in VM queries causes exception, returns 500 to client 1618800 - Open URL Does Not Work When Using a DIalog with a Button 1618805 - CloudForms tries to collect metrics from OCP despite not being configured for it 1618807 - [RFE] Restore VM ownership and retirement during migration 1618808 - Migrations linking jobs and miq_tasks could take long time when upgrading to 5.9 1619431 - [v2v] Network Missing in Infra Mapping 1619654 - [v2v] Schedule Unschedule Migration does not seem to work correctly 1621441 - Change VMware URI to connect directly to ESXi 1621445 - Default Dashboard can't be updated 1621449 - Fix displaying disk type of a VM created from template and passing clone parameter to RHV 1622631 - reports using "group by" on date show a total column per vm instead of showing a total at the end of the report 1622652 - Service Retirement runs twice for direct service children 1623557 - virt-v2v Fails with IMS when Using AD Credentials for VMware Provider 1623559 - [RFE] Add state_machine_phase attribute to transformation state machines 1623560 - Dynamic Text Area and Text Box Elements Load Even Though Load on Init is not Marked 1623561 - displaying -Child Orchestration Stacks- throwing UI error 1623563 - unable to generate chargeback based on metering for vms with traceback in logs 1623565 - Add log messages to Chargeback 1623573 - unable to add disk to vm via rest-api vm reconfiguration on vmware [request backport from existing commit] 1623582 - Change in chargeback report logging output 1625249 - Read Action Forbidden When User Tries to Attach Cloud Volume OpenStack 1625323 - UI breaks when viewing instance details. 1625376 - Wrong timezone when selecting retirement time 1626143 - Storage Domain ignored on provisioning 1626219 - nuage refresh fails - undefined method `' ... security_groups 1626474 - Handle service retirement date in service dialog 1628348 - Update to Azure Government endpoint 1628657 - Unable to retry Embedded Ansible method in a state machine 1629089 - [RFE] Add more RAM options size to life cycle dialog 1629090 - [SSUI] Able to create snapshot with memory on powered down VM 1629094 - Make the checkbox column in the column view not click-able 1629121 - When a button is for 'single and list' or 'list' and has a visibility expression, the button does not display in the list view even when all VMs in the list meet the expression 1629124 - giving volume name shouldn't be mandatory in case of Openstack instance provisioning 1629125 - OSP domain user seen objects from other domain tenants 1629126 - [RFE] Add support to oVirt provider to set VM memory and CPU 1629127 - UI Monitor Alerts page is slow to load and when clicking on link it shows blank page with no alerts 1629129 - Cannot add Ansible Tower or refresh already added Ansible Tower 1629897 - Memory threshold set from Workers tab doesn't work 1630938 - Refactor restoring VM attributes during migration 1631557 - Unable to provision VM with "choose automatic option" 1631817 - Not able to access Openstack instance console from selfservice portal 1632769 - Triggered Refresh Still Occurs for Dialog After Changing Type to Static 1634032 - To be able to add and create reports, the edit report role is needed. 1634808 - Password hashes in Automate Log 1635038 - VMware vCloud Provider's vApp Provisioning Dialog Cannot be Submitted 1635764 - Power management via API falling into the wrong zone leading to permanently queued requests 1637035 - Add transformation utils methods 1637185 - [RHV] ISO provisioning fails with undefined SDK method 1637720 - Unable to see chargeback rate under rates accordion 1638684 - VMware vCloud Provider's vApp Service Cannot be Fully Retired 1639300 - Unable to perform chargeback assignments for compute 1639413 - When ordering a service via the API the service dialog is not executed 1639877 - Can't change Server's Zone 1641670 - [regression][Custom Button] Unexpected error encountered in infrastructure and datastore object type when method and dialog both attached 1641810 - undefined method `find_tagged_with' for #<Class:0x000000000b5e3228> [miq_request/show_list] 6. Package List: CloudForms Management Engine 5.9: Source: ansible-tower-3.2.7-1.el7at.src.rpm cfme-188.8.131.52-1.el7cf.src.rpm cfme-amazon-smartstate-184.108.40.206-1.el7cf.src.rpm cfme-appliance-220.127.116.11-1.el7cf.src.rpm cfme-gemset-18.104.22.168-1.el7cf.src.rpm x86_64: ansible-tower-3.2.7-1.el7at.x86_64.rpm ansible-tower-server-3.2.7-1.el7at.x86_64.rpm ansible-tower-setup-3.2.7-1.el7at.x86_64.rpm ansible-tower-ui-3.2.7-1.el7at.x86_64.rpm ansible-tower-venv-ansible-3.2.7-1.el7at.x86_64.rpm ansible-tower-venv-tower-3.2.7-1.el7at.x86_64.rpm cfme-22.214.171.124-1.el7cf.x86_64.rpm cfme-amazon-smartstate-126.96.36.199-1.el7cf.x86_64.rpm cfme-appliance-188.8.131.52-1.el7cf.x86_64.rpm cfme-appliance-common-184.108.40.206-1.el7cf.x86_64.rpm cfme-appliance-debuginfo-220.127.116.11-1.el7cf.x86_64.rpm cfme-appliance-tools-18.104.22.168-1.el7cf.x86_64.rpm cfme-debuginfo-22.214.171.124-1.el7cf.x86_64.rpm cfme-gemset-126.96.36.199-1.el7cf.x86_64.rpm cfme-gemset-debuginfo-188.8.131.52-1.el7cf.x86_64.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/ 7. References: https://access.redhat.com/security/cve/CVE-2018-1000544 https://access.redhat.com/security/updates/classification/#moderate https://access.redhat.com/documentation/en-us/red_hat_cloudforms/4.6/html/release_notes 8. Contact: The Red Hat security contact is <firstname.lastname@example.org>. More contact details at https://access.redhat.com/security/team/contact/ Copyright 2018 Red Hat, Inc. - -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIVAwUBW+BM7dzjgjWX9erEAQgslw/8DEgNrrVa720mqy/N2URv8ozTMKEbojHN zSTMbDy+uHxz3ei8Qv2dPDgy06tNgz24XAojc2V9S4kGvOLn4+m7vbtgyLgO/S8h JGoEqXn2kRiQLG5S7guM3/jwj5/zkJjxo+wAhm1pZ+/+i/gcdj8ilriU4JRHTDez Cv2qwhoD0/9LZsRirXf3e/BDT3nwGn1hAul1m0fK8AuXKaQx9jUU6pHQ7oFejL8g k05A+Egb6Uko7jPng2AFi0qf79LTS0VdZqJdb4fCTEwA7BnP6KIoYJIxA+ASb1G/ XCnXuLPHgZQUFY+f26xuU7904p/2scN+XOHVgBXg8sVgKL4V1z77LfzvymERRCOZ 8fnkqGNfHFBCKUjnbS6w+qTFZSWB+rimEKMmS9JfJ4MqaRLJ/CS/UbytCJ4yZiqI KwkV9B3gmqJJlcloq7Upeu+W/K+AjCcAVy72OkOjKj8fyCw4fu+zzO5AYMcOou63 QSDah1bZCOIib50L1YL59/i8qSP8Sfw+BdjLc0uuKD9TYkg+ea6FAjew3QsqFfmx /+c+V/q0yfaHJKTuE7qbwu7oT8bD0gqsLpnfL3O0NjrsSNej1BZpBE2zSlGXFRkp RwpgmaCH8CH0MRJ/y6PoGcN1nq1hk27hz6yeQD1bHbBdDzPMgucCirQg31ETmI+K Y82FHX4wIVU= =2gRR - -----END PGP SIGNATURE----- - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to email@example.com and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: https://www.auscert.org.au/bulletins/ =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: firstname.lastname@example.org Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: http://www.auscert.org.au/render.html?it=1967 iQIVAwUBW+DlCmaOgq3Tt24GAQhkcBAAwfbC4BftLSVof7Vyx4zHWybAgMhfJ6LJ qh0DObQNtheRk8ZdWMwIj/9ont2uuzuOWgTT9feWHe+iWpCxvGIdbgje34AW7d+a vUFiJ3Otq0o5lBYcZKXsj3GNxfUZ+saAGv6Y3UtWxL6k1y2R4DyPs25p3E/n1vPZ lHbaSDaGHEMwrFa8PLoQVZfZnf3gYR2PZLSREKTNWVEZDBCozHbJvii5iCRLl1bF XE+axyxrmSprjK0zZLD8DU0XLQpob/zXshfdz0fczVqAMMdoWEJnywxs3u3ZFI4O pz6+xg3jhnk7RFyjBeJiZZgUlHYGmI/h9zLVJYE5o2LU3dZ/8VvJvelXjeKBj1fG B0CwPKl8jfj+wNGlh/Ua/mlXAkBKpEzELur5oqf0mByhk+gpUZS43YCjcTb6MvcB P8X8DtgO8OQWJTYQ1HYfD7SyHsUwrhck0cXj6/Xd3EvOn8RWObpzqXkoWoJXLsy+ 4r43IGyOe7fSoljZYPjYNFAf8n3ZrSJRzwicQOW+LojCJ2J1T8URZuAxaRK2ssa6 hJJUL/AmOWwn1Iwo2qjXQdj4TxMvVwEP7lYEneNNIfn3kzPAlxD8hja55onWvG9J LeCcs/MwVfuQN9DyUeCLGOJVB2KVoeZ401oqCJ4P7FPM28ToDH2ZApca1P/0xXe3 RJEYdnFnL74= =SI/2 -----END PGP SIGNATURE-----