Hash: SHA256

             AUSCERT External Security Bulletin Redistribution

         CloudForms 4.6.5 security, bug fix and enhancement update
                              6 November 2018


        AusCERT Security Bulletin Summary

Product:           rubyzip
Publisher:         Red Hat
Operating System:  Red Hat
Impact/Access:     Execute Arbitrary Code/Commands -- Remote with User Interaction
                   Create Arbitrary Files          -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2018-1000544  

Reference:         ESB-2018.2360

Original Bulletin: 

- --------------------------BEGIN INCLUDED TEXT--------------------

Hash: SHA256

                   Red Hat Security Advisory

Synopsis:          Moderate: CloudForms 4.6.5 security, bug fix and enhancement update
Advisory ID:       RHSA-2018:3466-01
Product:           Red Hat CloudForms
Advisory URL:      https://access.redhat.com/errata/RHSA-2018:3466
Issue date:        2018-11-05
Cross references:  RHSA-2018:2561
CVE Names:         CVE-2018-1000544 

1. Summary:

An update is now available for CloudForms Management Engine 5.9.

Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Relevant releases/architectures:

CloudForms Management Engine 5.9 - x86_64

3. Description:

Red Hat CloudForms Management Engine delivers the insight, control, and
automation needed to address the challenges of managing virtual
environments. CloudForms Management Engine is built on Ruby on Rails, a
model-view-controller (MVC) framework for web application development.
Action Pack implements the controller and the view components.

Security Fix(es):

* rubyzip: arbitrary file write vulnerability / arbitrary code execution
using a specially crafted zip file (CVE-2018-1000544)

For more details about the security issue(s), including the impact, a CVSS
score, and other related information, refer to the CVE page(s) listed in
the References section.

Additional Changes:

This update fixes various bugs and adds enhancements. Documentation for
these changes is available from the Release Notes document.

4. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:


5. Bugs fixed (https://bugzilla.redhat.com/):

1592571 - Service Dialog Editor localization in French Incomplete
1593001 - CVE-2018-1000544 rubyzip: arbitrary file write vulnerability / arbitrary code execution using a specially crafted zip file
1599349 - API with an invalid zone name kill the appliance
1603026 - Vim Performance States Table Causing Region to Lock up During a Vacuum
1607409 - The remote_ws_url value does not failover if the appliance is stopped, so "api_url" can be incorrect in an Ansible playbook
1607438 - Alerts do not trigger and do not send email notification
1608368 - Ansible Jobs Causing State Machine to Fail due to Inactivity Threshold Exceeding 0
1608770 - custom buttom page empty
1612905 - internal server error when cloud_tenants or flavors subcollection is requested on infra provider
1613333 - Couldn't find EmsFolder with 'id'
1613420 - OpenStack deletion gives problem
1615465 - Using database wildcard `%25` in VM queries causes exception, returns 500 to client
1618800 - Open URL Does Not Work When Using a DIalog with a Button
1618805 - CloudForms tries to collect metrics from OCP despite not being configured for it
1618807 - [RFE] Restore VM ownership and retirement during migration
1618808 - Migrations linking jobs and miq_tasks could take long time when upgrading to 5.9
1619431 - [v2v] Network Missing in Infra Mapping
1619654 - [v2v] Schedule Unschedule Migration does not seem to work correctly
1621441 - Change VMware URI to connect directly to ESXi
1621445 - Default Dashboard can't be updated
1621449 - Fix displaying disk type of a VM created from template and passing clone parameter to RHV
1622631 - reports using "group by" on date show a total column per vm instead of showing a total at the end of the report
1622652 - Service Retirement runs twice for direct service children
1623557 - virt-v2v Fails with IMS when Using AD Credentials for VMware Provider
1623559 - [RFE] Add state_machine_phase attribute to transformation state machines
1623560 - Dynamic Text Area and Text Box Elements Load Even Though Load on Init is not Marked
1623561 - displaying -Child Orchestration Stacks- throwing UI error
1623563 - unable to generate chargeback based on metering for vms with traceback in logs
1623565 - Add log messages to Chargeback
1623573 - unable to add disk to vm via rest-api vm reconfiguration on vmware [request backport from existing commit]
1623582 - Change in chargeback report logging output
1625249 - Read Action Forbidden When User Tries to Attach Cloud Volume OpenStack
1625323 - UI breaks when viewing instance details.
1625376 - Wrong timezone when selecting retirement time
1626143 - Storage Domain ignored on provisioning
1626219 - nuage refresh fails - undefined method `[]' ... security_groups
1626474 - Handle service retirement date in service dialog
1628348 - Update to Azure Government endpoint
1628657 - Unable to retry Embedded Ansible method in a state machine
1629089 - [RFE] Add more RAM options size to life cycle dialog
1629090 - [SSUI] Able to create snapshot with memory on powered down VM
1629094 - Make the checkbox column in the column view not click-able
1629121 - When a button is for 'single and list' or 'list' and has a visibility expression, the button does not display in the list view even when all VMs in the list meet the expression
1629124 - giving volume name shouldn't be mandatory in case of Openstack instance provisioning
1629125 - OSP domain user seen objects from other domain tenants
1629126 - [RFE] Add support to oVirt provider to set VM memory and CPU
1629127 - UI Monitor Alerts page is slow to load and when clicking on link it shows blank page with no alerts
1629129 - Cannot add Ansible Tower or refresh already added Ansible Tower
1629897 - Memory threshold set from Workers tab doesn't work
1630938 - Refactor restoring VM attributes during migration
1631557 - Unable to provision VM with "choose automatic option"
1631817 - Not able to access Openstack instance console from selfservice portal
1632769 - Triggered Refresh Still Occurs for Dialog After Changing Type to Static
1634032 - To be able to add and create reports, the edit report role is needed.
1634808 - Password hashes in Automate Log
1635038 - VMware vCloud Provider's vApp Provisioning Dialog Cannot be Submitted
1635764 - Power management via API falling into the wrong zone leading to permanently queued requests
1637035 - Add transformation utils methods
1637185 - [RHV] ISO provisioning fails with undefined SDK method
1637720 - Unable to see chargeback rate under rates accordion
1638684 - VMware vCloud Provider's vApp Service Cannot be Fully Retired
1639300 - Unable to perform chargeback assignments for compute
1639413 - When ordering a service via the API the service dialog is not executed
1639877 - Can't change Server's Zone
1641670 - [regression][Custom Button] Unexpected error encountered in infrastructure and datastore object type when method and dialog both attached
1641810 - undefined method `find_tagged_with' for #<Class:0x000000000b5e3228> [miq_request/show_list]

6. Package List:

CloudForms Management Engine 5.9:



These packages are GPG signed by Red Hat for security.  Our key and
details on how to verify the signature are available from

7. References:


8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2018 Red Hat, Inc.
Version: GnuPG v1


- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:


Australian Computer Emergency Response Team
The University of Queensland
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
Comment: http://www.auscert.org.au/render.html?it=1967