[RHSA-2017:1758-01] Important: Red Hat CloudForms security, bug fix, and enhancement update
- From: "Security announcements for all Red Hat products and services." <rhsa-announce redhat com>
- To: rhsa-announce redhat com
- Subject: [RHSA-2017:1758-01] Important: Red Hat CloudForms security, bug fix, and enhancement update
- Date: Wed, 2 Aug 2017 13:25:38 -0400
Red Hat Security Advisory
Synopsis: Important: Red Hat CloudForms security, bug fix, and enhancement update
Advisory ID: RHSA-2017:1758-01
Product: Red Hat CloudForms
Advisory URL: https://access.redhat.com/errata/RHSA-2017:1758
Issue date: 2017-08-02
Cross references: RHSA-2017:1367
CVE Names: CVE-2016-7047 CVE-2017-2664 CVE-2017-7497
1. Summary:
An update is now available for CloudForms Management Engine 5.8.
Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.
2. Relevant releases/architectures:
CloudForms Management Engine 5.8 - noarch, x86_64
3. Description:
Ansible is a simple model-driven configuration management, multi-node
deployment, and remote-task execution system. Ansible works over SSH and
does not require any software or daemons to be installed on remote nodes.
Extension modules can be written in any language and are transferred to
managed machines automatically.
Red Hat CloudForms Management Engine delivers the insight, control, and
automation needed to address the challenges of managing virtual
environments. CloudForms Management Engine is built on Ruby on Rails, a
model-view-controller (MVC) framework for web application development.
Action Pack implements the controller and the view components.
The following packages have been upgraded to a later upstream version:
ansible (220.127.116.11), ansible-tower (3.1.3), cfme (18.104.22.168), cfme-appliance
(22.214.171.124), cfme-gemset (126.96.36.199), rh-ruby23-rubygem-nokogiri (1.7.2).
* CloudForms lacks RBAC controls on certain methods in the Rails
application portion of CloudForms. An attacker with access could use a
variety of methods within the Rails application portion of CloudForms to
escalate privileges. (CVE-2017-2664)
* It was found that a privilege check is missing when arbitrary methods
are invoked through VM filter expressions that MiqExpression executes,
which API users can trigger. An attacker could use this to execute actions
they should not be allowed to (e.g. destroying VMs). (CVE-2017-7530)
* The dialog for creating cloud volumes (cinder provider) in CloudForms
does not filter cloud tenants by user. An attacker with the ability to
create storage volumes could use this to create storage volumes for any
other tenant. (CVE-2017-7497)
* A flaw was found in the CloudForms API. A user with permissions to use
the MiqReportResults capability within the API could potentially view data
from other tenants or groups to which they should not have access.
(CVE-2016-7047)
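The four flaws above share a single pattern: a caller-controlled value (a method name in a filter expression, or a record id) is acted on without first checking what the caller is authorized to do. The Ruby below is an added illustration of that pattern and of the corresponding fixes, written for this page; it is not CloudForms or ManageIQ code, does not use Rails, and all of the classes, data and method names (Vm, ReportResult, evaluate_filter_safe, find_result_for_tenant and the sample records) are constructed for the example. It shows, first, a filter evaluator that passes the supplied method name straight to public_send beside one that only permits an allowlist of read-only attribute methods, which is the class of defect described for CVE-2017-7530; and second, an unscoped record lookup beside a tenant-scoped one, the class of defect behind the cross-tenant exposure described for CVE-2016-7047 and CVE-2017-7497.

```ruby
# Added example, not CloudForms/ManageIQ code. Pure Ruby, no Rails.
# All classes and sample data below are constructed for illustration.

# A constructed VM record with one read-only attribute set and one
# state-changing operation that a filter must never be able to reach.
Vm = Struct.new(:id, :name, :tenant_id, :power_state) do
  def destroy!
    self.power_state = "destroyed"
    true
  end
end

# A constructed report result that belongs to exactly one tenant.
ReportResult = Struct.new(:id, :tenant_id, :rows)

class UnauthorizedMethod < StandardError; end

# Unsafe pattern: the "method" field of the filter is handed directly to
# public_send, so any public method on Vm (including destroy!) is callable
# by whoever controls the filter.
def evaluate_filter_unsafe(vm, filter)
  vm.public_send(filter[:method]) == filter[:value]
end

# Hardened pattern: only attribute readers known to be side-effect free may
# be invoked. The check happens before the call, and the allowlist is a
# fixed constant rather than anything derived from the request.
FILTER_METHOD_ALLOWLIST = %w[name power_state tenant_id].freeze

def evaluate_filter_safe(vm, filter)
  method_name = filter[:method].to_s
  unless FILTER_METHOD_ALLOWLIST.include?(method_name)
    raise UnauthorizedMethod, "method #{method_name.inspect} is not permitted in filters"
  end
  vm.public_send(method_name) == filter[:value]
end

# Unscoped lookup: any caller who knows (or guesses) an id gets the record,
# regardless of which tenant owns it.
def find_result_unscoped(results, id)
  results.find { |r| r.id == id }
end

# Tenant-scoped lookup: the caller's tenant is a mandatory predicate, so a
# record from another tenant is indistinguishable from a missing one.
def find_result_for_tenant(results, current_tenant_id, id)
  results.find { |r| r.id == id && r.tenant_id == current_tenant_id }
end

# Constructed sample data (fresh objects on every call).
def sample_vms
  [Vm.new(1, "web01", 10, "on"), Vm.new(2, "db01", 20, "off")]
end

def sample_results
  [ReportResult.new(100, 10, ["tenant 10 data"]),
   ReportResult.new(200, 20, ["tenant 20 data"])]
end

if $PROGRAM_NAME == __FILE__
  vm = sample_vms.first
  bad_filter = { method: "destroy!", value: true }
  puts "unsafe evaluator returned #{evaluate_filter_unsafe(vm, bad_filter)}; vm is now #{vm.power_state}"
  begin
    evaluate_filter_safe(sample_vms.first, bad_filter)
  rescue UnauthorizedMethod => e
    puts "safe evaluator refused: #{e.message}"
  end
  puts "unscoped lookup as tenant 10 of id 200: #{find_result_unscoped(sample_results, 200).rows.inspect}"
  puts "scoped lookup as tenant 10 of id 200:   #{find_result_for_tenant(sample_results, 10, 200).inspect}"
end
```

Running the file prints the unsafe evaluator destroying the VM, the safe one raising UnauthorizedMethod, and the scoped lookup returning nil for the other tenant's record. The design point is that both fixes are enforced in the code path that does the work (the evaluator and the query), not in the UI or dialog that happens to call it, so an API client that bypasses the dialog is still constrained.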
The CVE-2017-2664 issue was discovered by Libor Pichler (Red Hat) and
Martin Povolny (Red Hat); the CVE-2017-7530 issue was discovered by Tim
Wade (Red Hat); the CVE-2017-7497 issue was discovered by Gellert Kis (Red
Hat); and the CVE-2016-7047 issue was discovered by Simon Lukasik (Red
This update also fixes several bugs and adds various enhancements.
Documentation for these changes is available from the Release Notes
document linked to in the References section.
4. Solution:
For details on how to apply this update, which includes the changes
described in this advisory, refer to:
5. Bugs fixed (https://bugzilla.redhat.com/):
1374215 - CVE-2016-7047 cfme: API leaks any MiqReportResult
1435393 - CVE-2017-2664 CloudForms: lack of RBAC on various methods in web UI
1438562 - [RFE] External Auth - AD - samba-common-tools and deps missing from appliance.
1439309 - Not able to see orders when not enough permission to see catalogs
1441321 - Access (Cockpit and HTML5) are inconsistent between Service and OPS UI
1444505 - "Collect" button is absent on slave server log collection page
1449273 - VM Hostname not displaying when RHV has FQDN
1450082 - Failed to remove interface from router - HA env.
1450087 - Cloud Router Summary does not show subnets which connected it - HA env.
1450150 - CFME: Dialog for creating cloud volumes does not filter cloud tenants CVE-2017-7497
1450502 - [RFE] Custom Button must be supported at VM level in Service UI
1450518 - Openstack services missing on node page
1454445 - Containers with empty "imageID" field points to wrong images
1455685 - Azure provision still needs First/Last name
1456017 - [RFE] Install latest stable version of Ansible Core on the appliance.
1458333 - Containers - old archived container entities are not purged
1458337 - In my settings page at login Configuration management shouldn't be in Infrastructure
1458339 - It is impossible to identify the source process/appliance for each connection in pg_stat_activity
1458341 - reports do not distinguish between same name custom attributes with different sections
1458356 - [Ansible Embedded] - User not informed about Embedded Ansible role enablement
1458360 - Entering Ansible Repository Incorrectly does not provide feedback that creation fails
1458363 - [VMWARE]Auto_placement provision fails if best_fit host doesn't have selected VM Network
1458365 - Can not get kernel version from reports
1458374 - [Azure] - No floating IPs displayed for LBs in Network topology
1458377 - Various network object CRUD forms require better filtering
1458434 - Use $log.log_hashes to filter out sensitive data in Ansible Playbook service.
1458445 - Extra parameter in call to Job#set_status from `VmScan#call_snapshot_delete'
1458447 - GCE Boot Disk Size options should be sorted by actual size
1458448 - Remove specific EVM server from zone
1458454 - [RFE] Add legend to Graph in OpenShift Ad Hoc Metrics
1458892 - The credentials for Automate Git Repository wasn't updating the correct authentications type
1458896 - infinispinner on attempt to open Alarm/Status Change management events on Timelines page
1458899 - Deleting object store object redirects me to object store containers list
1458900 - Export button is enabled on Custom Reports page
1458919 - Action button for verifying replication subscriptions on the far right is to small
1458921 - Chargeback Report VM identification (UUID)
1458924 - Web console for AWS is trying to connect on private ip instead public one
1458925 - WEB Console defaults to the first IP Address when connecting to Cockpit with RHV VMs
1458926 - UI blows up while downloading Switch Summary as PDF
1458927 - Tag Group UI | "Save" button gets inactive after switching between tabs(Host&Cluster, My Company Tag)
1458930 - Topology View for HyperV is missing all relationships
1458934 - Container Explorer Page is not scalable
1458935 - Smart Management | Tag info is not appear on container detail page after edit
1458943 - [SDN] - no Instance details in Floating IPs table for LB IPs
1458945 - Middleware Manager Deployments Download .pdf contains duplicate .war entries
1458946 - customers unable to access CFME thru UI due to chronic unpredictable termination of httpd service
1458947 - get-inventory.ps is returning SCVMM internal temporary templates in addition to actual templates
1458951 - Host targeted refresh fails when using sdk (v4)
1459217 - [RFE] Azure managed images not discovered
1459225 - Check for blank password in database configuration to avoid postgres errors
1459227 - Benchmark timings are incorrect for all workers in evm.log
1459235 - SSA Fails in Windows workloads but not in Linux ones on OSP9
1459243 - Message 'Cannot edit VM. Physical Memory Guaranteed cannot exceed Memory Size' is logged as INFO in automation.log
1459247 - MIQ LDAP - Certain users with special attributes can't log in to services UI.
1459257 - Auth - MIQLDAP - FreeIPA - Can't switch groups in SSUI
1459258 - AWS S3 deleting object store object(folder) that has another objects in it does nothing
1459261 - vmreconfigure allows circumvention of quota and approval mechanisms
1459262 - When adding Disk with reconfiguration on vmware, after 16th Disk, a new controller is created hardcoded to Parallel Type
1459264 - [UI][RHV][VM Reconfigure] Disks section - "Delete Backing" Yes|No button stuck in the middle.
1459297 - Display notification message when search on Provider Topology page returns no records
1459306 - Retirement - log the zone when raising a retirement event.
1459318 - Azure refresh results in timeout errors
1459562 - Incorrect storage used in Chargeback reports
1459902 - Show tag info for playbook services
1459903 - No flash message after editing provider settings
1459923 - Error indicator does not display on the OpenStack New Infrastructure Provider form for the Default tab
1459928 - Raw methods exposed for Cloud Tenant instead of non-raw
1459929 - Unable to collect inventory for 40,000 container images, results in kubeclient timeout
1459940 - I can't change only volume name when editing gp2 type block storage volume(EBS)
1459944 - Tag Information Not Displayed on Catalog Items
1459959 - Calendar control on Cluster Utilization page gets clipped
1459962 - Ansible Playbook Service: Cannot update new dialog name and other UI issues
1459977 - Existing or Newly created service added to parent service via REST API or from automation is not visible in UI
1459986 - Error message displayed when adding playbook service catalog item to global region
1459989 - Service dialog is created without extra_vars
1459990 - Ansible playbook : Error when creating new dialog with existing dialog's name
1459992 - Resetting planning results in flash msg twice
1460000 - backup service fails due to: incremental=>true
1460002 - Unable to change rhevm credentials after upgrade from 5.6 to 5.8
1460004 - Parent tenant displayed in list view when allowed by RBAC
1460023 - containers: information under "Labels" is shown in reverse alphabetical order (z-a)
1460024 - Create a snapshot of this volume action is missing in Block storage volume list configuration menu
1460027 - Expose container projects and template parms in service model
1460031 - When provisioning VM, multiple emails with same content are sent
1460032 - Forbidden Error when creating a cloud network
1460033 - Pop-up with usercase occur if press "Edit" button after log collection via dropbox
1460034 - Failed to create subnet
1460036 - [VMWare][Topology] - wrong title of Clusters and Tags not displayed
1460265 - Tag Group UI | Cannot select single host, checkboxes are missing
1460293 - Custom Button: None credential is always used during Ansible Playbook Service provisioning
1460294 - Bulk assign_tags does not populate href properly
1460304 - Ansible Repository SCM Credential cannot be cleared after being set
1460307 - [RFE] Allow for deletion of group when users belong to another group
1460308 - Allow identify replicated interfaces on HA environments
1460309 - undefined method `status_ok?' for #<MiqTask:0x0000001a97daf0> causing post_scaledown_task to fail
1460310 - ContainerImage :registered_on field is wrong
1460316 - Custom button failing to execute
1460318 - Cloudforms causes a Token Storm on OSP10 overcloud
1460334 - RHV Host refresh fail on undefined method `detect' for nil:NilClass
1460339 - SmartState required automate server roles enabled on the worker has SmartProxy role enabled
1460348 - manageiq.api_token failing in playbook when using a multi-appliance deployment
1460349 - After killing reporting worker, report status still says Running
1460356 - Ansible Service Catalog Template Job not honoring provider zone
1460357 - Node Utilisation in Dashboard show more Nodes than avaible
1460359 - Remove policy checking for request_host_vmotion_enabled event
1460366 - Cannot suspend server role in CFME Region menu
1460372 - webadmin: template info is not shown correctly in several fields of Objects table
1460375 - Refreshing the ansible tower provider page does not load the View buttons
1460380 - Schedule Time value is reset during editing provisioning request
1460382 - Default number of topology items shouldn't be Unlimited
1460383 - HTML5 Console Title Reads as "ManageIQ HTML5 Remote Console"
1460384 - Search and advanced search is missing in Object Store Objects
1460385 - Unable to download aws volumes snapshot summary in PDF format
1460386 - When importing custom variables always "Choose the type of custom variables to be imported" appears
1460387 - Incorrect padding in Actions and Conditions selection screens
1460394 - Saved Reports getting deleted when deletes all finished reporting task from All Other Tasks page
1460396 - Failed while launching imported report based on Chargeback for Projects via REST API.
1460397 - Archived container entities are not destroyed when the provider is deleted
1460736 - ISO domain images are not displayed
1460755 - SSUI shows Manage IQ productization
1460761 - report vm and instances field 'Provision.Request : Approved By' does not apply any styling
1460776 - [RHOS] Cancelling 'Provision instance' action throws exception
1460777 - Some inconsistencies in Hosts listnav and Hosts Summary screen
1460781 - Tenants : Reset button not working in Tag Assignment page
1460791 - Unable to edit ansible repository by "Enter" pressing
1460792 - Filters not working properly in config mgmt configured systems
1460802 - Missing "data-id" attribute in Bootstrap select elements
1460803 - Embedded Ansible role does not migrate cleanly to another appliance
1460805 - failure of "Embedded Ansible " fails to install prevents that from ever installing
1460807 - Access Web Console Cockpit not compatible with Windows VMs
1460808 - service dialog saving elements when switching elements - cancel only reverts current element
1460809 - [RFE] - Add 'Verbosity' drop down on both Provisioning & Retirement tabs for Playbook Catalog Items
1461070 - The IP version (network protocol) is not displayed when editing cloud subnets
1461103 - Missing unit on VMDB Utilization page
1461142 - Impossible to graph multiple data-series in Ad-hoc Metrics if they are on different pages
1461143 - Service Retirement not working properly for Orchestration Stacks due to missing zone.
1461144 - Use of the new create_service_provision_request method is inconsistent with other create_*_request methods
1461161 - Log Collection fails via IPv6
1461165 - Cancel button remains disabled in Add interface to router page
1461169 - Valid SCVMM file share not showing up as datastore on host.
1461183 - Service catalog service dialog refresh function in cf 4.2 behaves differently from cf 4.0
1461456 - Export button for Custom Reports doesn't work
1461460 - [ALL LANG] Compute-Clouds-Tenants has missing translations for menu and table entries
1461467 - default report with timelines "Operations VMs Powered On/Off for Last Week" doesn't include instance events
1461475 - 'Restart Guest' is available on Vm without VMTools from 'On' state
1461485 - Editing Infrastructure Providers and Hosts from a list returns to details screen instead of back to list
1461513 - CloudForms 4.1 Child tenants are allowed to view other child tenants Service Requests
1461522 - Validation error: ems/core not defined while ContainerGroups in the "Pending" state
1461535 - Maintenance mode flag not being set on SCVMM hosts.
1461541 - Reports - Number of Nodes per CPU cores - Wrong Name of report
1461558 - OpenShift smartstate errors -unknown access error to pod management-infra/manageiq-img-scan-7f243: #<Net::HTTPBadRequest:0x00000010422df8>
1461559 - Wrong RHV provider refresh error, when provider is down.
1461593 - subselection in access control role, not bubble up in tree display
1461596 - CloudForms Topology View shows Archived VMs
1461857 - provisioning from pxe fails when using ovirt sdk v4
1461860 - Add RHV provider using a bad hostname do not fail the validation in UI.
1461868 - [SDN][Tags] - Redirection to Network provider summary page page after tag is saved
1461869 - Tag Visibility | Cloud Stack: Tag is not added if stack list opened from provider detail page
1461956 - Reports - Number of Nodes per CPU cores - "Name" header
1461958 - it takes 10-20 sec to add column to new report when report is based on big fields set like Virtual Machines
1461988 - checkboxes on Control Policies->Event Assignments page aren't grouped/organized
1462287 - No spinner when waiting for Cloud Key Pair to save
1462309 - service now integrations for determining host_name return empty array
1462358 - Hourly metrics_## tables grow filling up the VMDB filesystem when real-time purges fail
1462361 - Openstack infra provider dashboard should not appear for an openstack infra provider
1462774 - VM provision via restapi fail, if the chosen data store name exist more than once in CFME.
1462779 - [Ansible Embedded] - Remove ssh keys fields from SCM credentials form
1462801 - Openshift refresh crashes due to template.objects being nil
1462844 - "" As a hawkular endpoint port passes validation, but prevents provider edit.
1462957 - [Microsoft]Reset option available from Details
1463275 - Add support for v4 of the RHV api in event monitoring
1463321 - Inconsistencies in Access Control for Automation - Ansible feature
1463381 - Replace nodejs010 with node from SCL in appliances
1463668 - Missing Memory graphs on Azure Availability zone Utilization page for daily interval
1463848 - static ipv6 primary DNS default fails
1464118 - VMRC does NOT work if CFME is accessed with IPv6 Address
1464151 - UI: Showing wrong flash message when "Check Compliance of Last Known Configuration"
1464153 - Floating IP: Cannot associate or disassociate a port
1464203 - Disk space issues when running upgrade from 5.7 to 5.8
1465448 - CVE-2017-7530 cfme: Execution of arbitrary methods through filter param
1466049 - SSUI : No Scroll bar to scroll to the bottom in service catalog page , Unable to provision service catalogs at the bottom
1466855 - Embedded ansible role fails to re-initialize after webui update
1468272 - Edit tag page doesn't work for filtered items
1468275 - [RFE] Trigger a refresh when adding/editing/deleting anything in CFME Block Storage(EBS)
1468281 - websocket connection leaks causing failed connections
1468285 - [CFME4.5]Configuring Multi-Region, Single LDAP Authentication, Synchronized RBAC/Resource.
1468292 - Navigation accordion on Cloud->Instances page fails
1468294 - SSUI : "Error loading Services" when clicked on "My Services"
1468295 - Non-admin users unable to see Catalog Items in SUI
1468296 - Display a warning for large number of objects in the Topology pages
1468336 - Unable to view Reports if a member has a custom Role - indefinite spinning wheel
1468337 - UI: infinispinner appears In the Report accordion
1468370 - Drop Down List Dialog does not keep default value for Integer type
1468376 - upgrade to CF 4.5 complains about "could not find nokogiri-1.6.8" during "rake db:migrate"
1468380 - Setting Start Page to Container/Explorer sets to URL to an invalid URL
1468700 - Azure refresh fails with private_ip_address property not found
1468703 - Azure refresh fails if provider has no orchestration stacks
1468729 - [Regression] Saved reports unavailable under Reports accordion
1469308 - Unable to select the Azure region UK South
1469560 - Collect container metrics is done until time.now instead of until end-time
1469653 - Some container resources not cleaned up after removal from Openshift - research
1469702 - performance issue in openstack collection
1470179 - the buttons of the html5 console do not work with windows vms
1470773 - [RFE] Buttons assigned to VMs should be available in Self Service UI
1470774 - in the self service portal after a little time displaying a vm, data changes to garbage data
1470800 - OSP: when validating an account with access to many projects, it checks each, and times out
1470812 - Validation Credentials fails for OSP 10 Provider with AD "domain" user
1470847 - Unexpected error encountered while switching maintabs to configuration manager provider
1471821 - Ansible tower job templates filters are not displayed
1472837 - [Regression] Error while generating Chargeback reports
1472841 - Setting static ipv6 address clears ipv4 address in appliance console.
1472842 - After setting ipv6 to dhcp its not possible to set it back to static
1473336 - Service Requests are not seen by user in Global Region
1473424 - Firewall rules prevent appliance from getting a dynamic IPv6 address
1473787 - Ansible workers not starting
1474504 - Unable to navigate through the service requests due to a template error on "split"
6. Package List:
CloudForms Management Engine 5.8:
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
The Red Hat security contact is <secalert redhat com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2017 Red Hat, Inc.