-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

====================================================================                   Red Hat Security Advisory

Synopsis:          Important: CloudForms 4.6.2 bug fix and enhancement update
Advisory ID:       RHSA-2018:1328-01
Product:           Red Hat CloudForms
Advisory URL:      https://access.redhat.com/errata/RHSA-2018:1328
Issue date:        2018-05-07
Cross references:  RHBA-2018:0556
CVE Names:         CVE-2018-1101 CVE-2018-1104 CVE-2018-7750 
====================================================================
1. Summary:

An update is now available for CloudForms Management Engine 5.9.

Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

CloudForms Management Engine 5.9 - noarch, x86_64

3. Description:

Red Hat CloudForms Management Engine delivers the insight, control, and
automation needed to address the challenges of managing virtual
environments. CloudForms Management Engine is built on Ruby on Rails, a
model-view-controller (MVC) framework for web application development.
Action Pack implements the controller and the view components.

Security Fix(es):

* python-paramiko: Authentication bypass in transport.py (CVE-2018-7750)

* ansible-tower: Privilege escalation flaw allows for organization admins
to obtain system privileges (CVE-2018-1101)

Red Hat would like to thank Graham Mainwaring of Red Hat for reporting
CVE-2018-1101.

* ansible-tower: Remote code execution by users with access to define
variables in job templates (CVE-2018-1104)

Red Hat would like to thank Simon Vikström for reporting CVE-2018-1104.

For more details about the security issue(s), including the impact, a CVSS
score, and other related information, refer to the CVE page(s) listed in
the References section.

Additional Changes:

This update also fixes several bugs and adds various enhancements.
Documentation for these changes is available from the Release Notes
document linked to in the References section.

4. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1495849 - [ALL_LANG] VM or Template comparison screen has untranslated entries.
1510499 - With RHV Graph refresh template numbers in Provider inventory does not get updated correctly.
1526086 - [ALL_LANG] Compute - Containers - Container Builds page has missing translations
1526088 - [ALL_LANG] Compute - Containers - Pods page has missing translations
1530680 - xClarity: EvmRole-operator unable to view physical server summary page
1530760 - [ALL_LANG] Control - Explorer - Policy Profiles - All Policy Profiles : 'Policy' is not localized
1533220 - [ALL_LANG] Control - Explorer - Actions - All Actions - Configure - Add a new Action : 'Action Type' drop-down menu has untranslated entries
1533233 - On Tag Assignment  page Category has other Tags than preconfigured for it
1533515 - [ALL_LANG] User Icon - Configuration - Access Control - Roles : Add new Role has untranslated entries
1538094 - [ALL_LANG] User Icon - Tasks : untranslated entry
1538100 - [ALL_LANG] User Icon - Configuration - Settings - CFME Region: Region xx[xx] has untranslated entry
1549625 - webui updates failing when a proxy is required
1549722 - WebUI: Tool tip displays html code while setting the ownership for multiple vm's
1550728 - Replication configuration page does not open when child database is down
1550730 - [Ansible Embedded] - Embedded Ansible cannot be enabled on IPv6 only appliance
1550736 - unable to view quotas without manage quota permissoin being enabled in 5.8.2
1551692 - internal server error ActiveRecord::AssociationTypeMismatch when editing current_group
1551696 - Colons are unhandled in BaseModel key generation in AzureArmrest
1551698 - Not possible to configure GCE provider for new regions (southamerica-east1) on CFME
1551703 - RHOS: Unable to delete cloud tenant
1552266 - Duplicated choice exist in new alerts view
1552269 - Network router type string contains ManageIQ path
1552278 - Authentication issue for checking status of Task API via EvmRole_administrator privileged User
1552282 - [RFE] Make Automation State Machine Log Lines Uniform
1552288 - [RFE] Metrics for memory usage of AWS instances is missing from C&U
1552290 - AWS Smartstate Does Not Fail Gracefully if AMI To run Analysis Agent is Unavailable
1552301 - Azure Template to service Dialog conversion issue
1552303 - [Azure]Provision Multiple VMs with Public IP selection options
1552305 - GCE Region is useless in GCE Provider
1552323 - xClarity:  server-host relationship to hosts managed by RHEV-M provider not created.
1552334 - Nuage provider name is always displayed as " Network Manager" on GUI
1552335 - EventCatcher is not restarted when Nuage provider is updated
1552671 - [RFE][XS-2] Add possibility to unregister a VM in RHV provider
1552673 - Cloudforms doesn't show IP of vms on vCloud provider
1552677 - VM does not have deletion event on its own timeline on vsphere55
1552704 - Default Docker Labels for Labeled Images in Chargeback Assignments
1552707 - Wrong error displayed when trying to add a group without a name
1552723 - Can't Manage Report Menu Accordions and Folders1552735 - Filters not working properly in config mgmt configured systems
1552737 - UI: Broken bootstrapswitch design in custom button option of generic object
1552739 - [RFE] Expose Infra provider networks (RHOS) in host/node details
1552740 - [ALL_LANG] User Icon - Configuration - Settings - Schedules : Add a new Schedule page has untranslated entries
1552741 - Can't remove multiple instances or methods in UI.
1552743 - ui: Tabs switched When changing the System/Process type on add new button page
1552746 - typo in provider summary page: metrics type Hakular  Hawkular
1552748 - [Embedded Ansible] Notification typo
1552753 - CFME Log lines in Diagnostics are divided into multiple lines
1552762 - Error when applying a filter in My Services from Adv search
1552763 - Remove Chargeback Rates field for Metering reports
1552776 - Auth MIQLDAP AD - miqldap_to_sssd conversion fails for ldap.
1552782 - Smartstate on Azure Managed Linux Instance returns Unable to mount filesystem.  Reason:[XFS::DirectoryDataHeader: Invalid Magic Number 0]
1552783 - Unable to add playbook repos after webui update
1552785 - Auth MIQLDAP AD - Users can't log in to console after miqldap_to_sssd conversion
1552790 - Validating credentials for replication throws error if pglogical schema not created
1552791 - miqldap_to_sssd help message is incorrect
1552792 - Auth External Auth SAML - Users with custom groups with special chars can't log in.
1552794 - A control alert for real time performance of a VM and Instance is not firing
1552796 - [RFE] Chargeback reports for OpenStack tenants
1552798 - [Providers] - Instances not linked after provider removal/addition
1552800 - Retirement requester is not passed down correctly to automate
1552801 - RBAC doesn't work for notifications
1552802 - No notification for failed registration
1552804 - configure_server_settings.rb changes numeric values to strings, causing failures when other code is expecting integers1552809 - [RFE] Support RestAPI Primary Collection for Containers (object)
1552817 - SUI doesn't display costs for SCVMM services
1552824 - Can Add Duplicate Custom Attributes on OpenShift Provider Via the API
1552826 - internal server error when cloud_networks, cloud_subnets or security_groups subcolls requested on RHEVM
1552828 - internal server error when accessing attributes of the "picture" resource
1552838 - Targeted folder refresh doesn't work on VMware
1552842 - Customize vApp template prior provisioning (VMware vCloud Provider)
1552873 - RBAC Users can be removed from all associated groups after the webui shows the error "A User must be assigned to a Group"
1552879 - Tagging broken in Datastores and My Services page
1552880 - [RFE] There is no any indication in replication subscription screen for not accessible remote node
1552882 - The quad-icon tile for an OpenShift provider shows an exclamation mark, but a mouseover shows "Refresh Status: Success"
1552884 - Cursor on password field instead of username when we enter incorrect login details
1552886 - Unwanted comma in disk type string for Azure instances
1552889 - containers: identical volume name for different volumes in different pods is not useful for users (at least not admin)
1552890 - Tagging: Edit tags page doesn't open for network list items navigated through parent details page
1552895 - Error updating Nuage provider
1552900 - Title does not update when searching text in Datastores and other pages
1552903 - Automate tree in the left pane has duplicates following any copy operation (instance, class, namespace)
1552904 - The accordion folds after adding a schedule
1552908 - Add button is not responsive on Role add page
1553191 - Timelines: Throws an error while trying to access Cloud Intel/Timelines
1553197 - Configuration -> Red Hat Updates tab does not list all required repositories
1553214 - JavaScript-UI: Wrong behavior of `display on button` checkbox while editing custom group form
1553224 - Set Ownership can not be changed back to default
1553241 - Container add provider empty flash message when not catch UI exception
1553242 - Tag: All Catalog Items are listed in resource dropdown while creating Catalog Bundle using restricted user
1553243 - Save button isn't activated when date is removed in VM "Set/Remove retirement date"
1553244 - [QEDevCollab] Components in 'Add button group' form causing test automation failures
1553251 - Chargeback Rates page title incorrect after deleting rate
1553288 - Flash message icon is not correct Bottlenecks page
1553295 - Unable to perform SSA if Vm storage is fileshare on SCVMM and throws error in evm.log
1553304 - Evacuate Host failed
1553307 - Undefined method `vmm_version' for nil:NilClass on VM summary screen
1553309 - [RFE] Generic objects not displayed
1553311 - Wrong 'Fixed IPs' font size while adding a router with external gateway
1553315 - C & U Collection settings in configuration page improper styling
1553316 - On schedules pages is shown pagination from analysis profiles
1553317 - Broken footer in alerts
1553319 - [RFE][S-3] UI displays disabled domains for a instance's domain priority
1553322 - audit.log should not contain translated messages
1553323 - Adding Interface to Router with user in Tenant show all Subnets and not only the Tenant's Subnet
1553326 - Switch icon is missed on tag assignment page
1553327 - Stack Outputs icon is not displayed
1553329 - Using webmks console one cannot type correctly the password when it contains special characters1553336 - Default view settings fails for service catalogs
1553340 - [CONDITION] When we leave description blank, there are two identical flash messages.
1553345 - Openstack infra provider dashboard should not appear for an openstack infra provider
1553362 - Add miqssh utilities
1553384 - [RHV] VM Reconfigure: Down VM Memory increase fail on cannot exceed maximum memory
1553389 - VMware vCloud Provider's VM is only partially stopped/suspended
1553392 - EvmRole-auditor can perform actions on VM
1553393 - [RFE] Add RBAC and Tagging Support to Ansible Credentials.
1553396 - [RFE] Add RBAC and Tagging Support to Ansible Repos
1553397 - Error while checking that migrations are up to date
1553399 - Normalize text for operational alerts
1553480 - SUI : Clicking any link on dashboard does not change the navigation in left side
1553482 - Kebab menu appearing differently on service page and resource detail pages
1553483 - Kebab menu changes structure after 30 seconds in SSUI resource detail page
1553768 - [RFE] Add RBAC and Tagging Support to Ansible Playbooks
1553776 - Role inconsistency with privileges when creating reports and setting chargeback filters1553779 - Restricted user can see all group and users1553780 - notifications do not get cleared from the notification table
1553789 - Unable to add tag for configuration provider from 'All Rad Hat Satellites Providers'
1553791 - xClarity: Physical server summary page download as PDF button not supported
1553836 - Visibility expression does not evaluated correctly on custom buttons for Generic Object
1553873 - Missing Datastore Images
1553903 - [Regression] Backup/restore failing on appliances using pglogical
1554358 - Graph refresh should not be used for rhv36 providers1554370 - Wrong breadcrumb link on order screen
1554454 - Adding a physical provider shows as infrastructure provider (text change)
1554532 - Schedule report fails to send mail when report is not empty
1554541 - Long time to refresh network provider on OpenStack
1554823 - Infinite spinner on Edit Playbook Reset button
1554825 - NTP server details doesn't show in UI after adding a new zone
1554832 - Automatic placement causes cloud tenant to not be selectable
1554839 - Policy simulation results are not displayed
1554889 - OpenStack Cinder Storage provider detail does not have link to Volume Backups
1554898 - when deleting an archived node using configure > remove a unknown method error is raised
1554901 - Missing Guest OS in dashboard reports in Openstack
1557130 - CVE-2018-7750 python-paramiko: Authentication bypass in transport.py
1557353 - Adding a network router via CloudForms the router is not seen by CloudForms
1557361 - [RFE][XS-2]Cloudforms does not show node hostname, only GUID for OpenStack Infrastructure Provider
1557367 - Request not required when adding Schedule
1557378 - [UI] There is no indication of cloud network delete operation
1557380 - Tagging: Edit tags page doesn't open for images opened from provider summary page
1557388 - Inconsistent capitalization of 'CPU' when creating chargeback rate
1557391 - Physical Infrastructure provider quadicons doesn't support single view
1557400 - Physical server quadicon switch under My Settings doesn't respect RBAC rules
1558030 - internal server error when accessing the "policy_events" attribute of the "vms" resource
1558038 - AWS flavor list is out of date
1558040 - Not able to scan instances in AWS
1558046 - OpenStack - Include Provider Error Message in MiqProvisionFailure
1558048 - Provision fails if no Subnet assigned not Cloud Network
1558078 - [RFE][M-5] Targeted Refresh for Azure Provider
1558092 - Dropdown to delete a "not responding" server is missing
1558142 - Network provider quadicons doesn't support single view
1558144 - UI inconsistency - Size Unit title missing when adding a new disk
1558544 - Creating buttons under the Datastore objects do not appear on Datastore Details Pages
1558594 - No event AWS_EC2_Instance_UPDATE  when renaming a VM on EC2
1558610 - Images from the webmks css causes CSP errors in browser console
1558621 - RedHat domain can be edited/deleted
1558626 - PG::InvalidTableDefinition: ERROR:  cannot alter inherited column "resource_type
1559475 - CUI returning empty array when dialog without associations is saved
1559479 - [RFE] Add RHV Credential to Ansible Automation Inside
1559483 - CUI doesn't check dialog field associations
1559543 - [RFE] Metering Reports should provide Hours of Existence & Start and end time of VMs, Projects and Images
1559544 - [RFE] Collect Container Project Quota Historical data in Project Roll-up
1559550 - Regression Instance Method check_quota Throws Error 5.8.2 to 5.8.3 undefined method provisioned_storage
1559552 - Api::ServiceCatalogsController timeout error in multi-regional environment
1559609 - Amazon agent deployment has to choose the VPC which has attached gateway configuration
1559624 - Graph refresh does not fetch custom attributes
1560004 - [RFE] SCVMM provider refresh error message issue if provider user doesn't have access to VMM service
1560096 - Error occurs when trying to edit a catalog item
1560098 - Outgoing SMTP E-mail Server settings not saved on first attempt
1560100 - Total matches of Ems Cluster roles showing wrong count
1560104 - Automate Schedule: "Starting time" field saves nonsense.
1560692 - Stop CF pestering OpenStack for Swift status when there is no Swift.
1560699 - Consolidated RefreshWorkers may cause job starvation
1560703 - Refresh is broken for ec2 when get_public_images is set to true
1560708 - My Company(All EVM Groups) filter missing from reports schedule
1561076 - Duplicate RBAC Role and Group names allowed when using different capitalization from the original name
1561079 - [Regression]Error with report policy event for the last 7 days
1561085 - [RFE] Azure Network router not displayed on CFMe
1561091 - List view displayed instead of grid on Manage Policies screen
1561096 - Default selected tag name / value mismatch when assigning tags
1561107 - ERROR -- : AnsibleTowerClient::Middleware::RaiseTowerError Response Body: {"detail"=>["'username' is not a valid field for Vault"]}
1561216 - Failure to refresh on OpenStack provider when Fog::Storage::OpenStack::File object has nil body attribute
1561218 - [RHV] PXE provision with Network "use template nics" fail on creating VM
1561222 - ping feature inconsistent with webui ping when database connectivity is lost
1562075 - Duplicate values are shown in dialog dropdown.
1562235 - Nics are Provisioned out of Order for VMware Service Provision
1562772 - tenant source_id compromisation after changing provider credentials
1562777 - Approval permissions are not followed between different groups
1562779 - Cannot create service template using the API
1562780 - [SCVMM]Extract Running Processes completed Task List does not inform about Warnings.
1562782 - A state machine's on_exit method runs before the main method if the main method is an embedded Ansible playbook
1562785 - Refresh failed after performing vm_reconfiguration_task
1562788 - [Regression] RHV provider discovery doesn't work
1562791 - Database Replication broken for current and new regions
1562797 - CFME - usage of non standard special characters (e.g. accents) in password causes user is not able to login
1562800 - Schedule Operation: Cannot create schedule, "Add" button is not active
1562803 - [RFE] CFME, add Ansible GIT repository custom SSH port option
1562811 - No Advanced Search in Volume Snapshots/Backups
1563268 - CloudForms appliance is ignoring azure proxy settings in advanced tab.
1563351 - Nuage provider is unable to refresh inventory when subnets are missing gateway address
1563358 - Nuage Networks provider does not handle empty AMQP details
1563359 - Nuage Provider doesn't capture Alarms
1563361 - Nuage provider's event catcher yields "Too many open files" after 9 hours1563363 - VMware vCloud Provider's inventoring fails because of bug in Disk parsing
1563364 - Support console access for VMware vCloud Provider's VMs
1563492 - CVE-2018-1101 ansible-tower: Privilege escalation flaw allows for organization admins to obtain system privileges
1563731 - in the conditions screen you see "Container Node" on the left but "Node" on the right
1563740 - ReconfigVM Event triggers a refresh_sync Holding Automate Process in State Machine
1565139 - Some expression method definitions can fail with "