-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

====================================================================                   Red Hat Security Advisory

Synopsis:          Important: CloudForms 4.6.4 security, bug fix, and enhancement update
Advisory ID:       RHSA-2018:2561-01
Product:           Red Hat CloudForms
Advisory URL:      https://access.redhat.com/errata/RHSA-2018:2561
Issue date:        2018-09-04
Cross references:  RHSA-2018:34177
CVE Names:         CVE-2018-3760 CVE-2018-10905 
====================================================================
1. Summary:

An update is now available for CloudForms Management Engine 5.9.

Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

CloudForms Management Engine 5.9 - noarch, x86_64

3. Description:

Red Hat CloudForms Management Engine delivers the insight, control, and
automation needed to address the challenges of managing virtual
environments. CloudForms Management Engine is built on Ruby on Rails, a
model-view-controller (MVC) framework for web application development.
Action Pack implements the controller and the view components.

Security Fix(es):

* cfme: Improper access control in dRuby allows local users to execute
arbitrary commands as root (CVE-2018-10905)

* rubygem-sprockets: Path traversal in forbidden_request?() can allow
remote attackers to read arbitrary files (CVE-2018-3760)

For more details about the security issue(s), including the impact, a CVSS
score, and other related information, refer to the CVE page(s) listed in
the References section.

Red Hat would like to thank Stephen Gappinger (American Express) for
reporting CVE-2018-10905.

Additional Changes:

This update fixes various bugs and adds enhancements. Documentation for
these changes is available from the Release Notes document.

4. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1565259 - Requests originating from the API contain no 'userid' attribute in $evm.root
1588527 - Service dialog text, dialog element and button layout/spacing is incorrect in CloudForms 4.6
1591494 - [RFE] Add configuratble vhost to AMQP monitor
1591495 - Tag Expression form:The newly added category does't appear in expression form
1591496 - Expression methods can not access Flavor tags
1591497 - VMware Add Provider can validate VMRC Console credentials successfully for non-existing User
1593058 - CVE-2018-3760 rubygem-sprockets: Path traversal in forbidden_request?() can allow remote attackers to read arbitrary files
1595416 - User that calls refresh automation domain from git branch is not correct user in UI
1595445 - Copying a method does not copy embedded methods that have been added
1595447 - Satellite credential validation times out with no error message
1595448 - Can't access new flavor page when accessed from cloud provider
1595450 - Quadicons in tagging screens should not be clickable
1595451 - task id not included on automation.log when logging from methods
1595454 - Disabling "Dashboard" under service UI for a role does not actually  disable the dashboard
1595456 - Wrong Platform Attribute for OpenStack Provisioned Instance Showing Windows instead of Linux
1595461 - During metrics collection for a VMWare provider, SOAP exception occurs during queryAvailablePerfMetric for non-existent VM
1595776 - Dialogs should only run once
1598528 - [RFE] Automate - Expose max_retries override at instance level
1598532 - Generic objects class accordion is not display when locale is french
1598873 - Adding an Ansible Playbook button does not work correctly with Firefox (for Mac)
1599350 - Unable to access tower job .normalized_live_status because "wrong constant name ::Dev::Xvda"
1599353 - CloudForms : Wrong heading message while accessing Cloud Networks
1600191 - 502 Proxy Error
1600670 - Service Bundle retirement: retire_ now not implemented in subclass
1600738 - refresh methods stop being called after working for several days in the self service version of dialogs
1601587 - self service dynamic dialog droplist glitch
1601589 - Service Provision is Failing Because Last Auth Check Failed for Azure Provider
1602190 - CVE-2018-10905 cfme: Improper access control in dRuby allows local users to execute arbitrary commands as root
1603022 - 404 error accessing OpenStack console
1603029 - required field blocks validation of a dialog after automation method called
1603031 - A custom button doesn't work on a service which has no parent catalog item associated with it.
1603058 - AD authentication failing cross region.
1603210 - Timepicker doesn't pass correct timing on service order
1607441 - Internal Server Error during filtering by flavor name in API
1608844 - after removing a zone, messages related to the zone linger in the database
1610055 - [RFE] CFME 5.9.4 - support ssh transport method
1610425 - Source and target network become zero after moving host to maintenance and activating it
1610685 - Service Dialog CheckBox has null value when not ticked by default
1611002 - SCVMM smartstate fails with undefined method `close' for nil:NilClass
1611660 - 'Refresh' button moves over the line when window is resized
1612062 - unable to view validation or cancelation buttons in dynamic dialogs tied to a Service button
1612856 - Browser title in reads "translation missing ..." in Portuguese
1612889 - [RFE] chargeback rates assigned to tags via multiple tag category assignations do not seem to get saved
1613295 - Report based on Chargeback for project fails with ERROR -- : [TypeError]: no implicit conversion from nil to integer  Method:[block in method_missing]
1613387 - Tenant admins is not able to see newly created users1613757 - OSP provider refresh fail
1615633 - Edit tag: Cannot select second tag to items
1618219 - Remove resources field behaves erratic

6. Package List:

CloudForms Management Engine 5.9:

Source:
cfme-5.9.4.7-1.el7cf.src.rpm
cfme-amazon-smartstate-5.9.4.7-1.el7cf.src.rpm
cfme-appliance-5.9.4.7-1.el7cf.src.rpm
cfme-gemset-5.9.4.7-1.el7cf.src.rpm
rh-postgresql95-postgresql-pglogical-2.1.0-4.el7cf.src.rpm
rh-ruby23-rubygem-redhat_access_cfme-2.0.3-1.el7cf.src.rpm

noarch:
rh-ruby23-rubygem-redhat_access_cfme-2.0.3-1.el7cf.noarch.rpm
rh-ruby23-rubygem-redhat_access_cfme-doc-2.0.3-1.el7cf.noarch.rpm

x86_64:
cfme-5.9.4.7-1.el7cf.x86_64.rpm
cfme-amazon-smartstate-5.9.4.7-1.el7cf.x86_64.rpm
cfme-appliance-5.9.4.7-1.el7cf.x86_64.rpm
cfme-appliance-common-5.9.4.7-1.el7cf.x86_64.rpm
cfme-appliance-debuginfo-5.9.4.7-1.el7cf.x86_64.rpm
cfme-appliance-tools-5.9.4.7-1.el7cf.x86_64.rpm
cfme-debuginfo-5.9.4.7-1.el7cf.x86_64.rpm
cfme-gemset-5.9.4.7-1.el7cf.x86_64.rpm
cfme-gemset-debuginfo-5.9.4.7-1.el7cf.x86_64.rpm
rh-postgresql95-postgresql-pglogical-2.1.0-4.el7cf.x86_64.rpm
rh-postgresql95-postgresql-pglogical-debuginfo-2.1.0-4.el7cf.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2018-3760
https://access.redhat.com/security/cve/CVE-2018-10905
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is . More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2018 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBW47IZtzjgjWX9erEAQhuaBAAjcYrhESmgh3/OFH4t1rAQ/sYcuRYhopZ
0hmLtNhpyHlTx/VAqpkIS1a69uRlyeOc8/PfUh9zA7LZYRePRGA5/rMmsvyhoqV0
MDRsNMPU+sbSs8vLrvul+mAsTGkdHFAMXDB7Hay3gOntiCGU6vBX/AxfKRYkJjjU
RJvPIoos2auq+k2PXSOiKoQMzKWqgqQcvBdfZHhjqBxDD8xN+zKElUFbztHSUPS3
3CGw7jRrJAqjO4FmN62SNPWRxBGnw8Lzzj2N3gDd4IyxEd0EWjenaGfE4ZHY/yfF
TnQ5N3jhsw5Z5q3RuvXKfNl6Ke7bChWUQNZjoA+v4vKDUxL2y8EEQ2ZkLS8icUgR
ZzpCLeB8bPoNcWFv1BjEllfIA9bUZ7e7x7/ur5aykOOicsPJnGGFEZhCIYUzbe9b
7kdXKQIsfu+ru01GoIKY9dXLhWg/h1Q/lBRwh05qDHD0a6iyGV2RpQMvSbsTrJSq
Yjr7il+HBfgW2lFDzJFtO9kSWiRrsrgwY3C6rzLG6oJcu2hzV9APu5y21GxF8Qq0
7q20a9bUMxptcmRFqhqVj1K8rE+NKom0dKFhsihc97l/iKP9wo1fYFNDHfk8rVjL
MhH++1KHoLGIDxsU4ZF0fhSs82XG1TtXIbUYPe5dcjtnNoZBy9xwCdyttopOn2TY
D3HNNisehaA=0QPa
-----END PGP SIGNATURE-----

--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce

RedHat: RHSA-2018-2561:01 Important: CloudForms 4.6.4 security, bug fix,

An update is now available for CloudForms Management Engine 5.9

Summary

Red Hat CloudForms Management Engine delivers the insight, control, and automation needed to address the challenges of managing virtual environments. CloudForms Management Engine is built on Ruby on Rails, a model-view-controller (MVC) framework for web application development. Action Pack implements the controller and the view components.
Security Fix(es):
* cfme: Improper access control in dRuby allows local users to execute arbitrary commands as root (CVE-2018-10905)
* rubygem-sprockets: Path traversal in forbidden_request?() can allow remote attackers to read arbitrary files (CVE-2018-3760)
For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.
Red Hat would like to thank Stephen Gappinger (American Express) for reporting CVE-2018-10905.
Additional Changes:
This update fixes various bugs and adds enhancements. Documentation for these changes is available from the Release Notes document.

Summary

Solution

Before applying this update, make sure all previously released errata relevant to your system have been applied.
For details on how to apply this update, refer to:
https://access.redhat.com/articles/11258

References

https://access.redhat.com/security/cve/CVE-2018-3760 https://access.redhat.com/security/cve/CVE-2018-10905 https://access.redhat.com/security/updates/classification/#important

Package List

CloudForms Management Engine 5.9:
Source: cfme-5.9.4.7-1.el7cf.src.rpm cfme-amazon-smartstate-5.9.4.7-1.el7cf.src.rpm cfme-appliance-5.9.4.7-1.el7cf.src.rpm cfme-gemset-5.9.4.7-1.el7cf.src.rpm rh-postgresql95-postgresql-pglogical-2.1.0-4.el7cf.src.rpm rh-ruby23-rubygem-redhat_access_cfme-2.0.3-1.el7cf.src.rpm
noarch: rh-ruby23-rubygem-redhat_access_cfme-2.0.3-1.el7cf.noarch.rpm rh-ruby23-rubygem-redhat_access_cfme-doc-2.0.3-1.el7cf.noarch.rpm
x86_64: cfme-5.9.4.7-1.el7cf.x86_64.rpm cfme-amazon-smartstate-5.9.4.7-1.el7cf.x86_64.rpm cfme-appliance-5.9.4.7-1.el7cf.x86_64.rpm cfme-appliance-common-5.9.4.7-1.el7cf.x86_64.rpm cfme-appliance-debuginfo-5.9.4.7-1.el7cf.x86_64.rpm cfme-appliance-tools-5.9.4.7-1.el7cf.x86_64.rpm cfme-debuginfo-5.9.4.7-1.el7cf.x86_64.rpm cfme-gemset-5.9.4.7-1.el7cf.x86_64.rpm cfme-gemset-debuginfo-5.9.4.7-1.el7cf.x86_64.rpm rh-postgresql95-postgresql-pglogical-2.1.0-4.el7cf.x86_64.rpm rh-postgresql95-postgresql-pglogical-debuginfo-2.1.0-4.el7cf.x86_64.rpm
These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/

Severity

Advisory ID: RHSA-2018:2561-01

Product: Red Hat CloudForms

Advisory URL: https://access.redhat.com/errata/RHSA-2018:2561

Issued Date: : 2018-09-04

Cross references: RHSA-2018:34177

CVE Names: CVE-2018-3760 CVE-2018-10905

Topic

An update is now available for CloudForms Management Engine 5.9.Red Hat Product Security has rated this update as having a security impactof Important. A Common Vulnerability Scoring System (CVSS) base score,which gives a detailed severity rating, is available for each vulnerabilityfrom the CVE link(s) in the References section.

Topic

Relevant Releases Architectures

CloudForms Management Engine 5.9 - noarch, x86_64

Bugs Fixed

1565259 - Requests originating from the API contain no 'userid' attribute in $evm.root

1588527 - Service dialog text, dialog element and button layout/spacing is incorrect in CloudForms 4.6

1591494 - [RFE] Add configuratble vhost to AMQP monitor

1591495 - Tag Expression form:The newly added category does't appear in expression form

1591496 - Expression methods can not access Flavor tags

1591497 - VMware Add Provider can validate VMRC Console credentials successfully for non-existing User

1593058 - CVE-2018-3760 rubygem-sprockets: Path traversal in forbidden_request?() can allow remote attackers to read arbitrary files

1595416 - User that calls refresh automation domain from git branch is not correct user in UI

1595445 - Copying a method does not copy embedded methods that have been added

1595447 - Satellite credential validation times out with no error message

1595448 - Can't access new flavor page when accessed from cloud provider

1595450 - Quadicons in tagging screens should not be clickable

1595451 - task id not included on automation.log when logging from methods

1595454 - Disabling "Dashboard" under service UI for a role does not actually disable the dashboard

1595456 - Wrong Platform Attribute for OpenStack Provisioned Instance Showing Windows instead of Linux

1595461 - During metrics collection for a VMWare provider, SOAP exception occurs during queryAvailablePerfMetric for non-existent VM

1595776 - Dialogs should only run once

1598528 - [RFE] Automate - Expose max_retries override at instance level

1598532 - Generic objects class accordion is not display when locale is french

1598873 - Adding an Ansible Playbook button does not work correctly with Firefox (for Mac)

1599350 - Unable to access tower job .normalized_live_status because "wrong constant name ::Dev::Xvda"

1599353 - CloudForms : Wrong heading message while accessing Cloud Networks

1600191 - 502 Proxy Error

1600670 - Service Bundle retirement: retire_ now not implemented in subclass

1600738 - refresh methods stop being called after working for several days in the self service version of dialogs

1601587 - self service dynamic dialog droplist glitch

1601589 - Service Provision is Failing Because Last Auth Check Failed for Azure Provider

1602190 - CVE-2018-10905 cfme: Improper access control in dRuby allows local users to execute arbitrary commands as root

1603022 - 404 error accessing OpenStack console

1603029 - required field blocks validation of a dialog after automation method called

1603031 - A custom button doesn't work on a service which has no parent catalog item associated with it.

1603058 - AD authentication failing cross region.

1603210 - Timepicker doesn't pass correct timing on service order

1607441 - Internal Server Error during filtering by flavor name in API

1608844 - after removing a zone, messages related to the zone linger in the database

1610055 - [RFE] CFME 5.9.4 - support ssh transport method

1610425 - Source and target network become zero after moving host to maintenance and activating it

1610685 - Service Dialog CheckBox has null value when not ticked by default

1611002 - SCVMM smartstate fails with undefined method `close' for nil:NilClass

1611660 - 'Refresh' button moves over the line when window is resized

1612062 - unable to view validation or cancelation buttons in dynamic dialogs tied to a Service button

1612856 - Browser title in reads "translation missing ..." in Portuguese

1612889 - [RFE] chargeback rates assigned to tags via multiple tag category assignations do not seem to get saved

1613295 - Report based on Chargeback for project fails with ERROR -- : [TypeError]: no implicit conversion from nil to integer Method:[block in method_missing]

1613387 - Tenant admins is not able to see newly created users1613757 - OSP provider refresh fail

1615633 - Edit tag: Cannot select second tag to items

1618219 - Remove resources field behaves erratic

Get the Latest News & Insights