RedHat: RHSA-2018-2561:01 Important: CloudForms 4.6.4 security, bug fix,
Summary
Red Hat CloudForms Management Engine delivers the insight, control, and
automation needed to address the challenges of managing virtual
environments. CloudForms Management Engine is built on Ruby on Rails, a
model-view-controller (MVC) framework for web application development.
Action Pack implements the controller and the view components.
Security Fix(es):
* cfme: Improper access control in dRuby allows local users to execute
arbitrary commands as root (CVE-2018-10905)
* rubygem-sprockets: Path traversal in forbidden_request?() can allow
remote attackers to read arbitrary files (CVE-2018-3760)
For more details about the security issue(s), including the impact, a CVSS
score, and other related information, refer to the CVE page(s) listed in
the References section.
Red Hat would like to thank Stephen Gappinger (American Express) for
reporting CVE-2018-10905.
Additional Changes:
This update fixes various bugs and adds enhancements. Documentation for
these changes is available from the Release Notes document.
Summary
Solution
Before applying this update, make sure all previously released errata
relevant to your system have been applied.
For details on how to apply this update, refer to:
https://access.redhat.com/articles/11258
References
https://access.redhat.com/security/cve/CVE-2018-3760 https://access.redhat.com/security/cve/CVE-2018-10905 https://access.redhat.com/security/updates/classification/#important
Package List
CloudForms Management Engine 5.9:
Source:
cfme-5.9.4.7-1.el7cf.src.rpm
cfme-amazon-smartstate-5.9.4.7-1.el7cf.src.rpm
cfme-appliance-5.9.4.7-1.el7cf.src.rpm
cfme-gemset-5.9.4.7-1.el7cf.src.rpm
rh-postgresql95-postgresql-pglogical-2.1.0-4.el7cf.src.rpm
rh-ruby23-rubygem-redhat_access_cfme-2.0.3-1.el7cf.src.rpm
noarch:
rh-ruby23-rubygem-redhat_access_cfme-2.0.3-1.el7cf.noarch.rpm
rh-ruby23-rubygem-redhat_access_cfme-doc-2.0.3-1.el7cf.noarch.rpm
x86_64:
cfme-5.9.4.7-1.el7cf.x86_64.rpm
cfme-amazon-smartstate-5.9.4.7-1.el7cf.x86_64.rpm
cfme-appliance-5.9.4.7-1.el7cf.x86_64.rpm
cfme-appliance-common-5.9.4.7-1.el7cf.x86_64.rpm
cfme-appliance-debuginfo-5.9.4.7-1.el7cf.x86_64.rpm
cfme-appliance-tools-5.9.4.7-1.el7cf.x86_64.rpm
cfme-debuginfo-5.9.4.7-1.el7cf.x86_64.rpm
cfme-gemset-5.9.4.7-1.el7cf.x86_64.rpm
cfme-gemset-debuginfo-5.9.4.7-1.el7cf.x86_64.rpm
rh-postgresql95-postgresql-pglogical-2.1.0-4.el7cf.x86_64.rpm
rh-postgresql95-postgresql-pglogical-debuginfo-2.1.0-4.el7cf.x86_64.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/
Topic
An update is now available for CloudForms Management Engine 5.9.Red Hat Product Security has rated this update as having a security impactof Important. A Common Vulnerability Scoring System (CVSS) base score,which gives a detailed severity rating, is available for each vulnerabilityfrom the CVE link(s) in the References section.
Topic
Relevant Releases Architectures
CloudForms Management Engine 5.9 - noarch, x86_64
Bugs Fixed
1565259 - Requests originating from the API contain no 'userid' attribute in $evm.root
1588527 - Service dialog text, dialog element and button layout/spacing is incorrect in CloudForms 4.6
1591494 - [RFE] Add configuratble vhost to AMQP monitor
1591495 - Tag Expression form:The newly added category does't appear in expression form
1591496 - Expression methods can not access Flavor tags
1591497 - VMware Add Provider can validate VMRC Console credentials successfully for non-existing User
1593058 - CVE-2018-3760 rubygem-sprockets: Path traversal in forbidden_request?() can allow remote attackers to read arbitrary files
1595416 - User that calls refresh automation domain from git branch is not correct user in UI
1595445 - Copying a method does not copy embedded methods that have been added
1595447 - Satellite credential validation times out with no error message
1595448 - Can't access new flavor page when accessed from cloud provider
1595450 - Quadicons in tagging screens should not be clickable
1595451 - task id not included on automation.log when logging from methods
1595454 - Disabling "Dashboard" under service UI for a role does not actually disable the dashboard
1595456 - Wrong Platform Attribute for OpenStack Provisioned Instance Showing Windows instead of Linux
1595461 - During metrics collection for a VMWare provider, SOAP exception occurs during queryAvailablePerfMetric for non-existent VM
1595776 - Dialogs should only run once
1598528 - [RFE] Automate - Expose max_retries override at instance level
1598532 - Generic objects class accordion is not display when locale is french
1598873 - Adding an Ansible Playbook button does not work correctly with Firefox (for Mac)
1599350 - Unable to access tower job .normalized_live_status because "wrong constant name ::Dev::Xvda"
1599353 - CloudForms : Wrong heading message while accessing Cloud Networks
1600191 - 502 Proxy Error
1600670 - Service Bundle retirement: retire_ now not implemented in subclass
1600738 - refresh methods stop being called after working for several days in the self service version of dialogs
1601587 - self service dynamic dialog droplist glitch
1601589 - Service Provision is Failing Because Last Auth Check Failed for Azure Provider
1602190 - CVE-2018-10905 cfme: Improper access control in dRuby allows local users to execute arbitrary commands as root
1603022 - 404 error accessing OpenStack console
1603029 - required field blocks validation of a dialog after automation method called
1603031 - A custom button doesn't work on a service which has no parent catalog item associated with it.
1603058 - AD authentication failing cross region.
1603210 - Timepicker doesn't pass correct timing on service order
1607441 - Internal Server Error during filtering by flavor name in API
1608844 - after removing a zone, messages related to the zone linger in the database
1610055 - [RFE] CFME 5.9.4 - support ssh transport method
1610425 - Source and target network become zero after moving host to maintenance and activating it
1610685 - Service Dialog CheckBox has null value when not ticked by default
1611002 - SCVMM smartstate fails with undefined method `close' for nil:NilClass
1611660 - 'Refresh' button moves over the line when window is resized
1612062 - unable to view validation or cancelation buttons in dynamic dialogs tied to a Service button
1612856 - Browser title in reads "translation missing ..." in Portuguese
1612889 - [RFE] chargeback rates assigned to tags via multiple tag category assignations do not seem to get saved
1613295 - Report based on Chargeback for project fails with ERROR -- : [TypeError]: no implicit conversion from nil to integer Method:[block in method_missing]
1613387 - Tenant admins is not able to see newly created users1613757 - OSP provider refresh fail
1615633 - Edit tag: Cannot select second tag to items
1618219 - Remove resources field behaves erratic