RedHat: RHSA-2018-2745:01 Important: CloudForms 4.5.5 security,
Summary
Red Hat CloudForms Management Engine delivers the insight, control, and
automation needed to address the challenges of managing virtual
environments. CloudForms Management Engine is built on Ruby on Rails, a
model-view-controller (MVC) framework for web application development.
Security Fix(es):
* rubygem-sprockets: Path traversal in forbidden_request?() can allow
remote attackers to read arbitrary files (CVE-2018-3760)
* cfme: Improper access control in dRuby allows local users to execute
arbitrary commands as root (CVE-2018-10905)
For more details about the security issue(s), including the impact, a CVSS
score, and other related information, refer to the CVE page(s) listed in
the References section.
Red Hat would like to thank Stephen Gappinger (American Express) for
reporting CVE-2018-10905.
Additional Changes:
This update fixes various bugs and adds enhancements. Documentation for
these changes is available from the Release Notes document.
Summary
Solution
For details on how to apply this update, which includes the changes
described in this advisory, refer to:
https://access.redhat.com/articles/11258
References
https://access.redhat.com/security/cve/CVE-2018-3760 https://access.redhat.com/security/cve/CVE-2018-10905 https://access.redhat.com/security/updates/classification/#important https://access.redhat.com/documentation/en-us/red_hat_cloudforms/4.5/html/release_notes
Package List
CloudForms Management Engine 5.8:
Source:
cfme-5.8.5.1-1.el7cf.src.rpm
cfme-appliance-5.8.5.1-1.el7cf.src.rpm
cfme-gemset-5.8.5.1-1.el7cf.src.rpm
rh-postgresql95-postgresql-pglogical-1.2.1-2.el7cf.src.rpm
x86_64:
ansible-tower-server-3.1.8-1.el7at.x86_64.rpm
ansible-tower-setup-3.1.8-1.el7at.x86_64.rpm
cfme-5.8.5.1-1.el7cf.x86_64.rpm
cfme-appliance-5.8.5.1-1.el7cf.x86_64.rpm
cfme-appliance-debuginfo-5.8.5.1-1.el7cf.x86_64.rpm
cfme-debuginfo-5.8.5.1-1.el7cf.x86_64.rpm
cfme-gemset-5.8.5.1-1.el7cf.x86_64.rpm
rh-postgresql95-postgresql-pglogical-1.2.1-2.el7cf.x86_64.rpm
rh-postgresql95-postgresql-pglogical-debuginfo-1.2.1-2.el7cf.x86_64.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/
Topic
An update is now available for CloudForms Management Engine 5.8.Red Hat Product Security has rated this update as having a security impactof Important. A Common Vulnerability Scoring System (CVSS) base score,which gives a detailed severity rating, is available for each vulnerabilityfrom the CVE link(s) in the References section.
Topic
Relevant Releases Architectures
CloudForms Management Engine 5.8 - x86_64
Bugs Fixed
1586214 - Notification events are out of order
1590761 - active ansible services are not displaying details on selection
1591443 - [Embedded Ansible] Service Details Page has duplicate tabs
1593058 - CVE-2018-3760 rubygem-sprockets: Path traversal in forbidden_request?() can allow remote attackers to read arbitrary files
1593353 - Can't edit selected router at the Networks -> Network Routers page
1593678 - Chargeback scheduled report for the current month shows double rates and values as compared to previous one
1593798 - Lifecycle VM Provision and Publish VM to Template Unusable/Slow
1593914 - Storage profiles causing refresh to exceed 30+ minutes
1594008 - Provisioning to RHV 4.1 Max Memory Size Needs to be Adjusted as Necesary
1594028 - reports do not generate with timeout errors in logs
1594326 - Must Refresh UI to see Correct Tags of Datastore of vCenter VMware Provider
1594387 - Unable to download largest chargeback report on production
1595457 - Wrong Platform Attribute for OpenStack Provisioned Instance Showing Windows instead of Linux
1595462 - During metrics collection for a VMWare provider, SOAP exception occurs during queryAvailablePerfMetric for non-existent VM
1595771 - OSPD 13 Undercloud - Infrastructure Provider Credential validation Failed
1596336 - [Regression] GCE provider refresh fails in CFME 5.9
1602190 - CVE-2018-10905 cfme: Improper access control in dRuby allows local users to execute arbitrary commands as root
1607442 - Internal Server Error during filtering by flavor name in API
1608849 - after removing a zone, messages related to the zone linger in the database
1613388 - Tenant admins is not able to see newly created users1613758 - OSP provider refresh fail
1622632 - reports using "group by" on date show a total column per vm instead of showing a total at the end of the report
1623574 - unable to add disk to vm via rest-api vm reconfiguration on vmware [request backport from existing commit]
1625250 - Read Action Forbidden When User Tries to Attach Cloud Volume OpenStack
1626475 - Handle service retirement date in service dialog
1626502 - Database replication stops working