RedHat: RHSA-2018-3466:01 Moderate: CloudForms 4.6.5 security,
Summary
Red Hat CloudForms Management Engine delivers the insight, control, and
automation needed to address the challenges of managing virtual
environments. CloudForms Management Engine is built on Ruby on Rails, a
model-view-controller (MVC) framework for web application development.
Action Pack implements the controller and the view components.
Security Fix(es):
* rubyzip: arbitrary file write vulnerability / arbitrary code execution
using a specially crafted zip file (CVE-2018-1000544)
For more details about the security issue(s), including the impact, a CVSS
score, and other related information, refer to the CVE page(s) listed in
the References section.
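A defensive check for the bug class behind CVE-2018-1000544, added here as an example and not code from Red Hat, CloudForms or rubyzip: an archive entry name can carry `../` components or an absolute path, and an extractor that joins it to the destination directory without validation writes outside that directory. The helper names and the sample entry listing are constructed for illustration.

```ruby
# Added example (not Red Hat's, CloudForms' or rubyzip's code): validate zip
# entry names before extraction so that a crafted archive cannot write
# outside the chosen destination directory (the CVE-2018-1000544 bug class).

# Returns the absolute path an entry would be written to, or nil when the
# entry would escape dest_dir (parent traversal, absolute path, Windows
# drive letter, or an embedded NUL byte that could truncate the name).
def safe_extract_path(dest_dir, entry_name)
  return nil if entry_name.include?("\0")
  return nil if entry_name.start_with?('/', '\\') || entry_name =~ /\A[A-Za-z]:/

  dest = File.expand_path(dest_dir)
  target = File.expand_path(entry_name, dest) # normalises "." and ".." lexically
  # Accept only paths equal to dest (e.g. "./") or strictly inside it.
  return nil unless target == dest || target.start_with?(dest + File::SEPARATOR)

  target
end

# Classify every entry name of an archive listing. A caller should abort the
# whole extraction when :rejected is non-empty rather than skip the bad entry,
# since a crafted archive is a signal, not a recoverable error.
def audit_entries(dest_dir, entry_names)
  entry_names.each_with_object({ ok: [], rejected: [] }) do |name, acc|
    path = safe_extract_path(dest_dir, name)
    (path ? acc[:ok] : acc[:rejected]) << name
  end
end

# Constructed sample listing (not taken from a real archive).
SAMPLE_ENTRIES = [
  'report/index.html',
  'report/assets/../style.css',   # stays inside: normalises to report/style.css
  '../../outside/file.txt',       # parent traversal out of dest_dir
  '/etc/hosts',                   # absolute path
  "ok.txt\0../other"              # NUL byte that could truncate the name
].freeze

if __FILE__ == $PROGRAM_NAME
  result = audit_entries('/tmp/extract', SAMPLE_ENTRIES)
  puts "ok:       #{result[:ok].inspect}"
  puts "rejected: #{result[:rejected].inspect}"
end
```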
Additional Changes:
This update fixes various bugs and adds enhancements. Documentation for
these changes is available from the Release Notes document.
Solution
For details on how to apply this update, which includes the changes
described in this advisory, refer to:
https://access.redhat.com/articles/11258
References
https://access.redhat.com/security/cve/CVE-2018-1000544
https://access.redhat.com/security/updates/classification/#moderate
https://access.redhat.com/documentation/en-us/red_hat_cloudforms/4.6/html/release_notes
Package List
CloudForms Management Engine 5.9:
Source:
ansible-tower-3.2.7-1.el7at.src.rpm
cfme-5.9.5.3-1.el7cf.src.rpm
cfme-amazon-smartstate-5.9.5.3-1.el7cf.src.rpm
cfme-appliance-5.9.5.3-1.el7cf.src.rpm
cfme-gemset-5.9.5.3-1.el7cf.src.rpm
x86_64:
ansible-tower-3.2.7-1.el7at.x86_64.rpm
ansible-tower-server-3.2.7-1.el7at.x86_64.rpm
ansible-tower-setup-3.2.7-1.el7at.x86_64.rpm
ansible-tower-ui-3.2.7-1.el7at.x86_64.rpm
ansible-tower-venv-ansible-3.2.7-1.el7at.x86_64.rpm
ansible-tower-venv-tower-3.2.7-1.el7at.x86_64.rpm
cfme-5.9.5.3-1.el7cf.x86_64.rpm
cfme-amazon-smartstate-5.9.5.3-1.el7cf.x86_64.rpm
cfme-appliance-5.9.5.3-1.el7cf.x86_64.rpm
cfme-appliance-common-5.9.5.3-1.el7cf.x86_64.rpm
cfme-appliance-debuginfo-5.9.5.3-1.el7cf.x86_64.rpm
cfme-appliance-tools-5.9.5.3-1.el7cf.x86_64.rpm
cfme-debuginfo-5.9.5.3-1.el7cf.x86_64.rpm
cfme-gemset-5.9.5.3-1.el7cf.x86_64.rpm
cfme-gemset-debuginfo-5.9.5.3-1.el7cf.x86_64.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/
Topic
An update is now available for CloudForms Management Engine 5.9. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Relevant Releases/Architectures
CloudForms Management Engine 5.9 - x86_64
Bugs Fixed
1592571 - Service Dialog Editor localization in French Incomplete
1593001 - CVE-2018-1000544 rubyzip: arbitrary file write vulnerability / arbitrary code execution using a specially crafted zip file
1599349 - API with an invalid zone name kills the appliance
1603026 - Vim Performance States Table Causing Region to Lock up During a Vacuum
1607409 - The remote_ws_url value does not failover if the appliance is stopped, so "api_url" can be incorrect in an Ansible playbook
1607438 - Alerts do not trigger and do not send email notification
1608368 - Ansible Jobs Causing State Machine to Fail due to Inactivity Threshold Exceeding 0
1608770 - custom button page empty
1612905 - internal server error when cloud_tenants or flavors subcollection is requested on infra provider
1613333 - Couldn't find EmsFolder with 'id'
1613420 - OpenStack deletion gives problem
1615465 - Using database wildcard `%25` in VM queries causes exception, returns 500 to client
1618800 - Open URL Does Not Work When Using a Dialog with a Button
1618805 - CloudForms tries to collect metrics from OCP despite not being configured for it
1618807 - [RFE] Restore VM ownership and retirement during migration
1618808 - Migrations linking jobs and miq_tasks could take long time when upgrading to 5.9
1619431 - [v2v] Network Missing in Infra Mapping
1619654 - [v2v] Schedule Unschedule Migration does not seem to work correctly
1621441 - Change VMware URI to connect directly to ESXi
1621445 - Default Dashboard can't be updated
1621449 - Fix displaying disk type of a VM created from template and passing clone parameter to RHV
1622631 - reports using "group by" on date show a total column per vm instead of showing a total at the end of the report
1622652 - Service Retirement runs twice for direct service children
1623557 - virt-v2v Fails with IMS when Using AD Credentials for VMware Provider
1623559 - [RFE] Add state_machine_phase attribute to transformation state machines
1623560 - Dynamic Text Area and Text Box Elements Load Even Though Load on Init is not Marked
1623561 - displaying -Child Orchestration Stacks- throwing UI error
1623563 - unable to generate chargeback based on metering for vms with traceback in logs
1623565 - Add log messages to Chargeback
1623573 - unable to add disk to vm via rest-api vm reconfiguration on vmware [request backport from existing commit]
1623582 - Change in chargeback report logging output
1625249 - Read Action Forbidden When User Tries to Attach Cloud Volume OpenStack
1625323 - UI breaks when viewing instance details.
1625376 - Wrong timezone when selecting retirement time
1626143 - Storage Domain ignored on provisioning
1626219 - nuage refresh fails - undefined method `[]' ... security_groups
1626474 - Handle service retirement date in service dialog
1628348 - Update to Azure Government endpoint
1628657 - Unable to retry Embedded Ansible method in a state machine
1629089 - [RFE] Add more RAM options size to life cycle dialog
1629090 - [SSUI] Able to create snapshot with memory on powered down VM
1629094 - Make the checkbox column in the column view not click-able
1629121 - When a button is for 'single and list' or 'list' and has a visibility expression, the button does not display in the list view even when all VMs in the list meet the expression
1629124 - giving volume name shouldn't be mandatory in case of Openstack instance provisioning
1629125 - OSP domain user sees objects from other domain tenants
1629126 - [RFE] Add support to oVirt provider to set VM memory and CPU
1629127 - UI Monitor Alerts page is slow to load and when clicking on link it shows blank page with no alerts
1629129 - Cannot add Ansible Tower or refresh already added Ansible Tower
1629897 - Memory threshold set from Workers tab doesn't work
1630938 - Refactor restoring VM attributes during migration
1631557 - Unable to provision VM with "choose automatic option"
1631817 - Not able to access Openstack instance console from selfservice portal
1632769 - Triggered Refresh Still Occurs for Dialog After Changing Type to Static
1634032 - To be able to add and create reports, the edit report role is needed.
1634808 - Password hashes in Automate Log
1635038 - VMware vCloud Provider's vApp Provisioning Dialog Cannot be Submitted
1635764 - Power management via API falling into the wrong zone leading to permanently queued requests
1637035 - Add transformation utils methods
1637185 - [RHV] ISO provisioning fails with undefined SDK method
1637720 - Unable to see chargeback rate under rates accordion
1638684 - VMware vCloud Provider's vApp Service Cannot be Fully Retired
1639300 - Unable to perform chargeback assignments for compute
1639413 - When ordering a service via the API the service dialog is not executed
1639877 - Can't change Server's Zone
1641670 - [regression][Custom Button] Unexpected error encountered in infrastructure and datastore object type when method and dialog both attached
1641810 - undefined method `find_tagged_with' for #