Red Hat Product Errata RHSA-2014:0215 - Security Advisory
Issued: 2014-03-11
Updated: 2014-03-11

Synopsis

Critical: cfme security, bug fix, and enhancement update

Type/Severity

Security Advisory: Critical


Topic

Updated cfme packages that fix multiple security issues, several bugs, and
add various enhancements are now available for Red Hat CloudForms 3.0.

The Red Hat Security Response Team has rated this update as having Critical
security impact. Common Vulnerability Scoring System (CVSS) base scores,
which give detailed severity ratings, are available for each vulnerability
from the CVE links in the References section.

Description

Red Hat CloudForms Management Engine delivers the insight, control, and
automation enterprises need to address the challenges of managing virtual
environments, which are far more complex than physical ones. This
technology enables enterprises with existing virtual infrastructures
to improve visibility and control, and those just starting virtualization
deployments to build and operate a well-managed virtual infrastructure.

A heap-based buffer overflow flaw was found in the way Ruby parsed floating
point numbers from their text representation. If an application using Ruby
accepted untrusted input strings and converted them to floating point
numbers, an attacker able to provide such input could cause the application
to crash or, possibly, execute arbitrary code with the privileges of the
application. (CVE-2013-4164)
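The fix for CVE-2013-4164 is the patched ruby193 packages in this erratum. The following is an added example, not code from the advisory or from Ruby itself, showing a defence-in-depth guard that application code converting untrusted text to a Float can apply so that only short, well-formed numeric strings ever reach the native parser. The length cap, the accepted grammar and the function name are this example's own assumptions, not values taken from the advisory.

```ruby
# Added example (not Ruby's parser and not CloudForms code): bound and shape-check
# untrusted text before handing it to Float(). This does not replace the patched
# ruby193 packages; it limits what reaches the C-level conversion at all.

MAX_NUMERIC_LEN = 64   # assumed cap; no legitimate form field needs more digits
# Strict decimal grammar: optional sign, digits, optional fraction, optional
# exponent of at most three digits. Hex floats, underscores, leading "." and
# trailing "." are deliberately rejected.
NUMERIC = /\A[+-]?\d+(?:\.\d+)?(?:[eE][+-]?\d{1,3})?\z/

# Returns a Float for well-formed, bounded input and nil for anything else.
def untrusted_to_float(text)
  s = text.to_s.strip
  return nil if s.empty? || s.bytesize > MAX_NUMERIC_LEN
  return nil unless NUMERIC.match?(s)
  Float(s)
rescue ArgumentError
  nil   # Float() itself refused the string; treat as invalid rather than crash
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample inputs: two valid values, an over-long string, a
  # malformed string and a hex float that Float() would otherwise accept.
  ["1.5", " -2e3 ", "1" * 65, "1.2.3", "0x1p3"].each do |raw|
    puts "#{raw.inspect[0, 20]} => #{untrusted_to_float(raw).inspect}"
  end
end
```

Note that Ruby's `Float()` accepts hexadecimal floats such as `"0x1p3"`; the explicit grammar rejects them, which is the point: the guard decides what is a number, not the parser.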

It was found that Red Hat CloudForms Management Engine did not properly
sanitize user-supplied values in the ServiceController. Because a
request-supplied value was used as the name of a dynamically invoked method
(a "dangerous send"), a remote attacker could invoke arbitrary methods on
the application controller, including private ones, which could possibly
allow the attacker to execute arbitrary code on the host system.
(CVE-2014-0057)
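The following is an added example, not CloudForms code, showing the general pattern behind a "dangerous send" in a Rails-style controller and the allowlisted dispatch that removes it. The controller body, the action and helper names, and the request hashes are hypothetical; only the pattern (a request value fed to `send`, which ignores method visibility) is what the advisory describes.

```ruby
# Added example (not CloudForms code): dynamic dispatch driven by a request
# parameter, next to an allowlisted fix. All names below are hypothetical.

class ServiceController
  # The only request-reachable actions. Exact string match, no prefixes.
  ALLOWED_ACTIONS = %w[show reconfigure].freeze

  attr_reader :log

  def initialize
    @log = []
  end

  # Public actions the UI is meant to call.
  def show(id)
    @log << "show #{id}"
  end

  def reconfigure(id)
    @log << "reconfigure #{id}"
  end

  # Vulnerable: the method name comes straight from the request. Kernel#send
  # ignores visibility, so naming a private method in the request reaches it.
  def dispatch_unsafe(params)
    send(params["action"], params["id"])
  end

  # Hardened: allowlist first, then public_send, which still refuses private
  # methods even if the allowlist were ever widened by mistake.
  def dispatch_safe(params)
    action = params["action"].to_s
    unless ALLOWED_ACTIONS.include?(action)
      raise ArgumentError, "unknown action #{action.inspect}"
    end
    public_send(action, params["id"])
  end

  private

  # Privileged internal helper that must never be request-reachable.
  def run_shell_on_appliance(cmd)
    @log << "PRIVATE helper executed with #{cmd.inspect}"
  end
end

if __FILE__ == $PROGRAM_NAME
  # Constructed request: an attacker names the private helper directly.
  evil = { "action" => "run_shell_on_appliance", "id" => "id; rm -rf /" }
  c = ServiceController.new
  c.dispatch_unsafe(evil)
  puts "unsafe: #{c.log.last}"
  begin
    ServiceController.new.dispatch_safe(evil)
  rescue ArgumentError => e
    puts "safe:   rejected (#{e.message})"
  end
end
```

The allowlist is the real control; `public_send` is a second layer so that a forgotten `private` or an over-broad list does not silently become a remote code path again.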

It was found that several number conversion helpers in Action View did not
properly escape all their parameters. An attacker could use these flaws to
perform a cross-site scripting (XSS) attack on an application that uses
data submitted by a user as parameters to the affected helpers.
(CVE-2014-0081)
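The following is an added example, not the Action View implementation, showing why a helper that returns markup must escape every string option it interpolates, not only the number. It is a cut-down `number_to_currency` lookalike; the option names mirror the Rails helper, but the formatting code and the sample inputs are this example's own.

```ruby
require "erb"

# Added example (not Action View code): a minimal currency formatter whose
# :unit option is user-controllable, in vulnerable and escaped forms.

# Group thousands and fix the number of decimal places.
def format_amount(number, precision: 2)
  whole, frac = format("%.#{precision}f", number).split(".")
  whole = whole.gsub(/(\d)(?=(\d{3})+$)/, '\1,')
  frac ? "#{whole}.#{frac}" : whole
end

# Vulnerable: :unit is interpolated verbatim. If the page marks the result as
# safe HTML, a unit such as "<script>...</script>" is rendered as markup.
def number_to_currency_unsafe(number, unit: "$", precision: 2)
  "#{unit}#{format_amount(number, precision: precision)}"
end

# Hardened: HTML-escape every string option before it is joined into output.
def number_to_currency_safe(number, unit: "$", precision: 2)
  "#{ERB::Util.html_escape(unit)}#{format_amount(number, precision: precision)}"
end

if __FILE__ == $PROGRAM_NAME
  # Constructed input: the "unit" came from a form field under attacker control.
  unit = "<script>alert(1)</script>"
  puts "unsafe: #{number_to_currency_unsafe(1234.5, unit: unit)}"
  puts "safe:   #{number_to_currency_safe(1234.5, unit: unit)}"
end
```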

A memory consumption issue was discovered in the text rendering component
of Action View. A remote attacker could use this flaw to perform a denial
of service attack by sending specially crafted requests that caused new
Ruby symbols to be created; in the Ruby version shipped with these
packages, symbols are never garbage collected, so each request
permanently consumed memory. (CVE-2014-0082)
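The following is an added example, not Action View code, showing the underlying hazard in plain Ruby: a request value converted with `to_sym` interns a new symbol for every distinct value an attacker sends, whereas looking the value up in a fixed table never interns anything. The parameter name, the table of known formats and the counting helper are this example's own assumptions. On Ruby 1.9.3, as shipped here, dynamic symbols are never collected; Ruby 2.2 and later can collect them, so on current interpreters the unsafe count is a transient figure rather than permanent growth.

```ruby
# Added example (not Action View code): symbol-table growth from an untrusted
# format parameter, and the allowlist lookup that prevents it.

KNOWN_FORMATS = { "html" => :html, "json" => :json, "xml" => :xml }.freeze

# Vulnerable: every distinct request value becomes a new Symbol.
def format_from_param_unsafe(value)
  value.to_sym
end

# Hardened: map the string to a pre-existing symbol; unknown values raise and
# intern nothing, so the attacker cannot grow the symbol table.
def format_from_param_safe(value)
  KNOWN_FORMATS.fetch(value.to_s) do
    raise ArgumentError, "unsupported format #{value.inspect}"
  end
end

# Counts how many symbols a batch of untrusted values adds under the given
# conversion. Results are held until after counting so a GC on newer Rubies
# cannot collect them mid-measurement.
def new_symbols_for(values)
  before = Symbol.all_symbols.size
  kept = values.map do |v|
    begin
      yield v
    rescue ArgumentError
      nil   # rejected input: nothing was interned
    end
  end
  after = Symbol.all_symbols.size
  kept.clear
  after - before
end

if __FILE__ == $PROGRAM_NAME
  # Constructed attacker traffic: 1000 requests, each with a never-seen format.
  flood = (1..1000).map { |i| "fmt_#{i}_#{rand(1 << 40)}" }
  puts "unsafe conversion added #{new_symbols_for(flood) { |v| format_from_param_unsafe(v) }} symbols"
  puts "safe conversion added   #{new_symbols_for(flood) { |v| format_from_param_safe(v) }} symbols"
end
```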

Red Hat would like to thank the Ruby on Rails Project for reporting
CVE-2014-0081 and CVE-2014-0082. Upstream acknowledges Kevin Reintjes as
the original reporter of CVE-2014-0081, and Toby Hsieh of SlideShare as the
original reporter of CVE-2014-0082. The CVE-2014-0057 issue was discovered
by Jan Rusnacko of the Red Hat Product Security Team.

This update fixes several bugs and adds multiple enhancements.
Documentation for these changes will be available shortly from the Red Hat
CloudForms 3.0 Management Engine 5.2 Technical Notes linked to in the
References section.

All users of Red Hat CloudForms are advised to upgrade to these updated
packages, which contain backported patches to correct these issues and add
these enhancements.

Solution

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to use the
Red Hat Network to apply this update are available at
https://access.redhat.com/site/articles/11258

Affected Products

  • Red Hat CloudForms 3.0 x86_64

Fixes

  • BZ - 1033460 - CVE-2013-4164 ruby: heap overflow in floating point parsing
  • BZ - 1064140 - CVE-2014-0057 CFME: Dangerous send in ServiceController
  • BZ - 1065520 - CVE-2014-0081 rubygem-actionpack: number_to_currency, number_to_percentage and number_to_human XSS vulnerability
  • BZ - 1065538 - CVE-2014-0082 rubygem-actionpack: Action View string handling denial of service

CVEs

  • CVE-2013-4164
  • CVE-2014-0081
  • CVE-2014-0057
  • CVE-2014-0082
  • CVE-2013-0186

References

  • https://access.redhat.com/security/updates/classification/#critical
  • https://access.redhat.com/site/documentation/en-US/CloudForms/3.0/html/Management_Engine_5.2_Technical_Notes/index.html
Updated Packages

Note: More recent versions of these packages may be available.

Red Hat CloudForms 3.0

SRPM
ruby193-ruby-1.9.3.448-40.1.el6.src.rpm SHA-256: 7b3e951d58225c7ccd26d19969e7b0a9a21462d8336ce6ac0b42e25458abbdc4
ruby193-rubygem-amq-protocol-1.9.2-3.el6cf.src.rpm SHA-256: 3a2f307cc0924c515f067645ac1a195cb0070e100e3be63470f52138d320cf82
ruby193-rubygem-bunny-1.0.7-1.el6cf.src.rpm SHA-256: 67e16fe0d3b3486b0499d501c78c92362cc18486c63d70cc5902710195dc677d
ruby193-rubygem-excon-0.31.0-1.el6cf.src.rpm SHA-256: 038d45a9a3260e97d8dde83a5cb46be2bb784e868e36bf8d72b71f6d24e31b16
ruby193-rubygem-fog-1.19.0-1.el6cf.src.rpm SHA-256: bceeeb0690e4e5a15d1e4ed2e0ad82373e88b313a2e8f0d5762392525cfa07cb
ruby193-rubygem-nokogiri-1.5.6-3.el6cf.src.rpm SHA-256: d1bb5b053f061a5d1474c23da1bf2fe290ab4caad96c0c277eead429e552ada2
x86_64
cfme-5.2.2.3-1.el6cf.x86_64.rpm SHA-256: e30a428c6880617d7de16b93faf7f1a0e56e310618c391d24ad69c2a733372f1
cfme-appliance-5.2.2.3-1.el6cf.x86_64.rpm SHA-256: e489bffa4fc68cc7879d7b148929771d0f964ef6455a74e38c345a14f66aa468
cfme-debuginfo-5.2.2.3-1.el6cf.x86_64.rpm SHA-256: eb224bdcf54c3b5e9766c01de94931663a69dc2754df79186e43f539b06dfab9
cfme-lib-5.2.2.3-1.el6cf.x86_64.rpm SHA-256: bf478844f54b49b20c45d10e831e21f224996d634961f8ec6dfcd491226b552a
mingw32-cfme-host-5.2.2.3-1.el6cf.x86_64.rpm SHA-256: e4b973eee2d8e36df3f5dfeda480175cbb682df9caedc1c4e03dd42f3b7bca6a
ruby193-ruby-1.9.3.448-40.1.el6.x86_64.rpm SHA-256: f938ea64d932262df0d684e50aa3293fd0faef4631c8099b98e29b605d95b895
ruby193-ruby-debuginfo-1.9.3.448-40.1.el6.x86_64.rpm SHA-256: 4edf30107e5af4cc13b763e27ab21495dde793646cb8d97552d68d45d7648a73
ruby193-ruby-devel-1.9.3.448-40.1.el6.x86_64.rpm SHA-256: ca93a2ccd6a271ebb4588e6d45943f574896daaf3a5fe22dc9a6776859a5356a
ruby193-ruby-irb-1.9.3.448-40.1.el6.noarch.rpm SHA-256: 6b0c7ac9cd2fd4a18e5296f93abbe0536b77aefe715bc1ee53981fa21e0e851f
ruby193-ruby-libs-1.9.3.448-40.1.el6.x86_64.rpm SHA-256: 5e211abd18121bfd02b03822c5f4d405aeb5b3d35e8d7df1b0830043171fbc73
ruby193-ruby-tcltk-1.9.3.448-40.1.el6.x86_64.rpm SHA-256: 21af1c2ee8aa8256927eb987590b9b4d50e413d0db6b4c428e3924b389b3d464
ruby193-rubygem-actionpack-3.2.13-5.el6cf.noarch.rpm SHA-256: 7fd49bd87ea990f43f4b607fa05b862aa2b6aac895892b2b8f7f1e773a5f140a
ruby193-rubygem-amq-protocol-1.9.2-3.el6cf.noarch.rpm SHA-256: 6d282191af6dd8a77c57e4eae00d3b7d0712572b1bd549ebc0380b0e7acb0ffe
ruby193-rubygem-amq-protocol-doc-1.9.2-3.el6cf.noarch.rpm SHA-256: 15fd6f189969abed7347a179d00a34ea9ba90a6f29b21e1babc562eb87c98f85
ruby193-rubygem-bigdecimal-1.1.0-40.1.el6.x86_64.rpm SHA-256: 7790f6b672765b289c6d36bf38abf6b09b3fe00bc05b6b5d05184ca371b76c0d
ruby193-rubygem-bunny-1.0.7-1.el6cf.noarch.rpm SHA-256: 595dc2cd6721abccc88554e54b72c95fe184d48fc5b4e3e7beed2cdafdcec200
ruby193-rubygem-bunny-doc-1.0.7-1.el6cf.noarch.rpm SHA-256: 75deed2b1bbbd1f94b1166ca2e26ab11340906fe3ef724b269a4f27bfe4c9c4c
ruby193-rubygem-excon-0.31.0-1.el6cf.noarch.rpm SHA-256: 75145c91f06757619ea4d8366d56e7081b78d9a1e63717bcfa4be5f052e54b83
ruby193-rubygem-fog-1.19.0-1.el6cf.noarch.rpm SHA-256: 9eee3bf3e40697f01d4567433b4c768e25d9f1b2502dd339515e32091cde5cd6
ruby193-rubygem-io-console-0.3-40.1.el6.x86_64.rpm SHA-256: 87a0276bdd7ff1e05f3a6349369a836cb19fac67d69c4afab5fd100bc0fd7270
ruby193-rubygem-linux_admin-0.7.0-1.el6cf.noarch.rpm SHA-256: f08279a864465deb70b202163025f2468ddcbda05a110faf6ff30a460ab9560c
ruby193-rubygem-more_core_extensions-1.1.2-1.el6cf.noarch.rpm SHA-256: 045531d2a7a6289c8f66fa88e92c82169457d91c7a84ac254084818570dcedaa
ruby193-rubygem-nokogiri-1.5.6-3.el6cf.x86_64.rpm SHA-256: 913617a7c7d03b2df74695d69089a12478f4eb8409fc12b37d12a7fa35230921
ruby193-rubygem-nokogiri-debuginfo-1.5.6-3.el6cf.x86_64.rpm SHA-256: 8b9111887dcb90191d0255d7254a51223a9e67c775be2eab9b5e64f5c0b25b8e
ruby193-rubygems-1.8.23-40.1.el6.noarch.rpm SHA-256: 7b25b3af1a41d7f94ff1056e245d1c18df90323a80f7f507c9894a9bf2b5b445
ruby193-rubygems-devel-1.8.23-40.1.el6.noarch.rpm SHA-256: a0bc37555ccf72b8055b14d55e714941673fa5ac1333dd0329baffb5afcc005b

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.
