Synopsis

Important: cfme security, bug fix, and enhancement update

Type/Severity

Security Advisory: Important

Topic

Updated cfme packages that fix two security issues, several bugs, and add
various enhancements are now available for Red Hat CloudForms 3.1.

Red Hat Product Security has rated this update as having Important security
impact. Common Vulnerability Scoring System (CVSS) base scores, which give
detailed severity ratings, are available for each vulnerability from the
CVE links in the References section.

Description

Red Hat CloudForms Management Engine delivers the insight, control, and
automation needed to address the challenges of managing virtual
environments. CloudForms Management Engine is built on Ruby on Rails, a
model-view-controller (MVC) framework for web application development.
Action Pack implements the controller and the view components.

It was found that CloudForms Management Engine exposed SQL filters via the
REST API without any input escaping. An authenticated user could use this
flaw to perform SQL injection attacks against the CloudForms Management
Engine database. (CVE-2014-7814)

It was found that the CloudForms Management Engine customization template
used a default root password for newly created images if no root password
was specified. (CVE-2014-3692)

These issues were discovered by the Red Hat CloudForms Team.

This update also fixes several bugs and adds various enhancements.
Documentation for these changes is available from the Technical Notes
document linked to in the References section.

All cfme users are advised to upgrade to these updated packages, which
contain correct these issues and add these enhancements.

Solution

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to use the
Red Hat Network to apply this update are available at
https://access.redhat.com/articles/11258

Affected Products

• Red Hat CloudForms 3.1 x86_64

Fixes

• BZ - 1145304 - All Passwords visible in UI when viewing page source
• BZ - 1151258 - CVE-2014-3692 CFME: default fallback password in customization_templates.yml
• BZ - 1157881 - CVE-2014-7814 CFME: REST API SQL Injection
• BZ - 1161265 - Button triggered automate actions do not work
• BZ - 1161761 - Automate Explorer: "Error during 'save': Validation failed: Datatype is not included in the list" when trying to save input parameters for a Method
• BZ - 1163384 - UI: Missing route error for forest_delete action in Configuration/Configure/Settings/Authentication
• BZ - 1163875 - RedHat domain - OSE automate model initial checkin.
• BZ - 1164034 - Performance by Asset Type report undefined method error
• BZ - 1164035 - [RFE] Need ability to properly override service request message.
• BZ - 1164036 - Excon::Errors::Conflict]: Expected([200, 202]) <=> Actual(409 Conflict) with 2 security groups of the same name in the same tenant
• BZ - 1165305 - Openstack inventory collection fails with missing instances
• BZ - 1166214 - Callback url routing issue
• BZ - 1166215 - Chargeback throws "undefined method '[]' for nil:NilClass [configuration/form_field_changed]"
• BZ - 1166286 - Setting start page as Clouds/Availability Zones shows "Page doesnt exist"
• BZ - 1166290 - Text "Custom reports" displayed twice in import/Export Custom reports
• BZ - 1168336 - UI: Missing routes error on Infra/Cloud Provider & Resource Pool list views when user has saved searches
• BZ - 1168384 - Sorting and Paging does not work in Chargeback Rates list
• BZ - 1168564 - UI: Unable to save a dashboard change after moving a widget to a different spot
• BZ - 1170320 - Ext3 directory code should account for nil entries
• BZ - 1170682 - Update miq_ae_service_snapshot.rb with new relationship of vm_or_template
• BZ - 1170794 - Unable to create dashboard widget for trending reports or filter
• BZ - 1171343 - Deleting a Cluster with many policy_events takes forever and times out.
• BZ - 1171346 - ManageIQ - Resolve file differences resulting from model import/export round trip.
• BZ - 1171821 - 5.3.2.2 doesn't start evmserverd
• BZ - 1171899 - Storage: Adding a new Storage Manager does not work. Crashes with the error - Error caught: [ArgumentError] wrong number of arguments (2 for 1)
• BZ - 1172491 - Unable to schedule backup of internal vmdb_production DB using CFME console
• BZ - 1179957 - ose_installer fails with uninitialized constant FileUtils
• BZ - 1179959 - ose_installer fails with No such file or directory - /root/.openshift/oo-install-cfg.yml

CVEs

• CVE-2014-3692
• CVE-2014-7814

References

• http://www.redhat.com/security/updates/classification/#normal

Red Hat CloudForms 3.1

SRPM
cfme-5.3.2.6-1.el6cf.src.rpm	SHA-256: 706a11d774d4508840644699141f6352520761a80f3bbd2f4e0f277cbeb8b3ab
ruby193-rubygem-fog-1.19.0-2.el6cf.src.rpm	SHA-256: 3558c6a975e9d61dff1621b7e5146dc8d32b0ae4b3ec1a48db3b946b40cf4749
ruby193-rubygem-linux_admin-0.9.4-1.el6cf.src.rpm	SHA-256: 155c84d8289328df89ab7dacd65cbff809718dcc35776d35b118ee949d1ad126
x86_64
cfme-5.3.2.6-1.el6cf.x86_64.rpm	SHA-256: c339fc3d3c47383c449450dbe7e36d6a60bb7d70f4cc15139dbaca4786c52ee5
cfme-appliance-5.3.2.6-1.el6cf.x86_64.rpm	SHA-256: 69e83f42ca8b22e7a5941451318b3492141a1735b049da9661894288350d1bab
cfme-debuginfo-5.3.2.6-1.el6cf.x86_64.rpm	SHA-256: 8cfc425b4486b679466b473f80a952ff454d5957d7878e09ed325ba047d0fc84
cfme-lib-5.3.2.6-1.el6cf.x86_64.rpm	SHA-256: 206ab5b84cc99d81e97cb5609930e978baddccb053156f851653a7c7bf1789e4
mingw32-cfme-host-5.3.2.6-1.el6cf.x86_64.rpm	SHA-256: b4a4ea833d5b5008417925a82951c23e82555291ae03d6f12ac1e37f78c37ec4
ruby193-rubygem-fog-1.19.0-2.el6cf.noarch.rpm	SHA-256: 21154eaf14f8d85f1c65c9f2d5825527ac3719ba0d017456ddbef05e2037ac97
ruby193-rubygem-linux_admin-0.9.4-1.el6cf.noarch.rpm	SHA-256: 2292f15c872527700a58719dcf09a5d9e952cda7e61c05103c8104437fadb3b8