RHSA-2015:0028 - Security Advisory

Topic

Updated cfme packages that fix two security issues, several bugs, and add
various enhancements are now available for Red Hat CloudForms 3.1.

Red Hat Product Security has rated this update as having Important security
impact. Common Vulnerability Scoring System (CVSS) base scores, which give
detailed severity ratings, are available for each vulnerability from the
CVE links in the References section.

Description

Red Hat CloudForms Management Engine delivers the insight, control, and
automation needed to address the challenges of managing virtual
environments. CloudForms Management Engine is built on Ruby on Rails, a
model-view-controller (MVC) framework for web application development.
Action Pack implements the controller and the view components.

It was found that CloudForms Management Engine exposed SQL filters via the
REST API without any input escaping. An authenticated user could use this
flaw to perform SQL injection attacks against the CloudForms Management
Engine database. (CVE-2014-7814)

It was found that the CloudForms Management Engine customization template
used a default root password for newly created images if no root password
was specified. (CVE-2014-3692)

These issues were discovered by the Red Hat CloudForms Team.

This update also fixes several bugs and adds various enhancements.
Documentation for these changes is available from the Technical Notes
document linked to in the References section.

All cfme users are advised to upgrade to these updated packages, which
contain correct these issues and add these enhancements.

Solution

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to use the
Red Hat Network to apply this update are available at
https://access.redhat.com/articles/11258

Affected Products

• Red Hat CloudForms 3.1 x86_64

Fixes

• BZ - 1145304 - All Passwords visible in UI when viewing page source
• BZ - 1151258 - CVE-2014-3692 CFME: default fallback password in customization_templates.yml
• BZ - 1157881 - CVE-2014-7814 CFME: REST API SQL Injection
• BZ - 1161265 - Button triggered automate actions do not work
• BZ - 1161761 - Automate Explorer: "Error during 'save': Validation failed: Datatype is not included in the list" when trying to save input parameters for a Method
• BZ - 1163384 - UI: Missing route error for forest_delete action in Configuration/Configure/Settings/Authentication
• BZ - 1163875 - RedHat domain - OSE automate model initial checkin.
• BZ - 1164034 - Performance by Asset Type report undefined method error
• BZ - 1164035 - [RFE] Need ability to properly override service request message.
• BZ - 1164036 - Excon::Errors::Conflict]: Expected([200, 202]) <=> Actual(409 Conflict) with 2 security groups of the same name in the same tenant
• BZ - 1165305 - Openstack inventory collection fails with missing instances
• BZ - 1166214 - Callback url routing issue
• BZ - 1166215 - Chargeback throws "undefined method '[]' for nil:NilClass [configuration/form_field_changed]"
• BZ - 1166286 - Setting start page as Clouds/Availability Zones shows "Page doesnt exist"
• BZ - 1166290 - Text "Custom reports" displayed twice in import/Export Custom reports
• BZ - 1168336 - UI: Missing routes error on Infra/Cloud Provider & Resource Pool list views when user has saved searches
• BZ - 1168384 - Sorting and Paging does not work in Chargeback Rates list
• BZ - 1168564 - UI: Unable to save a dashboard change after moving a widget to a different spot
• BZ - 1170320 - Ext3 directory code should account for nil entries
• BZ - 1170682 - Update miq_ae_service_snapshot.rb with new relationship of vm_or_template
• BZ - 1170794 - Unable to create dashboard widget for trending reports or filter
• BZ - 1171343 - Deleting a Cluster with many policy_events takes forever and times out.
• BZ - 1171346 - ManageIQ - Resolve file differences resulting from model import/export round trip.
• BZ - 1171821 - 5.3.2.2 doesn't start evmserverd
• BZ - 1171899 - Storage: Adding a new Storage Manager does not work. Crashes with the error - Error caught: [ArgumentError] wrong number of arguments (2 for 1)
• BZ - 1172491 - Unable to schedule backup of internal vmdb_production DB using CFME console
• BZ - 1179957 - ose_installer fails with uninitialized constant FileUtils
• BZ - 1179959 - ose_installer fails with No such file or directory - /root/.openshift/oo-install-cfg.yml

CVEs

• CVE-2014-3692
• CVE-2014-7814

References

• http://www.redhat.com/security/updates/classification/#normal