- Issued: 2016-08-18
- Updated: 2016-08-18
RHSA-2016:1634 - Security Advisory
Synopsis
Important: CFME 5.6.1 security, bug fix, and enhancement update
Type/Severity
Security Advisory: Important
Topic
An update for cfme is now available for Red Hat CloudForms 4.1.
Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Description
Red Hat CloudForms Management Engine delivers the insight, control, and automation needed to address the challenges of managing virtual environments. CloudForms Management Engine is built on Ruby on Rails, a model-view-controller (MVC) framework for web application development. Action Pack implements the controller and the view components.
Security Fix(es):
- It was found that the CloudForms web UI did not properly filter input in certain fields. A remote, authenticated attacker could use this flaw to execute arbitrary code on the system running CloudForms. (CVE-2016-5383)
This issue was discovered by Eric Hayes (Red Hat).
Additional Changes:
This update also fixes several bugs and adds various enhancements.
Solution
For details on how to apply this update, which includes the changes described in this advisory, refer to:
Affected Products
- Red Hat CloudForms 4.1 x86_64
Fixes
- BZ - 1240443 - Catalog Item : Changing the provider template after filling all tabs shows error
- BZ - 1255389 - [Scale] - Large render time on Configure -> Configuration -> Access Control administration page with large scale environment
- BZ - 1273404 - Optimize Planning does not show duplicate VMs
- BZ - 1278003 - SmartState analysis fails for users Last Logon on RHEL7 hosts
- BZ - 1284084 - Refresh Relationships on SCVMM Provider throws ERROR if any VM contains 2 DVD drives.
- BZ - 1295523 - Editing catalog item when the template used is removed from provider : undefined method `fulltree_arranged' for nil:NilClass [catalog/tree_select]
- BZ - 1316842 - /System/Process/Event should not be displayed as a valid entry point for Automate Simulation
- BZ - 1335669 - Automate | Assertion with failed substitution should raise error
- BZ - 1337676 - Ceilometer events does not work with openstack mitaka
- BZ - 1338754 - Containers -- Providers -- Tile View - Port number is shown incorrectly
- BZ - 1338957 - [RFE] - Changes to the existing Utilisation Reporting for Red Hat products
- BZ - 1340072 - parent tenant name changes are not reflected via the api
- BZ - 1341665 - Error "Invalid input [cloud_volume/create]" on add new cloud volume
- BZ - 1341666 - UI: 'Perform SmartState Analysis' for Datastore shows wrong flash message(No Datastores were selected for Analysis)
- BZ - 1341667 - Smart State Analysis timed out scans are not displayed as "timed out" in CFME
- BZ - 1341668 - After selecting any container's Relationship from Containers List, the path label will show incorrect path
- BZ - 1341669 - remove delete cloud volume if its not supported
- BZ - 1341670 - Dialog content not fully displayed
- BZ - 1341671 - False flash message displayed when clicked on commit while importing service dialog
- BZ - 1342122 - monitoring button appears after policy button in the containers tab while appears before on all other pages
- BZ - 1342220 - Scale down compute node does not remove nova service from the removed compute node
- BZ - 1342221 - timeline page should not have dashboard and summary view
- BZ - 1342222 - inconsistency on the monitoring button between pages
- BZ - 1343515 - 5.6.0.8 memory usage is ~370MiB higher than 5.5.4.2 when idle
- BZ - 1343720 - Azure Smart State not capturing expected details for Ubuntu VM.
- BZ - 1343721 - missing scroll bar on capacity planning " Reference VM Selection "
- BZ - 1343723 - Remove "Middleware" from the Product features tree in Access control
- BZ - 1344050 - Replication stops if network connection is lost for over 60s
- BZ - 1344327 - Terminate instance term is confusing
- BZ - 1344328 - SSUI - Filters are not working correctly for "Pending" requests
- BZ - 1344329 - Flash message not displayed long enough on widget import/export page
- BZ - 1344330 - [ja_JP] Translation issues on cloud intelligence->reports->edit report menus page
- BZ - 1344331 - [ALL LANG] No fully localized on Clouds -> Providers page.
- BZ - 1346036 - [Bug] Optimize: Utilization by Classification Throws Exception
- BZ - 1346037 - VMware VM Reconfigure Add Disk fails when a new SCSI controller is needed
- BZ - 1346057 - Add container nodes, pods and replicators to Control
- BZ - 1346312 - [RFE] sort flavors by their size
- BZ - 1346443 - [RFE] GCE image not prepared for use on Google Compute Platform
- BZ - 1346909 - Retired instance can be resumed from provider side and it is not powered off.
- BZ - 1346951 - [RFE] "NoMethodError: undefined method `where' for MiqAeMethodService::MiqAeServiceClassification:Class"
- BZ - 1346956 - Tag Control issues on service dialogue imports between appliances
- BZ - 1346968 - Catalog Item : Editing a catalog item after deleting provider shows error
- BZ - 1346991 - [RFE] The OpenShift provider should use the proxy configured in CloudForms
- BZ - 1347018 - When quota source is group display quota exceed message for which the quota is validated for
- BZ - 1347695 - Unexpected error when sorting "instances" column in network manager security groups
- BZ - 1348221 - Apply button enabled after a failed attempt to upload invalid file for importing tags
- BZ - 1348630 - Show cloud Tenant field in cloud image summary page.
- BZ - 1348632 - CFME 4.0 session setting necessary for proper CFME operation in Load Balancer environment is no longer acceptable and causes worker failures
- BZ - 1348636 - [ALL LANG] Unlocalized strings on cloud intelligence->reports->dashboard widgets page.
- BZ - 1348638 - [RFE] - Need default validation for data type on TextBox fields when submitting Dialog (Web UI)
- BZ - 1348645 - [ja_JP] Translation issues on cloud intelligence->reports->import/export page
- BZ - 1348650 - Policy Simulation detail page blank for VM sub lists (i.e. on Provider or Host)
- BZ - 1348651 - Add new Cloud volume fails
- BZ - 1348989 - Start rhevm vm with use_cloud_init flag on first boot
- BZ - 1349060 - [ja_JP] Translation issues on Services -> Workloads -> Templates & Images page
- BZ - 1349061 - [ja_JP] Translation issues on cloud intelligence->chargeback->rates page
- BZ - 1349062 - [Scale] perf_capture_timer message timeout, cycles Generic/Priority Workers
- BZ - 1349063 - [RFE] Set API port to 13000 for SSL enabled Openstack providers
- BZ - 1349410 - Provider name should be included for Chargeback reports for infra and cloud VMs
- BZ - 1349414 - Unexpected error when clicked on upload button in import custom reports
- BZ - 1349417 - Reconfigure instance fails in html error
- BZ - 1349418 - Control/Simulation expand all icon is missing
- BZ - 1349419 - "Expand All" button is broken in container image compliance history
- BZ - 1349421 - memory metric not being rolled up to OSP Availability zones
- BZ - 1349426 - [Ansible Tower] Tower stack cannot be retired
- BZ - 1349427 - Policy profiles actions unclickable
- BZ - 1349482 - Since update cannot obtain tenant inventory data from OpenStack ( NON RH OPENSTACK VERSION! )
- BZ - 1349624 - Error:"no implicit conversion of Symbol into Integer" when clicked on download in VM comparison page
- BZ - 1349625 - Creating provisioning dialog with no type chosen(default used named Choose)
- BZ - 1349626 - Floating IPs have no displayed names in Grid View
- BZ - 1349627 - Hovering on 'Select host to validate against' drop down on Host credential page displays "<Choose>"
- BZ - 1349628 - Sorting select form is turn rounded in Virtual Machines
- BZ - 1349630 - "Adress" typo in sorting options
- BZ - 1349631 - Websockets icon missing in diagnostics
- BZ - 1349636 - Default view settings fails for some pages
- BZ - 1349637 - Remove Hand pointer from edit timeprofile page
- BZ - 1349869 - CFME provisioning on RHEV limited to max 4096GB of memory
- BZ - 1349876 - SSUI : Blank virtual machine row is displayed for service with no VM
- BZ - 1349988 - RBAC:Unexpected error when clicked on VM in "EVM: Recently Discovered VMs" widget of tenant user
- BZ - 1349989 - Services: Setting a Retirement Dates/ Retiring for a service shows error in log
- BZ - 1350448 - Azure request remains Active even after instance is fully provisioned
- BZ - 1350449 - CF does not notice RHEV VMs being suspended
- BZ - 1350592 - Error:Uninitialized constant ApplicationHelper in production.log when clicked on configured system in Red Hat Satellite Provider
- BZ - 1350593 - All Ansible tower provider configured systems are getting listed under satellite provider in accordion
- BZ - 1350594 - Error "uninitialized constant ProviderForemanController.." when downloading summary of inventory group in Ansible tower
- BZ - 1350842 - Warnings about session threshold
- BZ - 1350903 - Service order through API does not auto approve
- BZ - 1350904 - Widget import 'select all' button doesn't work
- BZ - 1350905 - 'Show host events' check box not needed on datastore bottleneck page
- BZ - 1350906 - Suspicious values in Chargeback for Containers
- BZ - 1351176 - Provisioning requests are not being transmitted successfully from the global region to the local region - getting "500 Internal Server Error" message
- BZ - 1351177 - Appliance_console crash
- BZ - 1351178 - RedHat Domain - Change placement methods to avoid read-only datastores
- BZ - 1351669 - default repos stored in the appliance are incorrect
- BZ - 1351674 - C&U : Performance metrics collection fails for Azure
- BZ - 1351678 - [Release Candidate] validation skipped on azure when subscription id is populated
- BZ - 1351696 - Unexpected error when clicked on download button in Timelines
- BZ - 1352011 - Cannot specify security_protocol when creating a cloud provider via the API
- BZ - 1352012 - Extra Vars not passed to Ansible Tower when using custom state machines in service catalog
- BZ - 1352014 - [Ansible Tower 3.0] Unsupported media type "application/x-www-form-urlencoded" in request
- BZ - 1352027 - Filters are missing in both cloud and infrastructure providers
- BZ - 1352134 - log: first installation shows git error in evm.log
- BZ - 1353201 - [RFE] Tagging on Ansible Template Jobs
- BZ - 1353228 - Key Pairs: wrong quadicon displayed
- BZ - 1353231 - Automate | Services | Remove ConfigureChildDialog method and state value.
- BZ - 1353233 - ManageIQ Automate domain cleanup
- BZ - 1353234 - Openstack cloud provider not disabled Timelines subbutton when no events available
- BZ - 1353235 - Monitoring button in EC2 cloud provider summary should be disabled
- BZ - 1353237 - Add India, Australia and US Gov regions for Azure
- BZ - 1353239 - Database garbage collection errs with undefined local variable or method `current_db_opts' for #<Class:0x00000003615bb8>
- BZ - 1353240 - Quota enforcement for user as quota source does not work
- BZ - 1353243 - Service : Azure service catalog request fails with error
- BZ - 1353253 - Configuration database pagination is broken for tables and indexes
- BZ - 1353255 - add instance to trigger miqevents from a button
- BZ - 1353258 - When clicked on reload button it throws an error in log:RoutingError (No route matches [POST] "/miq_capacity/reload")
- BZ - 1353260 - Error"undefined method `length' for nil:NilClass" in download link of template summary page
- BZ - 1353277 - Wrong html markup in SNMP section of an Alert
- BZ - 1353279 - Dashboard widgets menu Minimize/Maximize improper mouseover
- BZ - 1353285 - SCVMM Refresh fails if there is a Recovery Partition or a partition with no drive letter.
- BZ - 1353287 - RubyRep replication in CFME 5.5.3.4 failing in large multi region environment
- BZ - 1353288 - provision_requests call with a request_type "clone_to_vm" fails with undefined method datacenter_name
- BZ - 1353290 - UI Constants need to use delayed translations
- BZ - 1353292 - Tenant Quota widget needs formatting
- BZ - 1353294 - UX: Automate - Configuration button is not present in read-only domains until there is a writeable domain available
- BZ - 1353299 - Clear filter in datastores should lead to All Datastores
- BZ - 1353300 - All datastores add clear link after advanced search open and close
- BZ - 1353302 - Unexpected error encountered during reconfiguration
- BZ - 1353308 - hosts fail to archive upon provider deletion
- BZ - 1353310 - Importing a service dialog should invalidate Service Dialogs tree cache to rebuild it with current dialogs
- BZ - 1353323 - Inventory refresh doesn't work with version 4 of oVirt
- BZ - 1353324 - [ja_JP] Translations are missing in 'Cloud Intel' menu and its sub menu's pages
- BZ - 1353326 - [ja_JP, zh_CN] Many strings on Compute ->Containers -> Overview page are untranslated.
- BZ - 1353587 - New company tags not listed alphabetically
- BZ - 1353646 - In Network Providers are My Filters unclickable
- BZ - 1353647 - Sorting "Total Configured Systems" in Inventory Groups under Ansible Tower Provider fails.
- BZ - 1353651 - Unable to change zone setting of a configuration management provider
- BZ - 1353657 - Inconsistency in NOR values on VM summary page and Right size recommendation page
- BZ - 1353717 - Report listing empty after canceling "Add a new schedule"
- BZ - 1353719 - Azure Hard/Soft Reboot not working.
- BZ - 1353722 - CVE-2016-5383 CloudForms: Lack of field filters on user input
- BZ - 1353974 - Truncate miq_request user_message length.
- BZ - 1354562 - vms deployed in a multi-cluster rhevm environment are tied to the cluster of the template
- BZ - 1355785 - It should be possible to define/modify the relevant hawkular endpoint
- BZ - 1355786 - Incorrect options listed for host related actions while adding a schedule
- BZ - 1355787 - Cloud providers security groups back button redirects me to network manager
- BZ - 1355788 - Unexpected error when Navigating Configuration and clicked on simulate in custom button.
- BZ - 1355789 - Add OpenSCAP failed rules summary
- BZ - 1356133 - Advanced Setting screen only shows the first 24 lines until browser resize
- BZ - 1356251 - User_data is being base64 encoded twice causing init script to fail for Openstack provisioning
- BZ - 1356256 - [RFE] SSUI should be able to set locales separately from Operations UI
- BZ - 1356624 - Relationship links do not work within an OSE project
- BZ - 1356647 - Control Explorer: Error when clicking on Edit assignments for this Alert Profile button
- BZ - 1356659 - Edit report menus list is hiding items, which are not in square
- BZ - 1356703 - CF4.0 to CF4.1 upgrade breaks Networks/Networks UI
- BZ - 1356704 - Errno::ECONNREFUSED: Connection refused when dynamic dialog menus are set to refresh
- BZ - 1356705 - CFME 4.1 appliance fail to perform logrotate for /vmdb/log and postgresql pg_log directory log files
- BZ - 1356973 - Dialogue Input are truncated when submitted
- BZ - 1357519 - Empty Overview Menu
- BZ - 1357520 - Unable to create a new v2_key when the old one is removed
- BZ - 1358037 - Fix gulp ECMDERR on older node, by forcing plato to 1.4
- BZ - 1358303 - Container auto-tagging from labels breaks refresh on labels with empty value
- BZ - 1359075 - Error when clicking on custom buttons item under Automate -> Customization -> Buttons
- BZ - 1359150 - Error when retiring an orchestration stack from list view
- BZ - 1359155 - Summary Screens: Download Summary to PDF toolbar button is missing
- BZ - 1359295 - immediately after upgrade from CFME 4.0 to CFME 4.1 UI requests to separate VMDB appliance are timing out
- BZ - 1359785 - Service : Not able to provision more than certain number of VM's for Google Compute Engine
- BZ - 1359937 - Fields observed with interval send changes multiple times if focused multiple times
- BZ - 1359966 - In Control - Policy & PolicyProfile don't automatically expand *all* the nodes
- BZ - 1360330 - Scheduled reports are emailing every few seconds rather than just once
- BZ - 1360364 - Worker nice_delta is not set in 5.6.0.13
- BZ - 1360384 - No cross-linking of OpenShift node to OpenStack instance
- BZ - 1360772 - pods are named 'container groups' in the policy explorer right cell
- BZ - 1360901 - "Load error! (parseerror)" in Policy Profiles and Policies explorers
- BZ - 1361189 - UI: Group editor/summary screen throwing an error when user has more than 5000 tags
- BZ - 1361237 - Watermark VMs per Provider header mismatch
- BZ - 1361308 - [Ansible Tower] Unable to add provider - Add button not clickable
- BZ - 1361610 - RubyRep fails to start after 5.5 -> 5.6 migration
- BZ - 1361844 - Relationship links lead to wrong menu in OSE project
- BZ - 1362181 - Policies explorer is recursive, doesn't show policies
- BZ - 1362228 - Broken image for inactive Control Policy
- BZ - 1362271 - Constant lookup wasn't working properly
- BZ - 1362654 - Azure - Discover Azure provider throws errors.
- BZ - 1363808 - UI: When recovering from timeout parameter page is set to zero, and causes an error in rendering the show_list page.
- BZ - 1364061 - Container dashboard does not show 'Aggregated Node Utilization' unless appliance timezone is UTC
- BZ - 1364063 - Container Image SmartState Analysis duplicate tasks and errors
- BZ - 1365907 - Connection to Ceilometer fails in fog/openstack
- BZ - 1366359 - Missing option to configure smartstate temp space
- BZ - 1366360 - CFME appliance console showing ManageIQ branding
CVEs
- CVE-2016-5383
Red Hat CloudForms 4.1
SRPM
Package | Checksum
---|---
cfme-5.6.1.2-1.el7cf.src.rpm | SHA-256: fee99a2b84f8acbd8c106965feb1b0f9d7da409e042dd3497e0b61ffe1fc8803 |
cfme-appliance-5.6.1.2-1.el7cf.src.rpm | SHA-256: 43f5005df8136220ce9858f1644a525edd8d87bb8e0d1aeda19385e81cd52ad0 |
cfme-gemset-5.6.1.2-1.el7cf.src.rpm | SHA-256: b0c12f1174cbcb72daf1a68eb022a9e9d8ca1c704344dc5c920303d16d29bd34 |
google-compute-engine-2.0.0-1.el7cf.src.rpm | SHA-256: 02ed145ebdcba315506ebb20883cd438d2d3b04b0472f498f6b3a19c926bfb0b |
google-config-2.0.0-1.el7cf.src.rpm | SHA-256: c41e553e4cbdeda9ee9dc43618f785653d7a5ec62f5c6772ee664e7d46cb46ce |
x86_64
Package | Checksum
---|---
cfme-5.6.1.2-1.el7cf.x86_64.rpm | SHA-256: 4bcfca894528b104b5959ee36024bca002b90ee698cef3c9cb70a20f7e7d4acc |
cfme-appliance-5.6.1.2-1.el7cf.x86_64.rpm | SHA-256: 125eac5060bf12f32515b62d9b04e5e75a699ab82e22b7d55bed11059f3fe2df |
cfme-appliance-debuginfo-5.6.1.2-1.el7cf.x86_64.rpm | SHA-256: 31076dcb29bc3cd943c0e28f4e5074f63bfed54d4be8be168389644ae4a410b3 |
cfme-debuginfo-5.6.1.2-1.el7cf.x86_64.rpm | SHA-256: 9432de856ff709689834eaca65739abcac3a6527fab91116df864b05f73128e3 |
cfme-gemset-5.6.1.2-1.el7cf.x86_64.rpm | SHA-256: d903f1bdb0dc89ca0db8ac82bcbc74ad3e5fa649a7029c966275478fc211b0fb |
google-compute-engine-2.0.0-1.el7cf.noarch.rpm | SHA-256: 8b281544783fa5c223d7aca0c92a32570132adef1ee96433b7c6802dc98ca003 |
google-config-2.0.0-1.el7cf.x86_64.rpm | SHA-256: fe61314f8eb808c5ba8f5b91732b3c1b95b38310783cad17139a105d89d8e325 |
The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.