RHSA-2016:2839 - Security Advisory

Topic

An update is now available for Red Hat CloudForms 4.1.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

Red Hat CloudForms Management Engine delivers the insight, control, and automation needed to address the challenges of managing virtual environments. CloudForms Management Engine is built on Ruby on Rails, a model-view-controller (MVC) framework for web application development. Action Pack implements the controller and the view components.

Security Fix(es):

• A code injection flaw was found in the way capacity and utilization imported control files are processed. A remote, authenticated attacker with access to the capacity and utilization feature could use this flaw to execute arbitrary code as the user CFME runs as. (CVE-2016-5402)

This issue was discovered by Simon Lukasik (Red Hat).

Additional Changes:

This update also fixes various bugs and adds several enhancements. Notable changes include:

Changes to the Automate component:

• This release of CloudForms allows provisioning of a virtual machine without specifying a host but validating a cluster. CloudForms now validates if either a host or cluster is selected when provisioning on VMware. (BZ#1378116)

Changes to the Providers component:

• In the previous version of CloudForms, when attempting to open a VNC console to an instance, CloudForms failed to connect because the instance did not exist for that tenant - it attempted to use the wrong tenant. This update specifies the tenant when opening a VNC console which has resolved the issue. CloudForms is now able to connect successfully without an error. (BZ#1370207)

Changes to the Provisioning component:

• In the previous version of CloudForms, cloning a VMware template failed when the target datacenter was nested below multiple folders. This was because if the datacenter was nested logically under various folders, users were unable to find the placement ID during an autoplacement VMware provision request. This fix always does a lookup of the folder path from the host datacenter instead of statically setting a possible wrong default value which has resolved the issue. (BZ#1361174)

Changes to the Replication component:

• In the previous version of CloudForms, subscription validation failed for replication subscriptions which were successfully saved. This was because the validation was done directly by the UI which did not have access to passwords of currently saved subscriptions. The validation would pass when the user enters the password when initially saving the subscription, but failed once the subscription needed to be retrieved from the database. This update has fixed the failing validation on saved replication subscriptions. (BZ#1378554)

Changes to the vulnerability component:

• A code injection flaw was found in the way capacity and utilization imported control files are processed. A remote, authenticated attacker with access to the capacity and utilization feature could use this flaw to execute arbitrary code as the user CFME runs as. (BZ#1357559)
• In the previous version of CloudForms, when trying to save filters in Subnets/Routers/Security groups/Floating IPs/Network ports exception appeared. This was caused due to missing routes for network resources. This update adds missing routes for network resources and the issue has now been resolved. (BZ#1370573)
• In the previous version of CloudForms, My Filters in datastore was unclickable and no filters were shown under it. This update enabled My Filters in datastore and the issue is now resolved. (BZ#1379727)

Solution

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/11258

Affected Products

• Red Hat CloudForms 4.1 x86_64

Fixes

• BZ - 1346967 - unable to bring VM out of retirement from details page
• BZ - 1346969 - when a user in a child tenant executes create_provision_request the miq_request has the wrong tenant id
• BZ - 1347002 - No flash message displayed for terminate stack instance when navigated through stack summary page
• BZ - 1349413 - The chargeback report gives wrong information
• BZ - 1357559 - CVE-2016-5402 cfme: RCE via Capacity & Utilization feature
• BZ - 1358324 - Error while configure CFME to use IPA
• BZ - 1361174 - VMware-Cloning a template fails when the target datacenter is nested below multiple folders
• BZ - 1362632 - After changing the locale to Japanese or Chinese, title is diplayed as "ManageIQ" instead of CFME
• BZ - 1368162 - [Ansible Tower] No flash message when provided bad credentials
• BZ - 1368172 - [Ansible Tower] Sorting in Configured systems table breaks "All Ansible Tower Providers"
• BZ - 1370207 - Cloudforms attempts to connect to he wrong tenant to reach an instance
• BZ - 1370570 - C&U - WEB UI crashes when moving from calendar to daily/hourly selection
• BZ - 1370573 - When trying to save filters in Subnets/Routers/Security groups/Floating IPs/Network ports exception appears
• BZ - 1370576 - Provider summary page has an additional authentication when editing Provider details.
• BZ - 1372768 - UX: Error message too vague when creating new automate domain / namespace / object
• BZ - 1375206 - VirtualDelegate: Fix foreign key for belongs_to
• BZ - 1376145 - default placement folder name in vmware varries depending on localization
• BZ - 1376514 - Advanced search tag type expression missing main object tags in drop down for newer objects
• BZ - 1376516 - EC2 instances IP Addresses are not shown in summary when instance is not in VPC
• BZ - 1376519 - Tag Control fields not working in Self-Service UI
• BZ - 1376521 - Configuration Management icons are barely visible
• BZ - 1376525 - Requested value is always shown as zero in quota exceed messages.
• BZ - 1376526 - EC2 provisioning instance in VPC with EIP error
• BZ - 1377417 - [RFE] OpenSCAP results --> Severity should be differentiated with adequate colors
• BZ - 1377418 - db:migrate failure during upgrade from 3.2 to 4.1
• BZ - 1378116 - [RFE] Cluster selection when deploying a vm on VMWare
• BZ - 1378173 - Copied user doesn't inherit password, but in UI it looks like it did
• BZ - 1378554 - Validation fails for previously saved replication subscriptions
• BZ - 1379692 - Multi-tenancy - not user friendly name of tenant in
• BZ - 1379693 - Nilclass for servicetemplateprovisionrequest_pending method
• BZ - 1379694 - C&U memory graphs are missing for Azure instances
• BZ - 1379697 - Can't retire amazon instance
• BZ - 1379727 - My Filters in datastores are not shown
• BZ - 1379728 - Upgrade to 4.1 fails to start due to widget errors
• BZ - 1380107 - provider fails to validate with IPv6 interface
• BZ - 1380170 - self-service UI allows duplicate items in cart
• BZ - 1381624 - Instance provisioning failure ''The requested availability zone is not available''
• BZ - 1382072 - .missing is missing for Azure events, causing ERROR in the logs
• BZ - 1382074 - Useless scrollbar under left submenu panel after selecting submenu
• BZ - 1382164 - Incorrect hover text for Edit tags button
• BZ - 1382406 - Cannot cancel clone via policy with cancel vcenter task
• BZ - 1382408 - Receiving Azure::Armrest::ApiException during a provider refresh after successfully adding the provider
• BZ - 1382753 - No longer select 'Discovered virtual machine' as a default folder
• BZ - 1382819 - Error When Trying to Create Service Dialog from Heat Orchestration Template
• BZ - 1382826 - Downloaded text report does not contain Instance details
• BZ - 1382834 - Global filters are sometimes saved as regular filters
• BZ - 1382835 - Azure Orchestration template no longer defaults to Default.
• BZ - 1382836 - Cloud Providers authentication not re-validated after save
• BZ - 1382837 - Reordering tenant Automate domains breaks root domain ordering
• BZ - 1382846 - Filters in My Filters set as default filter are missing label (Default)
• BZ - 1382847 - Compliance history is broken for a VM
• BZ - 1383368 - Error IPMI is not available on this Host
• BZ - 1383466 - Update download_template to use RestClient instead of open-uri for Azure
• BZ - 1383469 - Improve performance by skipping asset pipeline resolution for Service nodes
• BZ - 1383470 - Allow the root folder to be the default location for auto placement VMWare provisioning
• BZ - 1383497 - Optimize memory usage by making object in hash reference small
• BZ - 1385156 - Need to translate Compute -> Infra -> Datastores -> [A Datastore] -> Files -> [A file]
• BZ - 1385173 - Key Pairs: wrong quadicon displayed
• BZ - 1386792 - Alerts don't send SNMP traps
• BZ - 1386793 - Button edit dialog title is incorrect
• BZ - 1386794 - There is no "Trap Number" string in the alert details screen
• BZ - 1386797 - Can not generate txt/pdf drift report of SSA
• BZ - 1388984 - Inventory Refresh failing for Container Provider.
• BZ - 1389025 - Traceback during evaluation of alert when duration is not set
• BZ - 1389760 - [RFE] events are not available through the vm object
• BZ - 1389790 - Cannot add or copy alerts
• BZ - 1390697 - Auto-tagging from same label in 2 providers breaks refresh
• BZ - 1390698 - Auto-tagging from name=value and name=VALUE labels breaks refresh
• BZ - 1390724 - External Authentication configuration fails after setting hostname in appliance console
• BZ - 1391710 - Cloud instance does not have relation to service
• BZ - 1391721 - OpenStack identity.authenticate should be filtered by CloudForms
• BZ - 1391764 - ServiceTemplateProvisionTask not honoring provider zone
• BZ - 1391980 - Auto-tagging tag categories can't be used in reports
• BZ - 1392561 - 'Update External Authentication Options' option not available in cfme
• BZ - 1392964 - Some predefined alerts send emails to incorrect recipient
• BZ - 1393061 - Background & custom logo image not showing in http service after upgrading to cfme-5.6.2.1
• BZ - 1395305 - [RFE] Containers should have "My filters" and advanced search same way as other providers
• BZ - 1396665 - VM chargeback cost computed as if VM were used for 24 hours, even though it was used for < 24 hours
• BZ - 1397093 - Cannot Log in with username and "password+OTP TOKEN"
• BZ - 1397095 - ext_auth ipa user group retrieval failed with no error message, even after UI spinner takes long time.
• BZ - 1397516 - when ext_auth configured with ldaps through sssd, groups retrieved as "groupname@domain.com"
• BZ - 1399285 - Changes to class attribute default value are discarded

CVEs

• CVE-2016-5402

References

• https://access.redhat.com/security/updates/classification/#important