Synopsis

Important: CFME 5.6.3 security, bug fix, and enhancement update

Type/Severity

Security Advisory: Important

Topic

An update is now available for Red Hat CloudForms 4.1.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

Red Hat CloudForms Management Engine delivers the insight, control, and automation needed to address the challenges of managing virtual environments. CloudForms Management Engine is built on Ruby on Rails, a model-view-controller (MVC) framework for web application development. Action Pack implements the controller and the view components.

Security Fix(es):

• A code injection flaw was found in the way capacity and utilization imported control files are processed. A remote, authenticated attacker with access to the capacity and utilization feature could use this flaw to execute arbitrary code as the user CFME runs as. (CVE-2016-5402)
  

This issue was discovered by Simon Lukasik (Red Hat).

Additional Changes:

This update also fixes various bugs and adds several enhancements. Notable changes include:

Changes to the Automate component:

• This release of CloudForms allows provisioning of a virtual machine without specifying a host but validating a cluster. CloudForms now validates if either a host or cluster is selected when provisioning on VMware. (BZ#1378116)
  

Changes to the Providers component:

• In the previous version of CloudForms, when attempting to open a VNC console to an instance, CloudForms failed to connect because the instance did not exist for that tenant - it attempted to use the wrong tenant. This update specifies the tenant when opening a VNC console which has resolved the issue. CloudForms is now able to connect successfully without an error. (BZ#1370207)
  

Changes to the Provisioning component:

• In the previous version of CloudForms, cloning a VMware template failed when the target datacenter was nested below multiple folders. This was because if the datacenter was nested logically under various folders, users were unable to find the placement ID during an autoplacement VMware provision request. This fix always does a lookup of the folder path from the host datacenter instead of statically setting a possible wrong default value which has resolved the issue. (BZ#1361174)
  

Changes to the Replication component:

• In the previous version of CloudForms, subscription validation failed for replication subscriptions which were successfully saved. This was because the validation was done directly by the UI which did not have access to passwords of currently saved subscriptions. The validation would pass when the user enters the password when initially saving the subscription, but failed once the subscription needed to be retrieved from the database. This update has fixed the failing validation on saved replication subscriptions. (BZ#1378554)
  

Changes to the vulnerability component:

• A code injection flaw was found in the way capacity and utilization imported control files are processed. A remote, authenticated attacker with access to the capacity and utilization feature could use this flaw to execute arbitrary code as the user CFME runs as. (BZ#1357559)
  
• In the previous version of CloudForms, when trying to save filters in Subnets/Routers/Security groups/Floating IPs/Network ports exception appeared. This was caused due to missing routes for network resources. This update adds missing routes for network resources and the issue has now been resolved. (BZ#1370573)
  
• In the previous version of CloudForms, My Filters in datastore was unclickable and no filters were shown under it. This update enabled My Filters in datastore and the issue is now resolved. (BZ#1379727)

Solution

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/11258

Affected Products

• Red Hat CloudForms 4.1 x86_64

Fixes

• BZ - 1346967 - unable to bring VM out of retirement from details page
• BZ - 1346969 - when a user in a child tenant executes create_provision_request the miq_request has the wrong tenant id
• BZ - 1347002 - No flash message displayed for terminate stack instance when navigated through stack summary page
• BZ - 1349413 - The chargeback report gives wrong information
• BZ - 1357559 - CVE-2016-5402 cfme: RCE via Capacity & Utilization feature
• BZ - 1358324 - Error while configure CFME to use IPA
• BZ - 1361174 - VMware-Cloning a template fails when the target datacenter is nested below multiple folders
• BZ - 1362632 - After changing the locale to Japanese or Chinese, title is diplayed as "ManageIQ" instead of CFME
• BZ - 1368162 - [Ansible Tower] No flash message when provided bad credentials
• BZ - 1368172 - [Ansible Tower] Sorting in Configured systems table breaks "All Ansible Tower Providers"
• BZ - 1370207 - Cloudforms attempts to connect to he wrong tenant to reach an instance
• BZ - 1370570 - C&U - WEB UI crashes when moving from calendar to daily/hourly selection
• BZ - 1370573 - When trying to save filters in Subnets/Routers/Security groups/Floating IPs/Network ports exception appears
• BZ - 1370576 - Provider summary page has an additional authentication when editing Provider details.
• BZ - 1372768 - UX: Error message too vague when creating new automate domain / namespace / object
• BZ - 1375206 - VirtualDelegate: Fix foreign key for belongs_to
• BZ - 1376145 - default placement folder name in vmware varries depending on localization
• BZ - 1376514 - Advanced search tag type expression missing main object tags in drop down for newer objects
• BZ - 1376516 - EC2 instances IP Addresses are not shown in summary when instance is not in VPC
• BZ - 1376519 - Tag Control fields not working in Self-Service UI
• BZ - 1376521 - Configuration Management icons are barely visible
• BZ - 1376525 - Requested value is always shown as zero in quota exceed messages.
• BZ - 1376526 - EC2 provisioning instance in VPC with EIP error
• BZ - 1377417 - [RFE] OpenSCAP results --> Severity should be differentiated with adequate colors
• BZ - 1377418 - db:migrate failure during upgrade from 3.2 to 4.1
• BZ - 1378116 - [RFE] Cluster selection when deploying a vm on VMWare
• BZ - 1378173 - Copied user doesn't inherit password, but in UI it looks like it did
• BZ - 1378554 - Validation fails for previously saved replication subscriptions
• BZ - 1379692 - Multi-tenancy - not user friendly name of tenant in
• BZ - 1379693 - Nilclass for servicetemplateprovisionrequest_pending method
• BZ - 1379694 - C&U memory graphs are missing for Azure instances
• BZ - 1379697 - Can't retire amazon instance
• BZ - 1379727 - My Filters in datastores are not shown
• BZ - 1379728 - Upgrade to 4.1 fails to start due to widget errors
• BZ - 1380107 - provider fails to validate with IPv6 interface
• BZ - 1380170 - self-service UI allows duplicate items in cart
• BZ - 1381624 - Instance provisioning failure ''The requested availability zone is not available''
• BZ - 1382072 - .missing is missing for Azure events, causing ERROR in the logs
• BZ - 1382074 - Useless scrollbar under left submenu panel after selecting submenu
• BZ - 1382164 - Incorrect hover text for Edit tags button
• BZ - 1382406 - Cannot cancel clone via policy with cancel vcenter task
• BZ - 1382408 - Receiving Azure::Armrest::ApiException during a provider refresh after successfully adding the provider
• BZ - 1382753 - No longer select 'Discovered virtual machine' as a default folder
• BZ - 1382819 - Error When Trying to Create Service Dialog from Heat Orchestration Template
• BZ - 1382826 - Downloaded text report does not contain Instance details
• BZ - 1382834 - Global filters are sometimes saved as regular filters
• BZ - 1382835 - Azure Orchestration template no longer defaults to Default.
• BZ - 1382836 - Cloud Providers authentication not re-validated after save
• BZ - 1382837 - Reordering tenant Automate domains breaks root domain ordering
• BZ - 1382846 - Filters in My Filters set as default filter are missing label (Default)
• BZ - 1382847 - Compliance history is broken for a VM
• BZ - 1383368 - Error IPMI is not available on this Host
• BZ - 1383466 - Update download_template to use RestClient instead of open-uri for Azure
• BZ - 1383469 - Improve performance by skipping asset pipeline resolution for Service nodes
• BZ - 1383470 - Allow the root folder to be the default location for auto placement VMWare provisioning
• BZ - 1383497 - Optimize memory usage by making object in hash reference small
• BZ - 1385156 - Need to translate Compute -> Infra -> Datastores -> [A Datastore] -> Files -> [A file]
• BZ - 1385173 - Key Pairs: wrong quadicon displayed
• BZ - 1386792 - Alerts don't send SNMP traps
• BZ - 1386793 - Button edit dialog title is incorrect
• BZ - 1386794 - There is no "Trap Number" string in the alert details screen
• BZ - 1386797 - Can not generate txt/pdf drift report of SSA
• BZ - 1388984 - Inventory Refresh failing for Container Provider.
• BZ - 1389025 - Traceback during evaluation of alert when duration is not set
• BZ - 1389760 - [RFE] events are not available through the vm object
• BZ - 1389790 - Cannot add or copy alerts
• BZ - 1390697 - Auto-tagging from same label in 2 providers breaks refresh
• BZ - 1390698 - Auto-tagging from name=value and name=VALUE labels breaks refresh
• BZ - 1390724 - External Authentication configuration fails after setting hostname in appliance console
• BZ - 1391710 - Cloud instance does not have relation to service
• BZ - 1391721 - OpenStack identity.authenticate should be filtered by CloudForms
• BZ - 1391764 - ServiceTemplateProvisionTask not honoring provider zone
• BZ - 1391980 - Auto-tagging tag categories can't be used in reports
• BZ - 1392561 - 'Update External Authentication Options' option not available in cfme
• BZ - 1392964 - Some predefined alerts send emails to incorrect recipient
• BZ - 1393061 - Background & custom logo image not showing in http service after upgrading to cfme-5.6.2.1
• BZ - 1395305 - [RFE] Containers should have "My filters" and advanced search same way as other providers
• BZ - 1396665 - VM chargeback cost computed as if VM were used for 24 hours, even though it was used for < 24 hours
• BZ - 1397093 - Cannot Log in with username and "password+OTP TOKEN"
• BZ - 1397095 - ext_auth ipa user group retrieval failed with no error message, even after UI spinner takes long time.
• BZ - 1397516 - when ext_auth configured with ldaps through sssd, groups retrieved as "groupname@domain.com"
• BZ - 1399285 - Changes to class attribute default value are discarded

CVEs

• CVE-2016-5402

References

• https://access.redhat.com/security/updates/classification/#important

Red Hat CloudForms 4.1

SRPM
cfme-5.6.3.3-1.el7cf.src.rpm	SHA-256: c72278249e0930d82dc1d2dade385ae097e00d2f6642c532b9145f005da1b468
cfme-appliance-5.6.3.3-1.el7cf.src.rpm	SHA-256: b527dd663123a7b56bf2bd482dda7d64e8fe789f57492f2de51505de5157e2f6
cfme-gemset-5.6.3.3-1.el7cf.src.rpm	SHA-256: fff81562c32f42fc7ec0e2076f0e613ac57607c5387bbe50551283f9be3c0a1f
freeipmi-1.5.1-2.el7cf.src.rpm	SHA-256: e47d4bfeab9b1568f06b5c9abad3bf08ed5ddac747ed18c54b0c705f908a33c7
x86_64
cfme-5.6.3.3-1.el7cf.x86_64.rpm	SHA-256: 3164043c45f8980daad8eb032333bc29c3cf35ad50c630132f1512515d90d40a
cfme-appliance-5.6.3.3-1.el7cf.x86_64.rpm	SHA-256: e50c0cda1ef3cc9f370f7e613d48509f5b3432ae450d5618d3029f26cf7282f5
cfme-appliance-debuginfo-5.6.3.3-1.el7cf.x86_64.rpm	SHA-256: d8afe3be4156514de1230a98de464865745ae5939379a223602dc8727d7617ff
cfme-debuginfo-5.6.3.3-1.el7cf.x86_64.rpm	SHA-256: 9fe2c70b74a374b716b4df0bc214e2831a3c665d385efa7d791926c82276283e
cfme-gemset-5.6.3.3-1.el7cf.x86_64.rpm	SHA-256: a59eb2a305cae840f4c4c0b1918ded2dac0776668a87f67d2ec53e160cc7101e
freeipmi-1.5.1-2.el7cf.x86_64.rpm	SHA-256: 531782d33b585038211a8d8847ccec2f553e48db0d6ea6e54f377170c2d15ae4
freeipmi-bmc-watchdog-1.5.1-2.el7cf.x86_64.rpm	SHA-256: 17dcde4183c0fe19f8cafecba81485a6024f4ef55e51335bd59e1f697f7848d8
freeipmi-debuginfo-1.5.1-2.el7cf.x86_64.rpm	SHA-256: d83c3fa9fc1169fab96e4450055939addcebcfd3c88219bda412dfb85b7540b6
freeipmi-devel-1.5.1-2.el7cf.x86_64.rpm	SHA-256: d784c4b838b8de6b8e0aa9110bdb46d7c023693de8ad626fe355ba0dc34bcd45
freeipmi-ipmidetectd-1.5.1-2.el7cf.x86_64.rpm	SHA-256: ea711212d2eefe54a4a04ff855f8dfa51518470ca674b8de9593ceb18d33e6a2
freeipmi-ipmiseld-1.5.1-2.el7cf.x86_64.rpm	SHA-256: ca111bd8e5507bce6e672b05807f44cfe6cdd51aa27e52e930f0f54da483a7c2