- Issued: 2017-02-27
- Updated: 2017-02-27
RHSA-2017:0320 - Security Advisory
Synopsis
Moderate: CFME 5.7.1 bug fixes and enhancement update
Type/Severity
Security Advisory: Moderate
Topic
Updated cfme packages that fix bugs and add various enhancements are now available for Red Hat CloudForms 4.2.
Description
Red Hat CloudForms Management Engine delivers the insight, control, and automation needed to address the challenges of managing virtual environments. CloudForms Management Engine is built on Ruby on Rails, a model-view-controller (MVC) framework for web application development. Action Pack implements the controller and the view components.
This update fixes various bugs and adds several enhancements. Documentation for these changes is available in the Release Notes linked to in the References section.
Security Fix(es):
- A logic error in valid_role() in CloudForms role validation could allow a tenant administrator to create groups with a higher privilege level than the tenant administrator should have. This would allow an attacker with tenant administration access to elevate privileges. (CVE-2017-2632)
This issue was discovered by Matouš Mojžíš (Red Hat).
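The bug class behind CVE-2017-2632 is a role-validation routine that checks whether a requested role exists but never compares it with the privilege of the administrator making the request. The following Ruby model is an added example, not CloudForms code: the role names, the numeric privilege levels, the tenant-path encoding and the method names (`valid_role_weak?`, `valid_role?`, `tenant_in_scope?`, `create_group`) are assumptions made for illustration. It shows the weak check beside a hardened one that fails closed, and also scopes the new group to the creator's tenant subtree, the related problem tracked as BZ 1415217 in the fix list.

```ruby
# Added example (not CloudForms code): a hypothetical model of the checks a
# group-creation path needs so that a tenant administrator cannot create a
# group whose role outranks their own (the CVE-2017-2632 bug class) or that
# lives outside their tenant subtree. Role names, levels and the tenant path
# encoding are assumptions made for illustration.

# Assumed privilege ordering: a higher number means more privilege.
ROLE_LEVELS = {
  'EvmRole-user'         => 10,
  'EvmRole-operator'     => 20,
  'EvmRole-tenant_admin' => 50,
  'EvmRole-super_admin'  => 100,
}.freeze

# An authenticated principal: who they are, which role they hold and which
# tenant (encoded as a path such as "root/acme") they administer.
Actor = Struct.new(:userid, :role, :tenant) do
  def level
    ROLE_LEVELS.fetch(role)
  end
end

Group = Struct.new(:name, :role, :tenant)

# Weak validation (the bug class): it only checks that the requested role is
# a known role and never compares it with the creator's own level, so a
# tenant admin requesting super_admin passes.
def valid_role_weak?(_actor, requested_role)
  ROLE_LEVELS.key?(requested_role)
end

# Hardened validation: the role must be known AND must not outrank the
# creator. Unknown roles fail closed.
def valid_role?(actor, requested_role)
  return false unless ROLE_LEVELS.key?(requested_role)
  ROLE_LEVELS[requested_role] <= actor.level
end

# Tenant scope: the target tenant must be the actor's tenant or one of its
# descendants. Compare path components, not a bare string prefix, so that
# "root/acme" does not match "root/acme-corp".
def tenant_in_scope?(actor, target_tenant)
  actor_parts  = actor.tenant.split('/')
  target_parts = target_tenant.split('/')
  target_parts.length >= actor_parts.length &&
    target_parts.first(actor_parts.length) == actor_parts
end

# Hardened group creation: returns the new Group, or raises ArgumentError
# with a reason the caller can write to an audit log.
def create_group(actor, name:, role:, tenant:)
  unless valid_role?(actor, role)
    raise ArgumentError, "#{actor.userid} (#{actor.role}) may not assign role #{role}"
  end
  unless tenant_in_scope?(actor, tenant)
    raise ArgumentError, "#{actor.userid} may not create groups in tenant #{tenant}"
  end
  Group.new(name, role, tenant)
end

# Convenience for callers and tests: true when create_group rejects the
# request, false when it succeeds.
def rejected?(actor, **group_attrs)
  create_group(actor, **group_attrs)
  false
rescue ArgumentError
  true
end

if $PROGRAM_NAME == __FILE__
  tenant_admin = Actor.new('alice', 'EvmRole-tenant_admin', 'root/acme')
  # A tenant admin asking for a super_admin group is rejected by the hardened
  # check but accepted by the weak one.
  puts valid_role_weak?(tenant_admin, 'EvmRole-super_admin')
  puts rejected?(tenant_admin, name: 'escalated', role: 'EvmRole-super_admin', tenant: 'root/acme')
  puts rejected?(tenant_admin, name: 'ops', role: 'EvmRole-operator', tenant: 'root/acme/dev')
end
```

The design point is that role validation must be relative to the caller, not absolute: a list of "valid roles" is not a privilege check. Keeping the rejection reasons in the raised error also gives an audit trail for attempts to create over-privileged groups.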
All CFME users are advised to upgrade to these updated packages, which correct these issues and add these enhancements.
Solution
Before applying this update, make sure all previously released errata relevant to your system have been applied.
For details on how to apply this update, refer to:
Affected Products
- Red Hat CloudForms 4.2 x86_64
Fixes
- BZ - 1382768 - My Filters in datastores are not shown
- BZ - 1390729 - [Azure] - No LB icon/button in Network topology
- BZ - 1390731 - clicking on Unassigned Profiles Group from satellite provider
- BZ - 1391748 - [ja_JP] Translations are missing in 'Compute'-'Infrastructure' menu and its sub menu pages
- BZ - 1391750 - [ja_JP] Translation issues observed on cloud intelligence->Reports->reports page.
- BZ - 1391757 - [ALL LANG] Not fully localized on Clouds -> Providers page.
- BZ - 1394331 - Compare,Drift views missing in VM and drift comparison pages
- BZ - 1394339 - Missing "Items per Page" in Paginator with 5:4 or 4:3 screen ratio resolution
- BZ - 1394341 - Updating the default GTL view settings does not work for cloud key pair page
- BZ - 1394844 - Unexpected error when clicked on edit cloud provider after deleting cloud provider
- BZ - 1395304 - [RFE] Containers should have "My filters" and advanced search same way as other providers
- BZ - 1395839 - UX: Hovered redhat insights menu item text interferes to its arrow
- BZ - 1395840 - Service dialog editor drop down list Refresh problem
- BZ - 1395857 - OCP nodes showing as "not ready" in topology view but as "Ready" in Container Node view
- BZ - 1395898 - UI: 'Lifecycle' button is still alive, when no providers
- BZ - 1396222 - Middleware - Missing Alt on Add Datasource form buttons
- BZ - 1396238 - Middleware Provider - Timelines: JS Error and endless load
- BZ - 1396239 - Middleware - Support of MariaDB Datasource type
- BZ - 1396240 - Orchestration template : Unable to add Vapp Template
- BZ - 1396241 - [beta1] vm console icon not rendering correctly
- BZ - 1396243 - Spinning UI activity overlay stuck/infinite when using advanced search
- BZ - 1396575 - [ALL LANG] Middleware - Servers - Datasource - C&U screen has untranslated entries
- BZ - 1396576 - Some of the Power Operation strings are not getting extracted in the i18n gettext catalog for SUI
- BZ - 1396577 - when I scroll tables in provisioning dialog, table header is scrolled along with table contents
- BZ - 1396580 - Vmware Storage Profile is not shown in Provisioning Request
- BZ - 1397151 - [RFE] Unknown operating system for AWS instances
- BZ - 1397154 - tooltips for group of events in timelines don't look good
- BZ - 1397157 - date picker control appears under navigation bar in timelines view
- BZ - 1397158 - sometimes event text appears partially beyond the tooltip's bounds
- BZ - 1397159 - timelines control displaying current cursor position on timescale is annoying and unusable
- BZ - 1397248 - pods are named 'container groups' in the policy explorer right cell
- BZ - 1397416 - UI: Hover text is required for Help "(?)"
- BZ - 1397509 - many vm create/remove/stop/start Azure events are absent in timelines though present in DB
- BZ - 1397532 - [ja_JP] Need to change the strings on storage manager ->Monitoring -> Timelines -> Options for "Management Events" and "Policy Events"
- BZ - 1397874 - [ALL LANG] Compute-Container-Container nodes has untranslated entries
- BZ - 1399207 - vm.create_snapshot fails for rhev vm with undefined method `create_snapshot'
- BZ - 1399208 - [Multi-tenancy] - RFE - Disable renaming of Tenants created by tenant mapping
- BZ - 1399209 - Text does not appear when hovering over VMs & instances
- BZ - 1399211 - Infrastructure Topology legend buttons inaccuracy
- BZ - 1399214 - Cloud provider list view has bad region value
- BZ - 1399216 - giving access to view the quota of a tenant but not listing still allows a user to list all tenants
- BZ - 1399221 - [RFE] NFS41 storage type not supported for SmartState Analysis
- BZ - 1399669 - "Starting Date" in scheduled report is always next day; cannot be set to another day
- BZ - 1399677 - [RFE] Add settings key to disable console proxy
- BZ - 1399679 - [RFE] Launch an URL returned by an automate button
- BZ - 1400202 - [ALL LANG] Compute - Clouds - Instances - Instances by Provider has missing translations
- BZ - 1400204 - Filter out events from Azure Classic providers
- BZ - 1400212 - [Beta 1] lack of consistency in Custom Logo UI.. Check box and Yes/No Slide
- BZ - 1400303 - SSUI: My Request submenu needs translation when language is selected
- BZ - 1400616 - Power ops showing as available for an Archived vm.
- BZ - 1400704 - Documentation via SSUI opens up in the same SSUI window instead of a new tab/window
- BZ - 1401017 - Cloud Intel->Timelines->Events->Policy timelines(reports) have a really inobvious names
- BZ - 1401018 - VM reconfigure: submit is disabled, when memory new value is set after add disk
- BZ - 1401030 - [Amazon EC2][SDN] - Network provider not refreshed weirdness with tenancy
- BZ - 1401044 - Back, reload and configuration toolbar buttons are misplaced on Pxe page
- BZ - 1401103 - Unable to set retirement date for Stacks
- BZ - 1401935 - Heartbeat failure for workers is not reported as ERROR log line but INFO log line
- BZ - 1401956 - Sort providers table crash
- BZ - 1401957 - Unable to perform any actions on cloud objects from list view when navigated to cloud tenants
- BZ - 1402118 - appliance_console is unable to set time-zone for america/argentina "Failed to apply timezone configuration"
- BZ - 1402138 - [RFE] Default database name when setting up global replication subscriptions
- BZ - 1402139 - Automate Customization: When editing automate button, it doesn't remember previously saved button image and display field values.
- BZ - 1402162 - Subnet form needs to allow ipv4/ipv6 selection during create, and lock ipv4/ipv6 and CIRD during edit
- BZ - 1402524 - UI: Configuration -> Access Control - On User/Group/Role summary screens text is no longer a link
- BZ - 1402526 - Alert profiles assignments have container providers under cloud/infrastructure providers
- BZ - 1402527 - [Networks Topology] - LB Tags not shown in Topology
- BZ - 1402528 - Azure : Instance name restriction should be shown in UI when creating a catalog item for Azure
- BZ - 1402529 - No option to see next page in "services-->requests"
- BZ - 1403011 - C&U Configuration Screen does not display anything
- BZ - 1403019 - Azure instance disks not deleted
- BZ - 1403981 - Create snapshot has memory checkbox, even though VM is Down.
- BZ - 1403983 - After performing an upgrade, no role workers start on new appliances
- BZ - 1404316 - RHEV VM Reconfigure: Hot plug CPU & memory together, pass on CFME, though memory hot plug fail on 256 multiply
- BZ - 1404365 - Order Service drop-down for "App Name" no longer allows for search filter
- BZ - 1404427 - "audit log" is logged with "new_value" instead of actual data when new user is created.
- BZ - 1404431 - provisioning instance fail: FATAL -- : Error caught: [NoMethodError] undefined method `[]' for nil:NilClass
- BZ - 1404447 - Empty lists in Chrome
- BZ - 1404454 - VMware Auto Placement issue with insufficient space on Datastore
- BZ - 1404526 - Folder relationship change causing a re-classify of all children VMs
- BZ - 1404669 - Tenant cannot import datastore without datastore being locked
- BZ - 1404746 - Retirement state machine does not handle Ansible Tower services when part of a bundle
- BZ - 1404825 - Unable to trigger a smartstate scan from the clouds Instances view unlike infra vm view
- BZ - 1404827 - [RFE] CloudForms 4.1 unable to add Azure Gov Cloud Provider
- BZ - 1405193 - Unable to specify disk size in IE11 when adding additional disk
- BZ - 1405197 - When exporting reports into PDF only half of the data is displayed
- BZ - 1405200 - Can't create an alert
- BZ - 1405201 - VMs & Templates links point to Host & Clusters in the relationship accordion
- BZ - 1405640 - Subnet CRUD actions do not use task queue
- BZ - 1405641 - Network CRUD actions do not use task queue
- BZ - 1406160 - Floating IP/Security Group actions missing corresponding events
- BZ - 1406161 - Floating IP/Security Group Create Task Queues have reversed method names
- BZ - 1406163 - Unable to delete the subnets for azure,ec2 and gce providers
- BZ - 1406167 - Timelines not displayed on the Configuration->Diagnostics page
- BZ - 1406434 - Default validation for data type is not properly set when adding a new TextBox field
- BZ - 1406798 - event info tooltip appears only for first clicked event in timelines
- BZ - 1408278 - Add Access button group to Cloud Instance and move the HTML5 icon to it
- BZ - 1410516 - Impossible to login in SSUI due to ERROR on SSUI Dashboard
- BZ - 1410535 - Chargeback per time is limited to hourly
- BZ - 1410587 - [ALL LANG] Services - Workloads - Provision has untranslated tab names and labels
- BZ - 1410588 - Floating IP CRUD UI Missing
- BZ - 1410791 - "Selected Day Percent Utilization" graph is absent
- BZ - 1410817 - Remove 'execute method' checkbox from Automation Schedule UI
- BZ - 1410818 - Filter out all the host controllers (except the domain ctrl) when 'counting' how many domains there are
- BZ - 1410819 - Fixed associations for network_port and openstack network_port service models
- BZ - 1410828 - [RFE] Find Azure orchestration stack failure from its operations
- BZ - 1410831 - Wrong label in c3 chart click menu
- BZ - 1410844 - [RFE] Include log output in automation.log
- BZ - 1410845 - Can't remove retirement date
- BZ - 1410846 - We might not be purging all tables that we should be
- BZ - 1410851 - Expose custom_attribute methods to ext_management_system service model
- BZ - 1410927 - Retire Service screens returns to Request page rather than staying on the My Services page
- BZ - 1411350 - Middleware provider reports the incorrect name of the domain
- BZ - 1411351 - Make container node web console button match vm's
- BZ - 1411353 - some of timelines controls have wrong text style
- BZ - 1411357 - Setting relationship data for generic objects in automate does not work
- BZ - 1411358 - UI : Pinning the service menu shows "Red Hat Insights" menu
- BZ - 1411359 - launch_ansible_job doesn't support multiple Ansible Tower providers in CloudForms
- BZ - 1411362 - URLs might not be generated properly due to string conversion issue
- BZ - 1411364 - [RFE] Support container/infra/cloud provider policies in the UI
- BZ - 1411368 - Tag Visibility - Container builds should honor tag visibility
- BZ - 1411369 - [RFE] CAPABILITY_IAM error after IAM role assignment with amazon cloudFormation template
- BZ - 1411370 - Unexpected Error when attempting to run Compliance of Last Known Configuration
- BZ - 1411372 - [Ansible Tower] - Search bar missing when navigated to Config manager e.g. from Compute
- BZ - 1411373 - Service : Click on stack from service Page shows "Invalid Input"
- BZ - 1411433 - Cloud Instances List View Table missing cells/improper rendering
- BZ - 1411459 - Display parent tenant only when it is allowed by RBAC
- BZ - 1411461 - TimeLine accordion broken on Storage Managers summary page
- BZ - 1411463 - [Beta 1] OpenStack Cloud Topology View: Icons are different in the selection and the main body for Availability Zones:
- BZ - 1411466 - Allow adding custom attributes with sections
- BZ - 1411471 - [Beta 1] When graph is close to border, menu is not visible
- BZ - 1411473 - Expose miq_groups to Automate
- BZ - 1411478 - Metrics Collector Workers memory threshold displayed as 200MiB in the Web UI, however they exit at 500MiB threshold
- BZ - 1411507 - [RFE] better traceback for Ansible Tower API errors
- BZ - 1411509 - Can't save retirement date without notification
- BZ - 1411511 - Notifications - subject may not have tenant.
- BZ - 1411514 - "Show detailed events" checkbox of Timelines view removes main events from the timelines
- BZ - 1411516 - [negative] Deleting subnet connected to instance raise 'Unexpected error encountered '
- BZ - 1411517 - can't add cloud provider with the same name again
- BZ - 1411518 - Service catalog Item entry point dialog text is overcomplicated
- BZ - 1411519 - [RFE] Security Groups missing CRUD UI
- BZ - 1411791 - VM details cluster field vanish, after update VM to another cluster.
- BZ - 1411793 - Typo on Middleware JMS Topic chart(Messages) and legends are in mix of plural or singular form
- BZ - 1411797 - Throws an Unexpected error while comparing clusters
- BZ - 1411878 - appliance_console crash when running Logfile Configuration without setting up database first
- BZ - 1411880 - VM's owner can't access VMs if "Username" field contains uppercase letters
- BZ - 1411881 - policy events appear w/o information which entity those belong to in Timelines
- BZ - 1411882 - undefined method `[]' for nil:NilClass [dashboard/tl_generate] while accessing Cloud Intelligence->Timelines page
- BZ - 1411885 - Incorrect zoom out icon on C&U graphs
- BZ - 1411941 - [RFE] Chargebacks for SCVMM
- BZ - 1411973 - In the tree view subcategories should not be opened, because there is so big list then
- BZ - 1411975 - Missing flash message after Middleware "Add Datasource" operation and wizard not reset
- BZ - 1411982 - UI: Add new Cloud Volume must be disabled when there is no cloud provider present.
- BZ - 1412206 - Selecting a Group Causes UI to Spin Indefinitely
- BZ - 1412221 - Discrepancy in costs reported between daily and monthly Chargeback reports
- BZ - 1412279 - Database replication is failing for LVDC
- BZ - 1412280 - Manipulation of custom_custom attributes on provider class Provider fails
- BZ - 1412283 - Chargeback rates should also be available for "daily"
- BZ - 1412284 - VM console button superfluously warns it may fail
- BZ - 1412285 - $websocket_log level is not configurable
- BZ - 1412286 - 'Show Full screen report' option missing in Configuration button on Saved Reports page
- BZ - 1412287 - Relax email validation constraints
- BZ - 1412288 - Generate notification for VM Provisioning error in automate
- BZ - 1412289 - Generate notification for Service Provisioning error in automate
- BZ - 1412290 - Attach/detach for Cloud Volume fails with "unknown method get_checked_volume_id" error
- BZ - 1412291 - Namespace: Name uniqueness validation is not case-insensitive, like other Automate objects.
- BZ - 1412293 - SSUI: Hand pointer on service icon
- BZ - 1412312 - Refresh failed when adding an OSE provider
- BZ - 1412314 - Filters are sometimes saved with different name
- BZ - 1412315 - When saving filter sometimes errs Name has been taken even when there was no filter with same name
- BZ - 1412316 - Saving filter errs Search Name is required even when value is filled in
- BZ - 1412383 - [RFE] Add performance based reports for OSE/OCP providers
- BZ - 1412396 - Host Summary for VMs report failing
- BZ - 1412682 - Issue with fog-openstack 'update_quota.rb'
- BZ - 1412738 - Use proper name of column in tooltip in charts
- BZ - 1412740 - Add validation message for chart with values
- BZ - 1412825 - [RFE] google provider connection using http_proxy configured in CloudForms
- BZ - 1413086 - Incorrect tooltip message displayed on region diagnostics configuration button
- BZ - 1413103 - Service dialogs items(tabs/boxes/elements) can be saved even when it doesn't fulfill requirements
- BZ - 1413113 - Error in my settings after timeout
- BZ - 1413119 - Removing actions from VM Compliance Check event removes the event from the compliance policy
- BZ - 1413123 - Tenant admin can create a super admin
- BZ - 1413154 - Clarify the "dedicated database instance" prompt in the console
- BZ - 1413167 - Wrong zone set for appliances in global region
- BZ - 1413205 - In Dashboard view for infrastructure, Recent hosts and Recent VMs are not filtered by provider
- BZ - 1413207 - Error in changing the RSA Key of an OpenStack Director provider
- BZ - 1413210 - SSH RSA key validation fails with error for OpenStack Infra Provider
- BZ - 1413212 - [RFE] Routers do not allow you to add/remove interfaces
- BZ - 1413621 - Check compliance of last known configuration crash
- BZ - 1413677 - Network Router provisioning must call and use raw create method
- BZ - 1413695 - [beta1] Openstack attach volume should only list available volumes in the drop down
- BZ - 1413769 - The counter ae_state_retries is not incremented if $evm.root['ae_result'] = 'retry' is set in a state machine on_exit method
- BZ - 1414012 - Provider under catalog item visible for a user who don't to have a permission for viewing a provider
- BZ - 1414013 - [RFE] - Expose mechanism in AUTOMATE allowing coder to indicate that the automate retry should be targeted to the same machine initiating the retry
- BZ - 1414014 - A tag control element in a dialog called from a button is not passed to the button method
- BZ - 1414015 - "abandon changes" dialog appears on attempt to open another location via menu from timelines page
- BZ - 1414550 - "Delete" was removed from Power Action in VM Details Menu
- BZ - 1414583 - SSUI lets you save a retirement date from the past
- BZ - 1414848 - The chargeback report gives wrong information
- BZ - 1414870 - Created filters in Virtual Machines are not displayed in the tree until the page is refreshed
- BZ - 1414872 - Adding filter in Datastore Clusters results in missing tree view
- BZ - 1414876 - Created filters in datastores are not displayed until the page is refreshed
- BZ - 1414882 - podfying cfme: please add "less" command to initial application deployment
- BZ - 1414884 - net-tools RPM not available on CFME containers (podified or monolithic)
- BZ - 1414885 - OpenStack VM Console returns with an argument error
- BZ - 1414886 - Central Admin - Impossible to distinguish Customize Templates
- BZ - 1414887 - Suspending role in diagnostics Error caught: [ActiveRecord::RecordNotFound] Couldn't find MiqServer with 'id'=0
- BZ - 1414888 - No flash message when importing custom report
- BZ - 1414889 - Broken string in Title
- BZ - 1414891 - Containers SmartState analysis not working for images from unknown image registry,
- BZ - 1415217 - Tenant admin can create groups for other tenants
- BZ - 1415247 - Target refresh of VM does not update host
- BZ - 1415248 - Missing memory unit on Cluster Utilization graphs on provider dashboard view
- BZ - 1415332 - A critical section read of the worker's heartbeat information was not protected with a mutex
- BZ - 1415333 - Ec2 events are not associated to vms
- BZ - 1415754 - SSUI: Unable to save a blank retirement date to remove previously saved retirement date
- BZ - 1415755 - podfying cfme: clean-up evm.log in the cfme pod
- BZ - 1415756 - [Azure LB] - broken table in List view
- BZ - 1416001 - [FloatDomainError]: Infinity Method in Chargebacks for SCVMM
- BZ - 1416077 - Live migration to different cluster doesn't work for RHV
- BZ - 1416093 - Same value gets repeated multiple times on Y-axis of C&U graphs
- BZ - 1416821 - VHD image for AWS mounts database drive as /mnt
- BZ - 1416826 - VMware EMS Refresh fails with "block (2 levels) in getMoPropMulti' error
- BZ - 1417197 - New fields (e.g. tags, custom attributes) do not appear in Report Editor
- BZ - 1417974 - refresh of OCP 3.2 crashes with permission error in recovery
- BZ - 1418400 - Impossible to assign an alert profile
- BZ - 1418749 - authentication_key exposure missing from EMS service model in 4.2GA
- BZ - 1418846 - Discrepancy in resource usage reported between daily, weekly, monthly Chargeback reports
- BZ - 1419186 - [Regression]Error generating Chargeback reports
- BZ - 1419680 - Container Provider: Image Registries are not collected from Images originating from Openshift
- BZ - 1419738 - SSUI: Clicking on the 'Total Requests' link on SSUI Dashboard doesn't take you to the Requests page
- BZ - 1420555 - Service dialog dropdown differs from what is processed by service request
- BZ - 1420888 - [RHV] VM provision->Environment-> host list decreases, after 1 or more Vm provision
- BZ - 1420916 - Refresh of infrastructure provider fails with bad request with OSP director as provider
- BZ - 1420917 - Refresh of OSP10 OpenStack/Director undercloud failing
- BZ - 1422178 - Adding disk to a VM in RHV provider, via VM reconfigure, does not activate it
- BZ - 1422241 - Utilization data for OSP cloud instances does not show up
- BZ - 1423031 - VMware : Failure in snapshot revert
- BZ - 1423033 - Timeline's minus button is corrupted in IE11
- BZ - 1424260 - BootstrapTreeview loses the focus after creating or deleting Container Policies
- BZ - 1424275 - UI: "Check Box" label is not aligned properly.
- BZ - 1424977 - CVE-2017-2632 cfme: tenant administrator can create a group with higher permissions
Red Hat CloudForms 4.2

| Package | Checksum |
|---|---|
| SRPM | |
| cfme-5.7.1.3-1.el7cf.src.rpm | SHA-256: a3abc415fed150d8f5e110947ae34e38a5dadf84aec8076613772646c7f988b8 |
| cfme-appliance-5.7.1.3-1.el7cf.src.rpm | SHA-256: 31bd11bd05cc9b06776dd47a91933c42e436d39239b05fc4e61a68fb95a03056 |
| cfme-gemset-5.7.1.3-1.el7cf.src.rpm | SHA-256: 08ef16de9362972f1c187056e1d9c4471c9d406f5a25908217852b1b51569563 |
| x86_64 | |
| cfme-5.7.1.3-1.el7cf.x86_64.rpm | SHA-256: 63c18d9367a406c17fa75032ccc5d7737e7d8e0661b8829f88f3af9f1b843d76 |
| cfme-appliance-5.7.1.3-1.el7cf.x86_64.rpm | SHA-256: 1433f1940c0dadb0a969e70aeb280296a259f0a26c539f96375e9ce0a7abaec9 |
| cfme-appliance-debuginfo-5.7.1.3-1.el7cf.x86_64.rpm | SHA-256: 17a77292b8f35ab0a0e0925ff83b9eec1e0aba7a136e03fee38644616ef17389 |
| cfme-debuginfo-5.7.1.3-1.el7cf.x86_64.rpm | SHA-256: 6bd4de9a249ea131c225ebfa2752cb0f89f2ac517452cdaf41fb5955b8e521ae |
| cfme-gemset-5.7.1.3-1.el7cf.x86_64.rpm | SHA-256: 5515662a5e6a132ae53f2562cde44d65ea50bdc58a865cbcbd55a944a6d8c144 |
The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.