Red Hat Product Errata RHSA-2017:1601 - Security Advisory
Issued:
2017-06-28
Updated:
2017-06-28

RHSA-2017:1601 - Security Advisory


Synopsis

Important: CFME 5.7.3 security, bug fix and enhancement update

Type/Severity

Security Advisory: Important


Topic

Updates for cfme, cfme-appliance, cfme-gemset,
rh-ruby23-rubygem-nokogiri, and rh-ruby23-rubygem-ovirt-engine-sdk4 are now
available for CloudForms Management Engine 5.7.

Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.

Description

Red Hat CloudForms Management Engine delivers the insight, control, and automation needed to address the challenges of managing virtual environments. CloudForms Management Engine is built on Ruby on Rails, a model-view-controller (MVC) framework for web application development. Action Pack implements the controller and the view components.

rh-ruby23-rubygem-nokogiri provides Nokogiri, which is an HTML, XML, SAX,
and Reader parser. Among Nokogiri's many features is the ability to search
documents using XPath or CSS3 selectors.

rh-ruby23-rubygem-ovirt-engine-sdk4 provides the Ruby SDK for the oVirt
Engine API.

The following packages have been upgraded to a later upstream version: cfme
(5.7.3.2), cfme-gemset (5.7.3.2), rh-ruby23-rubygem-nokogiri (1.7.2), cfme-appliance (5.7.3.2), rh-ruby23-rubygem-ovirt-engine-sdk4 (4.1.5). (BZ#1442774, BZ#1459319)

This update also fixes several bugs and adds various enhancements. Documentation for these changes is available from the Technical Notes document linked to in the References section.

Security Fix(es):

  • CloudForms includes a default SSL/TLS certificate for the web server. This certificate is replaced at install time. However, if an attacker were able to man-in-the-middle an administrator while installing the new certificate, the attacker could get a copy of the uploaded private key, allowing for future attacks. (CVE-2016-4457)

  • The dialog for creating cloud volumes (cinder provider) in CloudForms does not filter cloud tenants by user. An attacker with the ability to create storage volumes could use this to create storage volumes for any other tenant. (CVE-2017-7497)

  • A flaw was found in the CloudForms API. A user with permissions to use the MiqReportResults capability within the API could potentially view data from other tenants or groups to which they should not have access. (CVE-2016-7047)

The CVE-2016-4457 and CVE-2016-7047 issues were discovered by Simon Lukasik
(Red Hat) and the CVE-2017-7497 issue was discovered by Gellert Kis (Red
Hat).
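CVE-2017-7497 and CVE-2016-7047 are the same class of mistake: a listing or lookup that ignores which tenant or group the requester belongs to. The following Ruby example is added here to illustrate that pattern and its fix; it is not CloudForms or ManageIQ code, and every class, method name and sample record in it is constructed for the illustration. It shows the unscoped version of each lookup beside a version scoped to the requester, and also enforces the check server-side on submit, since filtering a dialog alone does not stop a client from posting an arbitrary tenant id.

```ruby
# Added example (not CloudForms/ManageIQ code). Demonstrates the
# authorization mistake behind CVE-2017-7497 (cloud tenant selection not
# filtered by user) and CVE-2016-7047 (report results readable across
# groups), and the scoped versions that close it. All names and records
# below are constructed.

Tenant       = Struct.new(:id, :name)
User         = Struct.new(:id, :name, :tenant_id, :group_id)
ReportResult = Struct.new(:id, :group_id, :payload)

# Constructed sample data: two tenants, one user in each, one report
# result owned by each user's group.
TENANTS = [Tenant.new(1, 'tenant-a'), Tenant.new(2, 'tenant-b')].freeze
USERS   = [User.new(10, 'alice', 1, 100), User.new(20, 'bob', 2, 200)].freeze
RESULTS = [ReportResult.new(500, 100, 'A-only'),
           ReportResult.new(501, 200, 'B-only')].freeze

# Unscoped (the pre-fix behaviour the advisory describes): the volume
# dialog offers every cloud tenant no matter who is asking.
def tenants_for_volume_dialog_unscoped(_user)
  TENANTS
end

# Scoped: only tenants the requester may act in. In this constructed model
# a user belongs to exactly one tenant.
def tenants_for_volume_dialog(user)
  TENANTS.select { |t| t.id == user.tenant_id }
end

class NotAuthorized < StandardError; end

# Server-side enforcement on submit. The tenant id arrives from the client
# and must be re-checked against the same scope used to build the dialog.
def create_volume(user, requested_tenant_id)
  allowed = tenants_for_volume_dialog(user).map(&:id)
  unless allowed.include?(requested_tenant_id)
    raise NotAuthorized, "tenant #{requested_tenant_id} not permitted for #{user.name}"
  end
  { tenant_id: requested_tenant_id, owner: user.name }
end

# Unscoped report lookup: any id resolves, so another group's data leaks.
def report_result_unscoped(_user, id)
  RESULTS.find { |r| r.id == id }
end

# Scoped report lookup: the id must also belong to the requester's group.
# Returning nil (a 404-style answer) avoids confirming the record exists.
def report_result(user, id)
  RESULTS.find { |r| r.id == id && r.group_id == user.group_id }
end
```

The scoping predicate is deliberately the same object in both the dialog and the submit path, so the two cannot drift apart; that is the property to look for when reviewing a fix of this kind.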

Solution

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/11258

Affected Products

  • Red Hat CloudForms 4.2 x86_64

Fixes

  • BZ - 1322396 - [RFE] Allow for deletion of group when users belong to another group
  • BZ - 1341308 - CVE-2016-4457 CFME: default certificate used across all installs
  • BZ - 1350340 - Downloading the job templates of Ansible tower displays wrong data
  • BZ - 1374215 - CVE-2016-7047 cfme: API leaks any MiqReportResult
  • BZ - 1402992 - VM snapshot: revert option is enabled, for Active VM
  • BZ - 1403358 - Add Provider->Type "RHEVM" should change to "RHV"
  • BZ - 1414869 - VMRC is not working if IE compatibility mode is disabled
  • BZ - 1419604 - [AnsibleTowerClient::ConnectionError]: Your license does not allow adding surveys
  • BZ - 1428944 - Vulnerable JQuery Version
  • BZ - 1430468 - Parent tenant displayed in list view when allowed by RBAC
  • BZ - 1434152 - [RFE] Support for custom Amazon Regions in Provider
  • BZ - 1434952 - delete action in /api/orchestration_templates results in error
  • BZ - 1436074 - Back/Cancel button is missing on host drift comparison page
  • BZ - 1436222 - The option of VM migration to the same host it is already running on is possible
  • BZ - 1436226 - Persistent volume relationship link broken
  • BZ - 1436228 - When the same action is used twice for a policy, action icons are inconsistent
  • BZ - 1436232 - WebUI - Web Console button is enabled for archived vm's
  • BZ - 1436233 - Container Provider - Capacity & Utilization: The page you were looking for doesn't exist
  • BZ - 1436236 - Can't add provider specific catalog items to global region
  • BZ - 1436237 - Event filter For Openstack::InfraManager
  • BZ - 1436756 - when editing an existing user the field "Full Name" has the value of the field "Username"
  • BZ - 1437146 - Policy conditions based on 'VM and Instance.vLANs' field not working
  • BZ - 1437148 - [AWS][SDN] - Cannot edit or create Cloud networks/subnets
  • BZ - 1437595 - Datepicker freezes after the first run of the "C & U Gap Collection".
  • BZ - 1437909 - "Save" and "Reset" buttons are absent when adding log collection configuration
  • BZ - 1437912 - Edit log collection menu has no spinner
  • BZ - 1437925 - Policy to prevent a host scan request did not work
  • BZ - 1438094 - [Regression] Azure provider refresh fails
  • BZ - 1438866 - [VMWARE]Auto_placement provision fails due to selecting Host in Maintenance state
  • BZ - 1439291 - Azure metrics collection failing with "MonitoringServiceException"
  • BZ - 1439314 - service dialog can be submitted before entry point code on dynamic fields has completed execution
  • BZ - 1439319 - SUI : Cockpit icon tooltip gets in the way of button click
  • BZ - 1439789 - [RFE] Allow for template network interface type to be overwritten during a provision
  • BZ - 1439945 - Vmware infra provider refresh fail
  • BZ - 1440399 - UI: Hover text is overlapped by navigation menu on Topology
  • BZ - 1440400 - UI: Hover text associated for button is not shown properly on Infrastructure Topology page.
  • BZ - 1440401 - Unable to save automation task schedule using eastern time zone
  • BZ - 1440402 - Policy to prevent a VM retire request did not work
  • BZ - 1440701 - [RBAC] - Spinner when creating new role
  • BZ - 1441199 - Error '[NoMethodError]: undefined method `base_model' for NilClass:Class' generating chargeback for container images report
  • BZ - 1441202 - OpenShift Refresh duration exceeds default two hour timeout and grows > 8GB never fully completing
  • BZ - 1441204 - Message timeout of 600 seconds does not allow perf_capture_timer to finish
  • BZ - 1441251 - Unexpected error while executing a custom button
  • BZ - 1441272 - queue_name_for_metrics_collection raises an exception when ems is nil
  • BZ - 1441293 - Tag Visibility | Error: undefined method `base_class' for NilClass:Class on selecting container image on containers page
  • BZ - 1441331 - appliance_console doesn't ask for database disk while setting secondary DB appliance
  • BZ - 1441401 - Enable Central Admin UI has code artifact
  • BZ - 1441648 - methods not sorted in frame on right side in automate
  • BZ - 1441727 - Smartstate Analysis Error Unable to mount filesystem Unable to determine port used by VixDiskLib VMware
  • BZ - 1441742 - When moving AWS provider from one zone to another Network Manager info no longer updates
  • BZ - 1441752 - null result when deleting orchestration templates using REST API
  • BZ - 1441754 - Get IP address automation code not working Azure
  • BZ - 1441855 - OpenShift provider event storm POD_FAILEDSYNC
  • BZ - 1442105 - UI: Topology - unable to confirm search by pressing the Return key, reacts only to a mouse click
  • BZ - 1442156 - [SDN] - Disable CRUD actions for Azure/Amazon Network providers
  • BZ - 1442164 - OSP refresh fail with Validation failed: Name can't be blank
  • BZ - 1442169 - When using dynamic drop downs, sorting of items doesn't work in self service portal.
  • BZ - 1442177 - EC2 provision dialogs do not support selecting multiple IPs for multi provision
  • BZ - 1442764 - OpenStack refresh fail with nil:NilClass
  • BZ - 1442769 - Rhev inventory refresh fails after rhev upgrade from 3.6 to 4.0
  • BZ - 1442774 - Update oVirt SDK to version 4.1.z
  • BZ - 1442865 - Automate import does not update display_name and description attributes in Namespace objects
  • BZ - 1442877 - cloud_init re-runs on appliance reboot, static networking configuration lost
  • BZ - 1443246 - Clicking on Group or Role name link/icon in the user's details page does nothing
  • BZ - 1443248 - Using REST API - encountering "NoMethodError: undefined method `key?' for #<Array..."
  • BZ - 1443563 - NoMethodError Nil actioncable / pubsub_adapter
  • BZ - 1443572 - the amazon best fit method sometimes attempts to select networks that aren't available to the region in use
  • BZ - 1443580 - After saving default filter in datastores and clearing it infinispinner
  • BZ - 1443697 - Full refresh of second VMware provider isn't automatically started after it is added
  • BZ - 1443799 - Containers may get (ems_id and old_ems_id) == nil
  • BZ - 1444037 - UI: List views forget checked items when resorted by clicking on a column header.
  • BZ - 1444041 - Chargeback for container images report editor filter tab produces an error if there are too many images in the database
  • BZ - 1444052 - Chargeback report generation keeps whole openshift env in the memory (even after it finishes)
  • BZ - 1444062 - Self Service UI does not properly select defaults for dynamic drop downs
  • BZ - 1444178 - [SDN][Azure] - Edit Tags button clickable after Net provider refresh without selected provider
  • BZ - 1444182 - Sorting configuration providers by url throws "undefinedColumn: ERROR: column providers.url does not exist"
  • BZ - 1444214 - Ensure managers change zone and provider region with cloud manager (OpenStack)
  • BZ - 1444220 - Ensure managers change zone and provider region with cloud manager (Google)
  • BZ - 1444486 - Policy Simulation results tree nodes are not properly escaped
  • BZ - 1444494 - Expose container projects and template parms in service model
  • BZ - 1444875 - [SDN][EC2] - singular in downloaded files and subjects
  • BZ - 1445318 - [RFE] CFME 4.1 EMS Refresh should be targeted for folder create, as opposed to a full EMS Refresh
  • BZ - 1445356 - [RFE] Edit action is not supported for VMS resources.
  • BZ - 1445383 - After reintroducing a failed primary node, there are old replication slots left on the "new" node
  • BZ - 1445806 - Getting undefined method `get_folder_paths' after applying RHSA-2017:0898
  • BZ - 1445901 - Error in re-configuring service: "Error during 'Provisioning': undefined method `match' for 0:Fixnum Did you mean? catch"
  • BZ - 1445902 - [NoMethodError]: undefined method `merge!' for nil:NilClass encountered for OpenShift full refresh
  • BZ - 1446305 - Reintroducing a standby node that has already been reintroduced causes failure
  • BZ - 1446773 - Change Cluster/Deployment Roles to Resource Pools on cluster summary page
  • BZ - 1446787 - Month selection arrows for C&U Gap collection are hidden in the UI
  • BZ - 1446791 - incorrect href attribute values for Foreman providers
  • BZ - 1447091 - Service Catalogs: Dialogs are hanging and keeps buffering
  • BZ - 1448046 - UI lag due to more than 3650 messages in notification
  • BZ - 1448073 - [vSphere] UI-RBAC: undefined method `all' for nil:NilClass error appears while setting ownership for template
  • BZ - 1448140 - IPv6 addresses not selectable field for reports
  • BZ - 1448142 - IPv6 addresses not rendered on details page
  • BZ - 1448148 - Containers - old archived container entities are not purged
  • BZ - 1448418 - Default dynamic text boxes should be blank
  • BZ - 1448421 - Default value of dynamic dropdown list not honored CloudForms 4.2
  • BZ - 1448530 - [RFE] ReFS FileSystem Support
  • BZ - 1448538 - redhat_CustomizeRequest Provisioning Type: does not match, skipping processing
  • BZ - 1448870 - [Regression] storage.perf_capture ERROR
  • BZ - 1448872 - vmware_CustomizeRequest Provisioning Type: ManageIQ::Providers::Vmware::InfraManager::Provision does not match, skipping processing
  • BZ - 1449389 - It is impossible to identify the source process/appliance for each connection in pg_stat_activity
  • BZ - 1449392 - Benchmark timings are incorrect for all workers in evm.log
  • BZ - 1449394 - Action button for verifying replication subscriptions on the far right is too small
  • BZ - 1449396 - In my settings page at login Configuration management shouldn't be in Infrastructure
  • BZ - 1449397 - error when creating a group + setting the tag in create
  • BZ - 1449398 - Chargeback Report VM identification (UUID)
  • BZ - 1449403 - GCE Boot Disk Size options should be sorted by actual size
  • BZ - 1449753 - retirement runs in any zone as of 5.7.1
  • BZ - 1450084 - Failed to remove interface from router
  • BZ - 1450086 - Network Topology does not show Cloud Routers
  • BZ - 1450088 - Cloud Router Summary does not show subnets which connected it
  • BZ - 1450150 - CFME: Dialog for creating cloud volumes does not filter cloud tenants CVE-2017-7497
  • BZ - 1450217 - The credentials for Automate Git Repository wasn't updating the correct authentications type
  • BZ - 1450421 - service dialog dynamic code works in admin portal but not in self-service portal
  • BZ - 1450508 - Create the .pgpass and print required conf for standby on primary database servers
  • BZ - 1450511 - [RFE] Make the process of reintroducing a failed HA node more user-friendly
  • BZ - 1450512 - In new db master node, pg_xlog directory got fulled
  • BZ - 1450514 - SSA Fails in Windows workloads but not in Linux ones on OSP9
  • BZ - 1450519 - Openstack services missing on node page
  • BZ - 1450525 - Cannot select placement for Cloud Volumes (openstack cinder storage provider) and these volumes are created in different tenants during provisioning of the instance.
  • BZ - 1450526 - MiqVimBrokerWorker exceeding memory after upgrading from 5.6 -> 5.7
  • BZ - 1451396 - CFME 5.7.2.1 does not support group/tag access restrictions for performance reports
  • BZ - 1451827 - Existing or Newly created service added to parent service via REST API or from automation is not visible in UI
  • BZ - 1452172 - When adding Disk with reconfiguration on vmware, after 16th Disk, a new controller is created hardcoded to Parallel Type
  • BZ - 1452227 - [RFE] Azure managed images not discovered
  • BZ - 1452350 - customers unable to access CFME thru UI due to chronic unpredictable termination of httpd service
  • BZ - 1452363 - Raw methods exposed for Cloud Tenant instead of non-raw
  • BZ - 1452383 - Calendar control on Cluster Utilization page gets clipped
  • BZ - 1452764 - reports do not distinguish between same name custom attributes with different sections
  • BZ - 1452824 - [Microsoft]Auto_placement provision fails due to selecting Host in Maintenance state
  • BZ - 1454383 - Unable to collect inventory for 40,000 container images, results in kubeclient timeout
  • BZ - 1454442 - Tag Information Not Displayed on Catalog Items
  • BZ - 1454443 - Resetting planning results in flash msg twice
  • BZ - 1454446 - Containers with empty "imageID" field points to wrong images
  • BZ - 1454618 - Forbidden Error when creating a cloud network
  • BZ - 1455302 - Can not get kernel version from reports
  • BZ - 1455600 - For OSP10 provider, Cinder volume creation is never finishing on the UI
  • BZ - 1455670 - Service catalog service dialog refresh function in cf 4.2 behaves differently from cf 4.0
  • BZ - 1455686 - Azure provision still needs First/Last name
  • BZ - 1455933 - incorrect href keys for service and automation requests accessed through /api/requests
  • BZ - 1456021 - Cloudforms causes a Token Storm on OSP10 overcloud
  • BZ - 1457911 - Schedule Time value is reset during editing provisioning request
  • BZ - 1457924 - Remove policy checking for request_host_vmotion_enabled event
  • BZ - 1458810 - Failed while launching imported report based on Chargeback for Projects via REST API.
  • BZ - 1458811 - Archived container entities are not destroyed when the provider is deleted
  • BZ - 1459180 - Cannot filter report with custom attributes
  • BZ - 1459307 - Retirement - log the zone when raising a retirement event.
  • BZ - 1459319 - Azure refresh results in timeout errors
  • BZ - 1459563 - Incorrect storage used in Chargeback reports
  • BZ - 1460979 - Tag Visibility | Access Control: All users, groups, and tenants are visible for restricted user
  • BZ - 1461170 - Valid SCVMM file share not showing up as datastore on host.
  • BZ - 1461540 - ManageIQ icon on SUI order page
  • BZ - 1461886 - Allow identify replicated interfaces on HA environments
  • BZ - 1463669 - Missing Memory graphs on Azure Availability zone Utilization page for daily interval

CVEs

  • CVE-2016-4457
  • CVE-2016-7047
  • CVE-2017-7497

References

  • https://access.redhat.com/security/updates/classification/#important
Note: More recent versions of these packages may be available.

Red Hat CloudForms 4.2

SRPM
cfme-5.7.3.2-1.el7cf.src.rpm SHA-256: 580753c8550d6265661b34ecd01c69fa25b5d1d42cd15a03bb600d6eb6b78a3e
cfme-appliance-5.7.3.2-1.el7cf.src.rpm SHA-256: a296b0bfe392d64fb7e74c1546239dd2492e3f9f32f16ad6a5646f7316ea1a7e
cfme-gemset-5.7.3.2-1.el7cf.src.rpm SHA-256: f0900aee830160e78d456c7c108b5af9ff4e4548df82c41d706ab98ecf4afcee
rh-ruby23-rubygem-nokogiri-1.7.2-1.el7cf.src.rpm SHA-256: 89235c71bb3fd40e2eba23fd07f6c83827a7df1dd0c7031c14e70651ac9edaf9
rh-ruby23-rubygem-ovirt-engine-sdk4-4.1.5-1.el7cf.src.rpm SHA-256: 2f30bbaf30970ee8baf0862f433cb375677b54c2593c857bb39a414267a55c01
x86_64
cfme-5.7.3.2-1.el7cf.x86_64.rpm SHA-256: eb1299b5ef3f9e2dc3b47e68304956dae94dbf852df2c9536ce87f04a4b7af51
cfme-appliance-5.7.3.2-1.el7cf.x86_64.rpm SHA-256: 2c40744170d3b2b28bf27584d898925f3869ead2a4683addd46685b1e1f21398
cfme-appliance-debuginfo-5.7.3.2-1.el7cf.x86_64.rpm SHA-256: b99aa58fee2d0d60b16dabf988ec3e67a8229753d5ebd31cbf456dbbdb5067be
cfme-debuginfo-5.7.3.2-1.el7cf.x86_64.rpm SHA-256: 12fdc9cfc36057fd586e4d8bf0c4dbe500087cc69cce6e8f47df7ba9d069c4f8
cfme-gemset-5.7.3.2-1.el7cf.x86_64.rpm SHA-256: b19abb98504df6b5a5b3252a08b81ebd59275195fb7d9d92feffaf9861090a7e
rh-ruby23-rubygem-nokogiri-1.7.2-1.el7cf.x86_64.rpm SHA-256: 7725b15b2d7af04760e2ecb96ded32b4816766a7ebea26a52b562f721e586fb0
rh-ruby23-rubygem-nokogiri-debuginfo-1.7.2-1.el7cf.x86_64.rpm SHA-256: 6f2b19776321e3f31d7e529055de9ae7e7d0469c84025332cb4e32f8a8aea497
rh-ruby23-rubygem-nokogiri-doc-1.7.2-1.el7cf.x86_64.rpm SHA-256: 230066185e7487130cdf22aaac1ff29ebe1fd23ba71890a0dbefc62baf9d7b26
rh-ruby23-rubygem-ovirt-engine-sdk4-4.1.5-1.el7cf.x86_64.rpm SHA-256: 10cd300a0c53be0a068191aad897f57ba2c39a20cf633c740349c4c5fcf36d2e
rh-ruby23-rubygem-ovirt-engine-sdk4-debuginfo-4.1.5-1.el7cf.x86_64.rpm SHA-256: f2c00213e3415a78f6e96d4893639a6d9a25290eff3a5d83f0062b54a132b862
rh-ruby23-rubygem-ovirt-engine-sdk4-doc-4.1.5-1.el7cf.noarch.rpm SHA-256: f6e77ec9cc69beceda5479375425fe5a4573fc33832a22608548e2e4e5850111
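The SHA-256 values above let an administrator confirm that a downloaded package is byte-for-byte the one this advisory lists before installing it. The Ruby example below is added here to show that check; it is not Red Hat tooling. It parses lines in the `<filename> SHA-256: <hex>` form used by the table, hashes each named file in a directory, and reports per file whether it matches, differs, or is absent. The sample files it writes to a temporary directory are constructed and are not real RPMs.

```ruby
# Added example (not Red Hat tooling): verify downloaded packages against
# the SHA-256 values published in an advisory package table. The table
# format assumed is the one shown on this page:
#   <filename> SHA-256: <64 hex characters>
# Section headers such as "SRPM" or "x86_64" do not match and are skipped.
require 'digest'
require 'tmpdir'

# Parse the table text into { filename => expected_hex (lowercase) }.
def parse_checksum_table(text)
  text.each_line.with_object({}) do |line, table|
    m = line.match(/\A\s*(\S+)\s+SHA-256:\s*([0-9a-fA-F]{64})\s*\z/)
    table[m[1]] = m[2].downcase if m
  end
end

# Hash each listed file found in `dir` and compare with the expected value.
# Returns { filename => :ok | :mismatch | :missing }. A :mismatch means the
# file must not be installed; :missing means it was not downloaded.
def verify_packages(table, dir)
  table.each_with_object({}) do |(name, expected), report|
    path = File.join(dir, name)
    report[name] = if !File.file?(path)
                     :missing
                   elsif Digest::SHA256.file(path).hexdigest == expected
                     :ok
                   else
                     :mismatch
                   end
  end
end

# Self-contained demonstration on constructed data: one file that matches
# its listed checksum, one whose contents were altered after the checksum
# was published, and one that was never downloaded.
def demo
  Dir.mktmpdir do |dir|
    good = "constructed package payload\n"
    File.write(File.join(dir, 'good-1.0.rpm'), good)
    File.write(File.join(dir, 'bad-1.0.rpm'), "tampered payload\n")
    table_text = <<~TABLE
      x86_64
      good-1.0.rpm SHA-256: #{Digest::SHA256.hexdigest(good)}
      bad-1.0.rpm SHA-256: #{Digest::SHA256.hexdigest(good)}
      absent-1.0.rpm SHA-256: #{'0' * 64}
    TABLE
    verify_packages(parse_checksum_table(table_text), dir)
  end
end

puts demo if $PROGRAM_NAME == __FILE__
```

A matching checksum shows the download is the artefact the advisory describes; it does not by itself prove who produced it. Authenticity comes from the RPM GPG signature check (`rpm -K`) against the Red Hat signing key, which is the other half of the pre-install verification.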

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.
