Synopsis

Important: CFME 5.7.3 security, bug fix and enhancement update

Type/Severity

Security Advisory: Important

Topic

Updates for cfme, cfme-appliance, cfme-gemset,
rh-ruby23-rubygem-nokogiri, and rh-ruby23-rubygem-ovirt-engine-sdk4 are now
available for CloudForms Management Engine 5.7.

Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.

Description

Red Hat CloudForms Management Engine delivers the insight, control, and automation needed to address the challenges of managing virtual environments. CloudForms Management Engine is built on Ruby on Rails, a model-view-controller (MVC) framework for web application development. Action Pack implements the controller and the view components.

rh-ruby23-rubygem-nokogiri provides Nokogiri, which is an HTML, XML, SAX,
and Reader parser. Among Nokogiri's many features is the ability to search
documents using XPath or CSS3 selectors.

rh-ruby23-rubygem-ovirt-engine-sdk4 provides the ruby SDK for the oVirt
Engine API.

The following packages have been upgraded to a later upstream version: cfme
(5.7.3.2), cfme-gemset (5.7.3.2), rh-ruby23-rubygem-nokogiri (1.7.2), cfme-appliance (5.7.3.2), rh-ruby23-rubygem-ovirt-engine-sdk4 (4.1.5). (BZ#1442774, BZ#1459319)

This update also fixes several bugs and adds various enhancements. Documentation for these changes is available from the Technical Notes document linked to in the References section.

Security Fix(es):

• CloudForms includes a default SSL/TLS certificate for the web server.
  This certificate is replaced at install time. However if an attacker were
  able to man-in-the-middle an administrator while installing the new
  certificate, the attacker could get a copy of the uploaded private key allowing for future attacks. (CVE-2016-4457)
  
• The dialog for creating cloud volumes (cinder provider) in CloudForms
  does not filter cloud tenants by user. An attacker with the ability to
  create storage volumes could use this to create storage volumes for any other tenant. (CVE-2017-7497)
  
• A flaw was found in the CloudForms API. A user with permissions to use
  the MiqReportResults capability within the API could potentially view data
  from other tenants or groups to which they should not have access.
  (CVE-2016-7047)
  

The CVE-2016-4457 and CVE-2016-7047 issues were discovered by Simon Lukasik
(Red Hat) and the CVE-2017-7497 issue was discovered by Gellert Kis (Red
Hat).

Solution

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/11258

Affected Products

• Red Hat CloudForms 4.2 x86_64

Fixes

• BZ - 1322396 - [RFE] Allow for deletion of group when users belong to another group
• BZ - 1341308 - CVE-2016-4457 CFME: default certificate used across all installs
• BZ - 1350340 - Downloading the job templates of Anisble tower displays wrong data
• BZ - 1402992 - VM snapshot: revert option is enabled, for Active VM
• BZ - 1403358 - Add Provider->Type "RHEVM" should change to "RHV"
• BZ - 1414869 - VMRC is not working if IE compatibility mode is disabled
• BZ - 1419604 - [AnsibleTowerClient::ConnectionError]: Your license does not allow adding surveys
• BZ - 1428944 - Vulnerable JQuery Version
• BZ - 1430468 - Parent tenant displayed in list view when allowed by RBAC
• BZ - 1434152 - [RFE] Support for custom Amazon Regions in Provider
• BZ - 1434952 - delete action in /api/orchestration_templates results in error
• BZ - 1436074 - Back/Cancel buttton is missing on host drift comparison page
• BZ - 1436222 - The option of VM migration to the same host it is already running on is possible
• BZ - 1436226 - Persistent volume relationship link broken
• BZ - 1436228 - When the same action is used twice for a policy, action icons are inconsistent
• BZ - 1436232 - WebUI - Web Console button is enabled for archived vm's
• BZ - 1436233 - Container Provider - Capacity & Utilization: The page you were looking for doesn't exist
• BZ - 1436236 - Can't add provider specific catalog items to global region
• BZ - 1436237 - Event filter For Openstack::InfraManager
• BZ - 1436756 - when editing an existing user the field "Full Name" has the value of the field "Username"
• BZ - 1437146 - Policy conditions based on 'VM and Instance.vLANs' field not working
• BZ - 1437148 - [AWS][SDN] - Cannot edit or create Cloud networks/subnets
• BZ - 1437595 - Datepicker freezes after the first run of the "C & U Gap Collection".
• BZ - 1437909 - "Save" and "Reset" buttons are absent when adding log collection configuration
• BZ - 1437912 - Edit log collection menu has no spinner
• BZ - 1437925 - Policy to prevent a host scan request did not work
• BZ - 1438094 - [Regression] Azure provider refresh fails
• BZ - 1438866 - [VMWARE]Auto_placement provision fails due to selecting Host in Maintenance state
• BZ - 1439291 - Azure metrics collection failing with "MonitoringServiceException"
• BZ - 1439314 - service dialog can be submitted before entry point code on dynamic fields has completed execution
• BZ - 1439319 - SUI : Cockpit icon tooltip gets in the way of button click
• BZ - 1439789 - [RFE] Allow for template network interface type to be overwritten during a provision
• BZ - 1439945 - Vmware infra provider refresh fail
• BZ - 1440399 - UI: Hover text is overlapped by navigation menu on Topology
• BZ - 1440400 - UI: Hover text associated for button is not shown properly on Infrastructure Topology page.
• BZ - 1440401 - Unable to save automation task schedule using eastern time zone
• BZ - 1440402 - Policy to prevent a VM retire request did not work
• BZ - 1440701 - [RBAC] - Spinner when creating new role
• BZ - 1441199 - Error '[NoMethodError]: undefined method `base_model' for NilClass:Class' generating chargeback for container images report
• BZ - 1441202 - OpenShift Refresh duration exceeds default two hour timeout and grows > 8GB never fully completing
• BZ - 1441204 - Message timeout of 600 seconds does not allow perf_capture_timer to finish
• BZ - 1441251 - Unexpected error while executing a custom button
• BZ - 1441272 - queue_name_for_metrics_collection raises an exception when ems is nil
• BZ - 1441293 - Tag Visibility | Error: undefined method `base_class' for NilClass:Class on selecting container image on containers page
• BZ - 1441331 - appliance_console doesn't ask for database disk while setting secondy DB appliance
• BZ - 1441401 - Enable Central Admin UI has code artifact
• BZ - 1441648 - methods not sorted in frame on right side in automate
• BZ - 1441727 - Smartstate Analysis Error Unable to mount filesystem Unable to determine port used by VixDiskLib VMware
• BZ - 1441742 - When moving AWS provider from one zone to another Network Manager info no longer updates
• BZ - 1441752 - null result when deleting orchestration templates using REST API
• BZ - 1441754 - Get IP address automation code not working Azure
• BZ - 1441855 - OpenShift provider event storm POD_FAILEDSYNC
• BZ - 1442105 - UI: Topology - unable to confirm search by pressing the Return key, reacts only to a mouse click
• BZ - 1442156 - [SDN] - Disable CRUD actions for Azure/Amazon Network providers
• BZ - 1442164 - OSP refresh fail with Validation failed: Name can't be blank
• BZ - 1442169 - When using dynamic drop downs, sorting of items doesn't work in self service portal.
• BZ - 1442177 - EC2 provision dialogs do not support selecting multiple IPs for multi provision
• BZ - 1442764 - OpenStack refresh fail with nil:NilClass
• BZ - 1442769 - Rhev inventory refresh fails after rhev upgrade from 3.6 to 4.0
• BZ - 1442774 - Update oVirt SDK to version 4.1.z
• BZ - 1442865 - Automate import does not update display_name and description attributes in Namespace objects
• BZ - 1442877 - cloud_init re-runs on appliacne reboot, static networking configuration lost
• BZ - 1443246 - Clicking on Group or Role name link/icon in the user's details page does nothing
• BZ - 1443248 - Using REST API - encountering "NoMethodError: undefined method `key?' for #<Array..."
• BZ - 1443563 - NoMethodError Nil actioncable / pubsub_adapter
• BZ - 1443572 - the amazon best fit method sometimes attempts to select networks that aren't available to the region in use
• BZ - 1443580 - After saving default filter in datastores and clearing it infinispinner
• BZ - 1443697 - Full refresh of second VMware provider isn't automatically started after it is added
• BZ - 1443799 - Containers may get (ems_id and old_ems_id) == nil
• BZ - 1444037 - UI: List views forget checked items when resorted by clicking on a column header.
• BZ - 1444041 - Chargeback for container images report editor filter tab produces an error if there are too many images in the database
• BZ - 1444052 - Chargeback report generation keeps whole openshift env in the memory (even after it finishes)
• BZ - 1444062 - Self Service UI does not properly select defaults for dynamic drop downs
• BZ - 1444178 - [SDN][Azure] - Edit Tags button clickable after Net provider refresh without selected provider
• BZ - 1444182 - Sorting configuration providers by url throws "undefinedColumn: ERROR: column providers.url does not exist"
• BZ - 1444214 - Ensure managers change zone and provider region with cloud manager (OpenStack)
• BZ - 1444220 - Ensure managers change zone and provider region with cloud manager (Google)
• BZ - 1444486 - Policy Simulation results tree nodes are not properly escaped
• BZ - 1444494 - Expose container projects and template parms in service model
• BZ - 1444875 - [SDN][EC2] - singular in downloaded files and subjects
• BZ - 1445318 - [RFE] CFME 4.1 EMS Refresh should be targeted for folder create, as opposed to a full EMS Refresh
• BZ - 1445356 - [RFE] Edit action is not been supported for VMS resources.
• BZ - 1445383 - After reintroducing a failed primary node, there are old replication slots left on the "new" node
• BZ - 1445806 - Getting undefined method `get_folder_paths' after applying RHSA-2017:0898
• BZ - 1445901 - Error in re-configuring service: "Error during 'Provisioning': undefined method `match' for 0:Fixnum Did you mean? catch"
• BZ - 1445902 - [NoMethodError]: undefined method `merge!' for nil:NilClass encountered for OpenShift full refresh
• BZ - 1446305 - Reintroducing a standby node that has already be reintroduced causes failure
• BZ - 1446773 - Change Cluser/Deployment Roles to Resource Pools on cluster summary page
• BZ - 1446787 - Month selection arrows for C&U Gap collection are hidden in the UI
• BZ - 1446791 - incorrect href attribute values for Foreman providers
• BZ - 1447091 - Service Catalogs: Dialogs are hanging and keeps buffering
• BZ - 1448046 - UI lag due to more than 3650 messages in notification
• BZ - 1448073 - [vSphere] UI-RBAC: undefined method `all' for nil:NilClass error appears while setting ownership for template
• BZ - 1448140 - IPv6 addresses not selectable field for reports
• BZ - 1448142 - IPv6 addresses not rendered on details page
• BZ - 1448148 - Containers - old archived container entities are not purged
• BZ - 1448418 - Default dynamic text boxes should be blank
• BZ - 1448421 - Default value of dynamic dropdown list not honored CloudForms 4.2
• BZ - 1448530 - [RFE] ReFS FileSystem Support
• BZ - 1448538 - redhat_CustomizeRequest Provisioning Type: does not match, skipping processing
• BZ - 1448870 - [Regression] storage.perf_capture ERROR
• BZ - 1448872 - vmware_CustomizeRequest Provisioning Type: ManageIQ::Providers::Vmware::InfraManager::Provision does not match, skipping processing
• BZ - 1449389 - It is impossible to identify the source process/appliance for each connection in pg_stat_activity
• BZ - 1449392 - Benchmark timings are incorrect for all workers in evm.log
• BZ - 1449394 - Action button for verifying replication subscriptions on the far right is to small
• BZ - 1449396 - In my settings page at login Configuration management shouldn't be in Infrastructure
• BZ - 1449397 - error when creating a group + setting the tag in create
• BZ - 1449398 - Chargeback Report VM identification (UUID)
• BZ - 1449403 - GCE Boot Disk Size options should be sorted by actual size
• BZ - 1449753 - retirement runs in any zone as of 5.7.1
• BZ - 1450084 - Failed to remove interface from router
• BZ - 1450086 - Network Topology does not show Cloud Routers
• BZ - 1450088 - Cloud Router Summary does not show subnets which connected it
• BZ - 1450150 - CFME: Dialog for creating cloud volumes does not filter cloud tenants CVE-2017-7497
• BZ - 1450217 - The credentials for Automate Git Repository wasn't updating the correct authentications type
• BZ - 1450421 - service dialog dynamic code works in admin portal but not in self-service portal
• BZ - 1450508 - Create the .pgpass and print required conf for standby on primary database servers
• BZ - 1450511 - [RFE] Make the process of reintroducing a failed HA node more user-friendly
• BZ - 1450512 - In new db master node, pg_xlog directory got fulled
• BZ - 1450514 - SSA Fails in Windows workloads but not in Linux ones on OSP9
• BZ - 1450519 - Openstack services missing on node page
• BZ - 1450525 - Cannot select placement for Cloud Volumes (openstack cinder storage provider) and this volumes are created in different tenants during provisioning of the instance.
• BZ - 1450526 - MiqVimBrokerWorker exceeding memory after upgrading from 5.6 -> 5.7
• BZ - 1451396 - CFME 5.7.2.1 does not support group/tag access restrictions for performance reports
• BZ - 1451827 - Existing or Newly created service added to parent service via REST API or from automation is not visible in UI
• BZ - 1452172 - When adding Disk with reconfiguration on vmware, after 16th Disk, a new controller is created hardcoded to Parallel Type
• BZ - 1452227 - [RFE] Azure managed images not discovered
• BZ - 1452350 - customers unable to access CFME thru UI due to chronic unpredictable termination of httpd service
• BZ - 1452363 - Raw methods exposed for Cloud Tenant instead of non-raw
• BZ - 1452383 - Calendar control on Cluster Utilization page gets clipped
• BZ - 1452764 - reports do not distinguish between same name custom attributes with different sections
• BZ - 1452824 - [Microsoft]Auto_placement provision fails due to selecting Host in Maintenance state
• BZ - 1454383 - Unable to collect inventory for 40,000 container images, results in kubeclient timeout
• BZ - 1454442 - Tag Information Not Displayed on Catalog Items
• BZ - 1454443 - Resetting planning results in flash msg twice
• BZ - 1454446 - Containers with empty "imageID" field points to wrong images
• BZ - 1454618 - Forbidden Error when creating a cloud network
• BZ - 1455302 - Can not get kernel version from reports
• BZ - 1455600 - For OSP10 provider, Cinder volume creation is never finishing on the UI
• BZ - 1455670 - Service catalog service dialog refresh function in cf 4.2 behaves differently from cf 4.0
• BZ - 1455686 - Azure provision still needs First/Last name
• BZ - 1455933 - incorrect href keys for service and automation requests accessed through /api/requests
• BZ - 1456021 - Cloudforms causes a Token Storm on OSP10 overcloud
• BZ - 1457911 - Schedule Time value is reset during editing provisioning request
• BZ - 1457924 - Remove policy checking for request_host_vmotion_enabled event
• BZ - 1458810 - Failed while launching imported report based on Chargeback for Projects via REST API.
• BZ - 1458811 - Archived container entities are not destroyed when the provider is deleted
• BZ - 1459180 - Cannot filter report with custom attributes
• BZ - 1459307 - Retirement - log the zone when raising a retirement event.
• BZ - 1459319 - Azure refresh results in timeout errors
• BZ - 1459563 - Incorrect storage used in Chargeback reports
• BZ - 1460979 - Tag Visibility | Access Controll: All users, groups, and tenants are visible for restricted user
• BZ - 1461170 - Valid SCVMM file share not showing up as datastore on host.
• BZ - 1461540 - ManageIQ icon on SUI order page
• BZ - 1461886 - Allow identify replicated interfaces on HA environments
• BZ - 1463669 - Missing Memory graphs on Azure Availability zone Utilization page for daily interval

CVEs

• CVE-2016-4457
• CVE-2016-7047
• CVE-2017-7497

References

• https://access.redhat.com/security/updates/classification/#important

Red Hat CloudForms 4.2

SRPM
cfme-5.7.3.2-1.el7cf.src.rpm	SHA-256: 580753c8550d6265661b34ecd01c69fa25b5d1d42cd15a03bb600d6eb6b78a3e
cfme-appliance-5.7.3.2-1.el7cf.src.rpm	SHA-256: a296b0bfe392d64fb7e74c1546239dd2492e3f9f32f16ad6a5646f7316ea1a7e
cfme-gemset-5.7.3.2-1.el7cf.src.rpm	SHA-256: f0900aee830160e78d456c7c108b5af9ff4e4548df82c41d706ab98ecf4afcee
rh-ruby23-rubygem-nokogiri-1.7.2-1.el7cf.src.rpm	SHA-256: 89235c71bb3fd40e2eba23fd07f6c83827a7df1dd0c7031c14e70651ac9edaf9
rh-ruby23-rubygem-ovirt-engine-sdk4-4.1.5-1.el7cf.src.rpm	SHA-256: 2f30bbaf30970ee8baf0862f433cb375677b54c2593c857bb39a414267a55c01
x86_64
cfme-5.7.3.2-1.el7cf.x86_64.rpm	SHA-256: eb1299b5ef3f9e2dc3b47e68304956dae94dbf852df2c9536ce87f04a4b7af51
cfme-appliance-5.7.3.2-1.el7cf.x86_64.rpm	SHA-256: 2c40744170d3b2b28bf27584d898925f3869ead2a4683addd46685b1e1f21398
cfme-appliance-debuginfo-5.7.3.2-1.el7cf.x86_64.rpm	SHA-256: b99aa58fee2d0d60b16dabf988ec3e67a8229753d5ebd31cbf456dbbdb5067be
cfme-debuginfo-5.7.3.2-1.el7cf.x86_64.rpm	SHA-256: 12fdc9cfc36057fd586e4d8bf0c4dbe500087cc69cce6e8f47df7ba9d069c4f8
cfme-gemset-5.7.3.2-1.el7cf.x86_64.rpm	SHA-256: b19abb98504df6b5a5b3252a08b81ebd59275195fb7d9d92feffaf9861090a7e
rh-ruby23-rubygem-nokogiri-1.7.2-1.el7cf.x86_64.rpm	SHA-256: 7725b15b2d7af04760e2ecb96ded32b4816766a7ebea26a52b562f721e586fb0
rh-ruby23-rubygem-nokogiri-debuginfo-1.7.2-1.el7cf.x86_64.rpm	SHA-256: 6f2b19776321e3f31d7e529055de9ae7e7d0469c84025332cb4e32f8a8aea497
rh-ruby23-rubygem-nokogiri-doc-1.7.2-1.el7cf.x86_64.rpm	SHA-256: 230066185e7487130cdf22aaac1ff29ebe1fd23ba71890a0dbefc62baf9d7b26
rh-ruby23-rubygem-ovirt-engine-sdk4-4.1.5-1.el7cf.x86_64.rpm	SHA-256: 10cd300a0c53be0a068191aad897f57ba2c39a20cf633c740349c4c5fcf36d2e
rh-ruby23-rubygem-ovirt-engine-sdk4-debuginfo-4.1.5-1.el7cf.x86_64.rpm	SHA-256: f2c00213e3415a78f6e96d4893639a6d9a25290eff3a5d83f0062b54a132b862
rh-ruby23-rubygem-ovirt-engine-sdk4-doc-4.1.5-1.el7cf.noarch.rpm	SHA-256: f6e77ec9cc69beceda5479375425fe5a4573fc33832a22608548e2e4e5850111