RHSA-2017:1758 - Security Advisory

Topic

An update is now available for CloudForms Management Engine 5.8.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

Ansible is a simple model-driven configuration management, multi-node deployment, and remote-task execution system. Ansible works over SSH and does not require any software or daemons to be installed on remote nodes. Extension modules can be written in any language and are transferred to managed machines automatically.

Red Hat CloudForms Management Engine delivers the insight, control, and automation needed to address the challenges of managing virtual environments. CloudForms Management Engine is built on Ruby on Rails, a model-view-controller (MVC) framework for web application development. Action Pack implements the controller and the view components.

The following packages have been upgraded to a later upstream version:
ansible (2.3.0.0), ansible-tower (3.1.3), cfme (5.8.1.5), cfme-appliance
(5.8.1.5), cfme-gemset (5.8.1.5), rh-ruby23-rubygem-nokogiri (1.7.2).
(BZ#1456017, BZ#1459318)

Security Fix(es):

• CloudForms lacks RBAC controls on certain methods in the rails application portion of CloudForms. An attacker with access could use a variety of methods within the rails applications portion of CloudForms to escalate privileges. (CVE-2017-2664)
• It was found that privilege check is missing when invoking arbitrary methods via filtering on VMs that MiqExpression will execute that is triggerable by API users. An attacker could use this to execute actions they should not be allowed to (e.g. destroying VMs). (CVE-2017-7530)
• The dialog for creating cloud volumes (cinder provider) in CloudForms does not filter cloud tenants by user. An attacker with the ability to create storage volumes could use this to create storage volumes for any other tenant. (CVE-2017-7497)
• A flaw was found in the CloudForms API. A user with permissions to use the MiqReportResults capability within the API could potentially view data from other tenants or groups to which they should not have access. (CVE-2016-7047)

The CVE-2017-2664 issue was discovered by Libor Pichler (Red Hat) and Martin Povolny (Red Hat); the CVE-2017-7530 issue was discovered by Tim Wade (Red Hat); the CVE-2017-7497 issue was discovered by Gellert Kis (Red Hat); and the CVE-2016-7047 issue was discovered by Simon Lukasik (Red Hat).

Additional Changes:

This update also fixes several bugs and adds various enhancements. Documentation for these changes is available from the Release Notes document linked to in the References section.

Solution

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/11258

Affected Products

• Red Hat CloudForms 4.5 x86_64

Fixes

• BZ - 1374215 - CVE-2016-7047 cfme: API leaks any MiqReportResult
• BZ - 1435393 - CVE-2017-2664 CloudForms: lack of RBAC on various methods in web UI
• BZ - 1438562 - [RFE] External Auth - AD - samba-common-tools and deps missing from appliance.
• BZ - 1439309 - Not able to see orders when not enough permission to see catalogs
• BZ - 1441321 - Access (Cockpit and HTML5) are inconsistent between Service and OPS UI
• BZ - 1444505 - "Collect" button is absent on slave server log collection page
• BZ - 1449273 - VM Hostname not displaying when RHV has FQDN
• BZ - 1450082 - Failed to remove interface from router - HA env.
• BZ - 1450087 - Cloud Router Summary does not show subnets which connected it - HA env.
• BZ - 1450150 - CFME: Dialog for creating cloud volumes does not filter cloud tenants CVE-2017-7497
• BZ - 1450502 - [RFE] Custom Button must be supported at VM level in Service UI
• BZ - 1450518 - Openstack services missing on node page
• BZ - 1454445 - Containers with empty "imageID" field points to wrong images
• BZ - 1455685 - Azure provision still needs First/Last name
• BZ - 1456017 - [RFE] Install latest stable version of Ansible Core on the appliance.
• BZ - 1458333 - Containers - old archived container entities are not purged
• BZ - 1458337 - In my settings page at login Configuration management shouldn't be in Infrastructure
• BZ - 1458339 - It is impossible to identify the source process/appliance for each connection in pg_stat_activity
• BZ - 1458341 - reports do not distinguish between same name custom attributes with different sections
• BZ - 1458356 - [Ansible Embedded] - User not informed about Embedded Ansible role enablement
• BZ - 1458360 - Entering Ansible Repository Incorrectly does not provide feedback that creation fails
• BZ - 1458363 - [VMWARE]Auto_placement provision fails if best_fit host doesn't have selected VM Network
• BZ - 1458365 - Can not get kernel version from reports
• BZ - 1458374 - [Azure] - No floating IPs displayed for LBs in Network topology
• BZ - 1458377 - Various network object CRUD forms require better filtering
• BZ - 1458434 - Use $log.log_hashes to filter out sensitive data in Ansible Playbook service.
• BZ - 1458445 - Extra parameter in call to Job#set_status from `VmScan#call_snapshot_delete'
• BZ - 1458447 - GCE Boot Disk Size options should be sorted by actual size
• BZ - 1458448 - Remove specific EVM server from zone
• BZ - 1458454 - [RFE] Add legend to Graph in OpenShift Ad Hoc Metrics
• BZ - 1458892 - The credentials for Automate Git Repository wasn't updating the correct authentications type
• BZ - 1458896 - infinispinner on attempt to open Alarm/Status Change management events on Timelines page
• BZ - 1458899 - Deleting object store object redirects me to object store containers list
• BZ - 1458900 - Export button is enabled on Custom Reports page
• BZ - 1458919 - Action button for verifying replication subscriptions on the far right is to small
• BZ - 1458921 - Chargeback Report VM identification (UUID)
• BZ - 1458924 - Web console for AWS is trying to connect on private ip instead public one
• BZ - 1458925 - WEB Console defaults to the first IP Address when connecting to Cockpit with RHV VMs
• BZ - 1458926 - UI blows up while downloading Switch Summary as PDF
• BZ - 1458927 - Tag Group UI | "Save" button gets inactive after switching between tabs(Host&Cluster, My Company Tag)
• BZ - 1458930 - Topology View for HyperV is missing all relationships
• BZ - 1458934 - Container Explorer Page is not scalable
• BZ - 1458935 - Smart Management | Tag info is not appear on container detail page after edit
• BZ - 1458943 - [SDN] - no Instance details in Floating IPs table for LB IPs
• BZ - 1458945 - Middleware Manager Deployments Download .pdf contains duplicate .war entries
• BZ - 1458946 - customers unable to access CFME thru UI due to chronic unpredictable termination of httpd service
• BZ - 1458947 - get-inventory.ps is returning SCVMM internal temporary templates in addition to actual templates
• BZ - 1458951 - Host targeted refresh fails when using sdk (v4)
• BZ - 1459217 - [RFE] Azure managed images not discovered
• BZ - 1459225 - Check for blank password in database configuration to avoid postgres errors
• BZ - 1459227 - Benchmark timings are incorrect for all workers in evm.log
• BZ - 1459235 - SSA Fails in Windows workloads but not in Linux ones on OSP9
• BZ - 1459243 - Message 'Cannot edit VM. Physical Memory Guaranteed cannot exceed Memory Size' is logged as INFO in automation.log
• BZ - 1459247 - MIQ LDAP - Certain users with special attributes can't log in to services UI.
• BZ - 1459257 - Auth - MIQLDAP - FreeIPA - Can't switch groups in SSUI
• BZ - 1459258 - AWS S3 deleting object store object(folder) that has another objects in it does nothing
• BZ - 1459261 - vmreconfigure allows circumvention of quota and approval mechanisms
• BZ - 1459262 - When adding Disk with reconfiguration on vmware, after 16th Disk, a new controller is created hardcoded to Parallel Type
• BZ - 1459264 - [UI][RHV][VM Reconfigure] Disks section - "Delete Backing" Yes|No button stuck in the middle.
• BZ - 1459297 - Display notification message when search on Provider Topology page returns no records
• BZ - 1459306 - Retirement - log the zone when raising a retirement event.
• BZ - 1459318 - Azure refresh results in timeout errors
• BZ - 1459562 - Incorrect storage used in Chargeback reports
• BZ - 1459902 - Show tag info for playbook services
• BZ - 1459903 - No flash message after editing provider settings
• BZ - 1459923 - Error indicator does not display on the OpenStack New Infrastructure Provider form for the Default tab
• BZ - 1459928 - Raw methods exposed for Cloud Tenant instead of non-raw
• BZ - 1459929 - Unable to collect inventory for 40,000 container images, results in kubeclient timeout
• BZ - 1459940 - I can't change only volume name when editing gp2 type block storage volume(EBS)
• BZ - 1459944 - Tag Information Not Displayed on Catalog Items
• BZ - 1459959 - Calendar control on Cluster Utilization page gets clipped
• BZ - 1459962 - Ansible Playbook Service: Cannot update new dialog name and other UI issues
• BZ - 1459977 - Existing or Newly created service added to parent service via REST API or from automation is not visible in UI
• BZ - 1459986 - Error message displayed when adding playbook service catalog item to global region
• BZ - 1459989 - Service dialog is created without extra_vars
• BZ - 1459990 - Ansible playbook : Error when creating new dialog with existing dialog's name
• BZ - 1459992 - Resetting planning results in flash msg twice
• BZ - 1460000 - backup service fails due to: incremental=>true
• BZ - 1460002 - Unable to change rhevm credentials after upgrade from 5.6 to 5.8
• BZ - 1460004 - Parent tenant displayed in list view when allowed by RBAC
• BZ - 1460023 - containers: information under "Labels" is shown in reverse alphabetical order (z-a)
• BZ - 1460024 - Create a snapshot of this volume action is missing in Block storage volume list configuration menu
• BZ - 1460027 - Expose container projects and template parms in service model
• BZ - 1460031 - When provisioning VM, multiple emails with same content are sent
• BZ - 1460032 - Forbidden Error when creating a cloud network
• BZ - 1460033 - Pop-up with usercase occur if press "Edit" button after log collection via dropbox
• BZ - 1460034 - Failed to create subnet
• BZ - 1460036 - [VMWare][Topology] - wrong title of Clusters and Tags not displayed
• BZ - 1460265 - Tag Group UI | Cannot select single host, checkboxes are missing
• BZ - 1460293 - Custom Button: None credential is always used during Ansible Playbook Service provisioning
• BZ - 1460294 - Bulk assign_tags does not populate href properly
• BZ - 1460304 - Ansible Repository SCM Credential cannot be cleared after being set
• BZ - 1460307 - [RFE] Allow for deletion of group when users belong to another group
• BZ - 1460308 - Allow identify replicated interfaces on HA environments
• BZ - 1460309 - undefined method `status_ok?' for #<MiqTask:0x0000001a97daf0> causing post_scaledown_task to fail
• BZ - 1460310 - ContainerImage :registered_on field is wrong
• BZ - 1460316 - Custom button failing to execute
• BZ - 1460318 - Cloudforms causes a Token Storm on OSP10 overcloud
• BZ - 1460334 - RHV Host refresh fail on undefined method `detect' for nil:NilClass
• BZ - 1460339 - SmartState required automate server roles enabled on the worker has SmartProxy role enabled
• BZ - 1460348 - manageiq.api_token failing in playbook when using a multi-appliance deployment
• BZ - 1460349 - After killing reporting worker, report status still says Running
• BZ - 1460356 - Ansible Service Catalog Template Job not honoring provider zone
• BZ - 1460357 - Node Utilisation in Dashboard show more Nodes than avaible
• BZ - 1460359 - Remove policy checking for request_host_vmotion_enabled event
• BZ - 1460366 - Cannot suspend server role in CFME Region menu
• BZ - 1460372 - webadmin: template info is not shown correctly in several fields of Objects table
• BZ - 1460375 - Refreshing the ansible tower provider page does not load the View buttons
• BZ - 1460380 - Schedule Time value is reset during editing provisioning request
• BZ - 1460382 - Default number of topology items shouldn't be Unlimited
• BZ - 1460383 - HTML5 Console Title Reads as "ManageIQ HTML5 Remote Console"
• BZ - 1460384 - Search and advanced search is missing in Object Store Objects
• BZ - 1460385 - Unable to download aws volumes snapshot summary in PDF format
• BZ - 1460386 - When importing custom variables always "Choose the type of custom variables to be imported" appears
• BZ - 1460387 - Incorrect padding in Actions and Conditions selection screens
• BZ - 1460394 - Saved Reports getting deleted when deletes all finished reporting task from All Other Tasks page
• BZ - 1460396 - Failed while launching imported report based on Chargeback for Projects via REST API.
• BZ - 1460397 - Archived container entities are not destroyed when the provider is deleted
• BZ - 1460736 - ISO domain images are not displayed
• BZ - 1460755 - SSUI shows Manage IQ productization
• BZ - 1460761 - report vm and instances field 'Provision.Request : Approved By' does not apply any styling
• BZ - 1460776 - [RHOS] Cancelling 'Provision instance' action throws exception
• BZ - 1460777 - Some inconsistencies in Hosts listnav and Hosts Summary screen
• BZ - 1460781 - Tenants : Reset button not working in Tag Assignment page
• BZ - 1460791 - Unable to edit ansible repository by "Enter" pressing
• BZ - 1460792 - Filters not working properly in config mgmt configured systems
• BZ - 1460802 - Missing "data-id" attribute in Bootstrap select elements
• BZ - 1460803 - Embedded Ansible role does not migrate cleanly to another appliance
• BZ - 1460805 - failure of "Embedded Ansible " fails to install prevents that from ever installing
• BZ - 1460807 - Access Web Console Cockpit not compatible with Windows VMs
• BZ - 1460808 - service dialog saving elements when switching elements - cancel only reverts current element
• BZ - 1460809 - [RFE] - Add 'Verbosity' drop down on both Provisioning & Retirement tabs for Playbook Catalog Items
• BZ - 1461070 - The IP version (network protocol) is not displayed when editing cloud subnets
• BZ - 1461103 - Missing unit on VMDB Utilization page
• BZ - 1461142 - Impossible to graph multiple data-series in Ad-hoc Metrics if they are on different pages
• BZ - 1461143 - Service Retirement not working properly for Orchestration Stacks due to missing zone.
• BZ - 1461144 - Use of the new create_service_provision_request method is inconsistent with other create_*_request methods
• BZ - 1461161 - Log Collection fails via IPv6
• BZ - 1461165 - Cancel button remains disabled in Add interface to router page
• BZ - 1461169 - Valid SCVMM file share not showing up as datastore on host.
• BZ - 1461183 - Service catalog service dialog refresh function in cf 4.2 behaves differently from cf 4.0
• BZ - 1461456 - Export button for Custom Reports doesn't work
• BZ - 1461460 - [ALL LANG] Compute-Clouds-Tenants has missing translations for menu and table entries
• BZ - 1461467 - default report with timelines "Operations VMs Powered On/Off for Last Week" doesn't include instance events
• BZ - 1461475 - 'Restart Guest' is available on Vm without VMTools from 'On' state
• BZ - 1461485 - Editing Infrastructure Providers and Hosts from a list returns to details screen instead of back to list
• BZ - 1461513 - CloudForms 4.1 Child tenants are allowed to view other child tenants Service Requests
• BZ - 1461522 - Validation error: ems/core not defined while ContainerGroups in the "Pending" state
• BZ - 1461535 - Maintenance mode flag not being set on SCVMM hosts.
• BZ - 1461541 - Reports - Number of Nodes per CPU cores - Wrong Name of report
• BZ - 1461558 - OpenShift smartstate errors -unknown access error to pod management-infra/manageiq-img-scan-7f243: #<Net::HTTPBadRequest:0x00000010422df8>
• BZ - 1461559 - Wrong RHV provider refresh error, when provider is down.
• BZ - 1461593 - subselection in access control role, not bubble up in tree display
• BZ - 1461596 - CloudForms Topology View shows Archived VMs
• BZ - 1461857 - provisioning from pxe fails when using ovirt sdk v4
• BZ - 1461860 - Add RHV provider using a bad hostname do not fail the validation in UI.
• BZ - 1461868 - [SDN][Tags] - Redirection to Network provider summary page page after tag is saved
• BZ - 1461869 - Tag Visibility | Cloud Stack: Tag is not added if stack list opened from provider detail page
• BZ - 1461956 - Reports - Number of Nodes per CPU cores - "Name" header
• BZ - 1461958 - it takes 10-20 sec to add column to new report when report is based on big fields set like Virtual Machines
• BZ - 1461988 - checkboxes on Control Policies->Event Assignments page aren't grouped/organized
• BZ - 1462287 - No spinner when waiting for Cloud Key Pair to save
• BZ - 1462309 - service now integrations for determining host_name return empty array
• BZ - 1462358 - Hourly metrics_## tables grow filling up the VMDB filesystem when real-time purges fail
• BZ - 1462361 - Openstack infra provider dashboard should not appear for an openstack infra provider
• BZ - 1462774 - VM provision via restapi fail, if the chosen data store name exist more than once in CFME.
• BZ - 1462779 - [Ansible Embedded] - Remove ssh keys fields from SCM credentials form
• BZ - 1462801 - Openshift refresh crashes due to template.objects being nil
• BZ - 1462844 - "" As a hawkular endpoint port passes validation, but prevents provider edit.
• BZ - 1462957 - [Microsoft]Reset option available from Details
• BZ - 1463275 - Add support for v4 of the RHV api in event monitoring
• BZ - 1463321 - Inconsistencies in Access Control for Automation - Ansible feature
• BZ - 1463381 - Replace nodejs010 with node from SCL in appliances
• BZ - 1463668 - Missing Memory graphs on Azure Availability zone Utilization page for daily interval
• BZ - 1463848 - static ipv6 primary DNS default fails
• BZ - 1464118 - VMRC does NOT work if CFME is accessed with IPv6 Address
• BZ - 1464151 - UI: Showing wrong flash message when "Check Compliance of Last Known Configuration"
• BZ - 1464153 - Floating IP: Cannot associate or disassociate a port
• BZ - 1464203 - Disk space issues when running upgrade from 5.7 to 5.8
• BZ - 1465448 - CVE-2017-7530 cfme: Execution of arbitrary methods through filter param
• BZ - 1466049 - SSUI : No Scroll bar to scroll to the bottom in service catalog page , Unable to provision service catalogs at the bottom
• BZ - 1466855 - Embedded ansible role fails to re-initialize after webui update
• BZ - 1468272 - Edit tag page doesn't work for filtered items
• BZ - 1468275 - [RFE] Trigger a refresh when adding/editing/deleting anything in CFME Block Storage(EBS)
• BZ - 1468281 - websocket connection leaks causing failed connections
• BZ - 1468285 - [CFME4.5]Configuring Multi-Region, Single LDAP Authentication, Synchronized RBAC/Resource.
• BZ - 1468292 - Navigation accordion on Cloud->Instances page fails
• BZ - 1468294 - SSUI : "Error loading Services" when clicked on "My Services"
• BZ - 1468295 - Non-admin users unable to see Catalog Items in SUI
• BZ - 1468296 - Display a warning for large number of objects in the Topology pages
• BZ - 1468336 - Unable to view Reports if a member has a custom Role - indefinite spinning wheel
• BZ - 1468337 - UI: infinispinner appears In the Report accordion
• BZ - 1468370 - Drop Down List Dialog does not keep default value for Integer type
• BZ - 1468376 - upgrade to CF 4.5 complains about "could not find nokogiri-1.6.8" during "rake db:migrate"
• BZ - 1468380 - Setting Start Page to Container/Explorer sets to URL to an invalid URL
• BZ - 1468700 - Azure refresh fails with private_ip_address property not found
• BZ - 1468703 - Azure refresh fails if provider has no orchestration stacks
• BZ - 1468729 - [Regression] Saved reports unavailable under Reports accordion
• BZ - 1469308 - Unable to select the Azure region UK South
• BZ - 1469560 - Collect container metrics is done until time.now instead of until end-time
• BZ - 1469653 - Some container resources not cleaned up after removal from Openshift - research
• BZ - 1469702 - performance issue in openstack collection
• BZ - 1470179 - the buttons of the html5 console do not work with windows vms
• BZ - 1470773 - [RFE] Buttons assigned to VMs should be available in Self Service UI
• BZ - 1470774 - in the self service portal after a little time displaying a vm, data changes to garbage data
• BZ - 1470800 - OSP: when validating an account with access to many projects, it checks each, and times out
• BZ - 1470812 - Validation Credentials fails for OSP 10 Provider with AD "domain" user
• BZ - 1470847 - Unexpected error encountered while switching maintabs to configuration manager provider
• BZ - 1471821 - Ansible tower job templates filters are not displayed
• BZ - 1472837 - [Regression] Error while generating Chargeback reports
• BZ - 1472841 - Setting static ipv6 address clears ipv4 address in appliance console.
• BZ - 1472842 - After setting ipv6 to dhcp its not possible to set it back to static
• BZ - 1473336 - Service Requests are not seen by user in Global Region
• BZ - 1473424 - Firewall rules prevent appliance from getting a dynamic IPv6 address
• BZ - 1473787 - Ansible workers not starting
• BZ - 1474504 - Unable to navigate through the service requests due to a template error on "split"

CVEs

• CVE-2016-7047
• CVE-2017-2664
• CVE-2017-7497
• CVE-2017-7530

References

• https://access.redhat.com/security/updates/classification/#important