RHSA-2017:3005 - Security Advisory

Topic

An update is now available for CloudForms Management Engine 5.8.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

Red Hat CloudForms Management Engine delivers the insight, control, and automation needed to address the challenges of managing virtual environments. CloudForms Management Engine is built on Ruby on Rails, a model-view-controller (MVC) framework for web application development. Action Pack implements the controller and the view components.

The following packages have been upgraded to a later upstream version: ansible-tower (3.1.5), cfme (5.8.2.3), cfme-appliance (5.8.2.3), cfme-gemset (5.8.2.3), rabbitmq-server (3.6.9), rh-ruby23-rubygem-nokogiri (1.8.1), supervisor (3.1.4). (BZ#1476286, BZ#1485484)

Security Fix(es):

• A flaw was found in Tower's interface with SCM repositories. If a Tower project (SCM repository) definition does not have the 'delete before update' flag set, an attacker with commit access to the upstream playbook source repository could create a Trojan playbook that, when executed by Tower, modifies the checked out SCM repository to add git hooks. These git hooks could, in turn, cause arbitrary command and code execution as the user Tower runs as. (CVE-2017-12148)
• A vulnerability was found in the XML-RPC interface in supervisord. When processing malformed commands, an attacker can cause arbitrary shell commands to be executed on the server as the same user as supervisord. Exploitation requires the attacker to first be authenticated to the supervisord service. (CVE-2017-11610)

The CVE-2017-12148 issue was discovered by Ryan Petrello (Red Hat).

Additional Changes:

This update also fixes several bugs and adds various enhancements. Documentation for these changes is available from the Release Notes document linked to in the References section.

Solution

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/11258

Affected Products

• Red Hat CloudForms 4.5 x86_64

Fixes

• BZ - 1439650 - Tenant and catalog information missing in Service Catalog Item Being Tagged
• BZ - 1459987 - Changes to timeout setting should not require evmserverd restart
• BZ - 1459996 - [RFE] Add support for virt v2v
• BZ - 1460754 - containers: containers analysis task results - user is system and owner is empty
• BZ - 1461061 - Add rate view option for counters in Ad-hoc Metrics
• BZ - 1465087 - Service template provisioning request do not honour quotas
• BZ - 1465089 - "Items" keyword in the dropdown list values of Default Items Per Page in my settings
• BZ - 1471709 - Default landing page is not showing "storage page" related options for custom made role
• BZ - 1476143 - CVE-2017-11610 supervisor: Command injection via malicious XML-RPC request
• BZ - 1477194 - AD with external auth, When doing group lookup for user group SID number is displayed instead of Group name
• BZ - 1477616 - Validation failed: Status is not included in the list
• BZ - 1477701 - Error caught: [NoMethodError] undefined method `[]' for nil:NilClass for REGULAR EXPRESSION MATCHES report
• BZ - 1477702 - UI: Unable to edit Compliance Policy Scope condition.
• BZ - 1478367 - 400 Bad Request Provision Error
• BZ - 1478372 - All start page entries must be updated to include the new navigation
• BZ - 1478379 - We do not check the base unit when creating the unit label
• BZ - 1478391 - Limit ansible playbook catalog item description
• BZ - 1478398 - Fields change in Advanced search in Automation -> Ansible Tower page
• BZ - 1478400 - Delete saved report button is not available on the configuration tab on report summary page
• BZ - 1478406 - Link to PV summary pdf broken
• BZ - 1478407 - [RFE] Create Backup for Cloud Volume should have force checkbox
• BZ - 1478409 - Error caught: [NoMethodError] undefined method `+' for nil:NilClass
• BZ - 1478415 - [Azure] User password limitations are not working correctly
• BZ - 1478418 - [RFE] Add support for VM "Restart Guest", for RHV provider
• BZ - 1478421 - Enabling Capacity & Utilization without filling C&U credentials generate repeated Errors in evm.log
• BZ - 1478428 - Default capture_threshold value for OpenShift object types is too low
• BZ - 1478429 - 'Ansible Tower' should not be mentioned in CloudForms notification when using Ansible Automation Inside
• BZ - 1478434 - prevent two miq servers from starting
• BZ - 1478435 - <Choose> found as option in drop down service dialogs
• BZ - 1478436 - Remote VNC/SPICE consoles lack logging when the remote endpoint is inaccessible
• BZ - 1478506 - inconsistent response when deleting nonexistent VM snapshot using API
• BZ - 1478508 - Not able to retire VM/instance via API unless "Set Retirement Date" feature is checked for role
• BZ - 1478510 - [POD] database.yml and GUID collected as link after log collection in podified appliance
• BZ - 1478513 - Configuration Manager name change not displayed
• BZ - 1478515 - Accessing the 'manager' association of a ManageIQ_Providers_EmbeddedAnsible_AutomationManager_Job service model gives a NoMethodError exception
• BZ - 1478523 - Productized border at top of page should be red not blue
• BZ - 1478526 - Unable to save trusted forest Settings
• BZ - 1478527 - CFME crashes in case of description field not found
• BZ - 1478529 - Tag|Ansible Job template| Page refreshes after try to navigate to template detail page from edit tag page
• BZ - 1478532 - In case system project not exsit, no filters load on Ad hoc metrics
• BZ - 1478535 - Boolean user input filter should be select bar to prevent exceptions
• BZ - 1478542 - SUI : Start/Stop operation on any service hides the top button menu bar
• BZ - 1478544 - After applying errata 5.7.3.2 some dialog field default values are missing in the self-service portal
• BZ - 1478554 - Not possible to refresh automate from GIT using API call
• BZ - 1478557 - Tag with Key 'Name' and a nil Value Breaks Refresh for AWS
• BZ - 1478558 - Container build pods are linked to build configurations from wrong namespaces
• BZ - 1478560 - RHV provider does not trust certificate authorities from the system CA database
• BZ - 1478562 - [VMWARE]Auto_placement provision into DVPortGroup fails on Virtual Center 6.5
• BZ - 1478563 - [RFE] Warning message on "admin" username during Azure provision
• BZ - 1478565 - Error generating reports after upgrading to 4.5
• BZ - 1478568 - Builds are connected to pods from different namespaces when builds have the same names
• BZ - 1478571 - Cloud volume operations are blocked by "Must filter on valid attributes for resource" error
• BZ - 1479367 - Provisioning to MS SCVMM Uses host.name instead of host.hostname
• BZ - 1479405 - [v2v] Drivers ISO filtering is broken
• BZ - 1479407 - Ansible inside Job times out even if the playbook is still running
• BZ - 1479409 - incorrect value used in stock automation wait_for_completion
• BZ - 1479414 - [v2v] Failures/Errors are not reflected at all in the Automate request messages
• BZ - 1479423 - Generic Service State Machine missing retry interval
• BZ - 1479437 - Azure inventory collection fails with missing instances for west-india region
• BZ - 1479453 - [v2v] operation always fail eventually, even in cases VM import was successful.
• BZ - 1479454 - [v2v] request timeout is very long (~2 days)
• BZ - 1479478 - VM Migrate State Machine does not correctly report migration errors.
• BZ - 1479481 - A deleted VM state do not change to Archived state
• BZ - 1479802 - Adding dialog for a new cloud volume doesn't show EBS storage manager
• BZ - 1479805 - Unable to provision against vmware with "multiple parents found" error
• BZ - 1479886 - After Applying ERRATA-RHSA-2017:1601 full refreshes are being trigged frequently
• BZ - 1479917 - Tag | Groups: Datastores is missing in "Host & Clusters" tree
• BZ - 1479920 - Hawkular verification - error message contains HTML tags
• BZ - 1479922 - The notification events are out of order
• BZ - 1479923 - [Embedded Ansible] - Unexpected error when clicking on Download summary icon
• BZ - 1479924 - Embedded Ansible worker has no icon in Diagnostics
• BZ - 1479925 - Button Group details page fields do not mention Group
• BZ - 1479926 - Button edit dialog title is incorrect
• BZ - 1479927 - Unable to perform power control operations on stack instance when navigated through stack summary page
• BZ - 1479929 - VM: Error when clicking on archived or orphaned VMware VM in VM explorer
• BZ - 1479931 - UX: Provisioning an ec2 instance image selection page has Type: "Image" splitted in two lines
• BZ - 1479935 - HTML5 Console: Toggle Full Screen Button Does not Work in Firefox
• BZ - 1479937 - Configuration Management Provider's Verify Peer Certificate setting doesn't get saved
• BZ - 1479938 - zones of sub region show up as zones appliances of a central region can move to
• BZ - 1479941 - Search field disappears when user clicks view selector after user input dialog on Compute->Infrastructure->All VMs page
• BZ - 1479943 - Adding an Automate Task schedule adds UTC to the last Attribute/Value pair
• BZ - 1479944 - User unable to tick the check boxes of the folder while assigning the Alert profile
• BZ - 1479959 - Unable to provision HyperV networking properly
• BZ - 1479972 - TypeError while refreshing a scvmm provider
• BZ - 1479976 - Refresh failed for VMware Provider in Cloudforms 4.5
• BZ - 1479978 - OpenStack cloud provider refresh error: Flavor <flavor id> could not be found
• BZ - 1479991 - Typo on Infra provider dashboard page
• BZ - 1479993 - Inconsistency between flash message when creating vs. deleting
• BZ - 1479994 - UI: "Unexpected error encountered" when Downloading report in text,csv and pdf format
• BZ - 1480000 - exception on attempt to open report with timelines "Operations VM Power On/Off Events for Last Week"
• BZ - 1480001 - [Embedded Ansible] URL is not validated while adding new Ansible Repository
• BZ - 1480002 - Broken navigation tree in the datastore details screen
• BZ - 1480007 - Provisions via Users in multiple groups in tenants in SSUI result in VMs being provisioned to wrong group/tenant
• BZ - 1480008 - Datasources Download .txt truncates host-name
• BZ - 1480286 - State Machine Changes when User Switches Groups During Provision in Admin UI
• BZ - 1480377 - [RHEVM]: VM snapshot: delete option is enabled, for Active VM
• BZ - 1480586 - [v2v] rephrase "Drivers ISO" label in the v2v dialog
• BZ - 1480588 - [v2v] Move the 'Transform this VM to RHV' option from 'Configuration' to 'Lifecycle'
• BZ - 1480589 - Reports type dashboard widgets cannot be minimized
• BZ - 1480654 - Duplicated users when changed the (upper,lower)case of letters of login name
• BZ - 1480734 - vm_retire_extend references vm.retirement which does not exist anymore, causing crash
• BZ - 1481296 - CloudForms REST API searching for reports by names that contain '>' fails with a '400 - Bad Request'
• BZ - 1481436 - In Utilisation graph for Pods and Containers the Rounding of metrics is inconsistant
• BZ - 1481437 - [UI] - Unexpected error encountered when switching to 'Cloud Intel' main tab
• BZ - 1481439 - Duplicate flash message in Optimize/Bottlenecks
• BZ - 1481442 - duplicate status messages when saving automate methods
• BZ - 1481445 - Ansible Automation: missing group id in manageiq payload
• BZ - 1481449 - Instance Type on Provision Instances remains empty after adding flavor which has disk size of 0
• BZ - 1481450 - Unable to provision against vmware due to "unknown method xsiType"
• BZ - 1481845 - Delete a Template in RHEV that a Catalog uses, no indication in logs or UI when Catalog Ordered
• BZ - 1481846 - appliance_console_cli doesn't handle ipa registration if the password has a '$' in it
• BZ - 1481849 - "Page does not exist" when clicked on Service Catalog item breadcrumb link from stack page
• BZ - 1481851 - Internal Server Error when creating schedule for automate task
• BZ - 1481853 - Drop down history toolbar button on Import/Export report page is not needed, should be removed.
• BZ - 1482131 - Title displayed in add button page is wrong
• BZ - 1482136 - CFME OpenStack provider missing options to set VLAN or Segmentation ID
• BZ - 1482148 - Missing Icon of power state - migrating
• BZ - 1482170 - unable to provision against openstack with a volume attached
• BZ - 1482666 - Cannot edit Ansible Repository
• BZ - 1482667 - sat6 save button broken after changing rhsm details to sat6 setup
• BZ - 1482668 - prov.set_host fails on 4.5.1 (5.8.1.5.20170725160636_e433fc0)
• BZ - 1482669 - setting hostname through appliance console throws error on ipv6 only env
• BZ - 1482670 - Workers processing a miq_queue message that exceed the memory threshold aren't given enough time to exit gracefully
• BZ - 1484373 - Reports are not generated by API call
• BZ - 1484374 - Failure to collect metrics of Window instances on Azure
• BZ - 1484385 - Setting VM ownership on more than 100 VMs at a time causing server error status 400 bad request
• BZ - 1484424 - [Embedded Ansible] Failed Repository does not show up in All Repositories Table on /ansible_repository/show_list
• BZ - 1484539 - Custom button not passing target object to dynamic dialog fields
• BZ - 1484548 - [RFE] Add config option to skip container_images
• BZ - 1484608 - SUI : The VM status shows "retired" for all VM's ,retired or not.
• BZ - 1484613 - RHEVM Target Refresh Completes Even Though Storage Domain Error is Thrown
• BZ - 1484895 - Reports - pods per ready status - nonexistent pods presented
• BZ - 1484901 - [RFE] Include EvmRole-reader as read-only role in the fixtures
• BZ - 1484904 - Tower version 2 may fail refresh
• BZ - 1484956 - [v2v] 'Drivers ISO' field is not removed when 'install drivers' is unchecked.
• BZ - 1484984 - [RFE] The azure image as built cannot be used in azure.
• BZ - 1485474 - CVE-2017-12148 Ansible Tower modification of git hooks in SCM repo via upstream playbook execution
• BZ - 1486351 - Service order request for VM provision from template fail on SSL Certificate verification
• BZ - 1486474 - Locale dropdown menu does not have Portuguese
• BZ - 1487283 - Refresh fails: undefined method `[]' for nil:NilClass in `parse_image_name'
• BZ - 1487320 - Unable to access filter tab while Editing chargeback for projects report
• BZ - 1487689 - duplicate users get created from ldap logins
• BZ - 1488967 - Need to verify that SSA works with Azure Managed Storage
• BZ - 1489974 - Unable to login to Amazon account.
• BZ - 1491310 - Smart state analysis on a running vm on Azure doesn't work
• BZ - 1492840 - [UI][Services] - Not all catalog items shown in Service catalogs accordion tree
• BZ - 1493207 - Add miq_provision_quota_mixin to Service Template Provision Request service model.
• BZ - 1494561 - Save only used OpenShift images with labels/tags
• BZ - 1496912 - Proxy configuration does not work in restricted IPV6 only environment
• BZ - 1496946 - setting a dynamic dialog to "required = True" is not saved
• BZ - 1497746 - Editing Name of a Category via API breaks Chargeback Assignments
• BZ - 1497817 - Appliance doesn't start after upgrading from 5.7.4.0 to 5.8.2.0
• BZ - 1497835 - Tag/Networks: Cloud Network list is available for restricted user, if Network manager was tagged
• BZ - 1498230 - [Regression] appliance_console not enabling all required SCAP rules.
• BZ - 1498556 - Azure Smart State on Image results error "Unable to mount filesystem. Reason:[undefined method `split' for nil:NilClass" in evm.log
• BZ - 1499868 - DB/LDAP User is not able to log into SSUI
• BZ - 1500049 - Cannot add Azure provider to CloudForms 4.2
• BZ - 1500051 - Azure refreshes fail with [NameError]: wrong constant name $default
• BZ - 1500053 - Cloudforms AWS image with Azure provider fails to discover entire environment
• BZ - 1502738 - Dynamic refresh ignored on Service Dialog elements if clicking submit without clicking out of refresh trigger element first

CVEs

• CVE-2017-11610
• CVE-2017-12148

References

• https://access.redhat.com/security/updates/classification/#important
• https://access.redhat.com/documentation/en-us/red_hat_cloudforms/4.5/html/release_notes/index#red_hat_cloudforms_4_5_2