Red Hat Product Errata RHSA-2017:3484 - Security Advisory
Issued: 2017-12-18
Updated: 2017-12-18


Synopsis

Important: Red Hat CloudForms security, bug fix, and enhancement update

Type/Severity

Security Advisory: Important


Topic

An update for cfme, cfme-appliance, and cfme-gemset is now available for CloudForms Management Engine 5.7.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

Red Hat CloudForms Management Engine delivers the insight, control, and automation needed to address the challenges of managing virtual environments. CloudForms Management Engine is built on Ruby on Rails, a model-view-controller (MVC) framework for web application development. Action Pack implements the controller and the view components.

CloudForms Management Engine Appliance.

CloudForms Management Engine Gemset.

Security Fix(es):

  • CloudForms lacks RBAC controls on certain methods in the rails application portion of CloudForms. An attacker with access could use a variety of methods within the rails applications portion of CloudForms to escalate privileges. (CVE-2017-2664)

This issue was discovered by Libor Pichler (Red Hat) and Martin Povolny (Red Hat).

Additional Changes:

This update also fixes several bugs and adds various enhancements. Documentation for these changes is available from the Release Notes document linked to in the References section.

Solution

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/11258

Affected Products

  • Red Hat CloudForms 4.2 x86_64

Fixes

  • BZ - 1344690 - ActionController::RoutingError in automation simulation tree
  • BZ - 1401560 - Missing buttons Graph view, Hybrid view, Table view and missing option Show full screen report
  • BZ - 1424267 - selection doesn't move along with added/copied Condition in Control->Explorer->Policies treeview
  • BZ - 1429962 - UI: VM "Edit Management Engine Relationship", 'Save' problem mal functionning
  • BZ - 1435393 - CVE-2017-2664 CloudForms: lack of RBAC on various methods in web UI
  • BZ - 1440105 - UI: Tasks are using an old icons for Task State.
  • BZ - 1449404 - IE 11 on windows 7: On topology page entity icons are not displaying properly
  • BZ - 1451831 - [Ansible Tower] - Ansible Tower Jobs - relationships table - undefined method when clicking on Service
  • BZ - 1457979 - After killing reporting worker, report status still says Running
  • BZ - 1458287 - Incorrect padding in Actions and Conditions selection screens
  • BZ - 1460149 - [Ansible Tower] - Unexpected error when clicking on successful job
  • BZ - 1460656 - WebUI:Tag Visibility - Ansible Tower Job Templates should honor tag visiblity
  • BZ - 1460696 - HTML in node names of Control/Simulation tree
  • BZ - 1460938 - Unexpected error encountered while clicking on "Download PDF" button on Switch page
  • BZ - 1462104 - [Amazon EC2] - ManageIQ string in PDF filename of Network provider and in PDF title
  • BZ - 1462146 - Access Web Console Cockpit not compatible with Windows VMs
  • BZ - 1463265 - Missing id attribute on Cloud->Instance Edit form, Child VM MultiBoxSelect
  • BZ - 1465077 - CFME collects C&U metrics even before resource creation
  • BZ - 1465079 - report vm and instances field 'Provision.Request : Approved By' does not apply any styling
  • BZ - 1465080 - The IP version (network protocol) is not displayed when editing cloud subnets
  • BZ - 1465081 - Formatting of Provider summary PDF file generated from provider summary page is very broken
  • BZ - 1465082 - [SDN][Tags] - Redirection to Network provider summary page page after tag is saved
  • BZ - 1465083 - Tag Visibility | Cloud Stack: Tag is not added if stack list opened from provider detail page
  • BZ - 1465084 - service now integrations for determining host_name return empty array
  • BZ - 1465086 - Hourly metrics_## tables grow filling up the VMDB filesystem when real-time purges fail
  • BZ - 1465088 - Service template provisioning request do not honour quotas
  • BZ - 1465090 - "Items" keyword in the dropdown list values of Default Items Per Page in my settings
  • BZ - 1465091 - [RFE] External Auth - AD - samba-common-tools and deps missing from appliance.
  • BZ - 1465093 - The 'Assigned Filters' setting in the Settings->Access Control->Groups->[group name] only applies to 'Hosts & Clusters', and not the Network providers.
  • BZ - 1465415 - Service Retirement not working properly for Orchestration Stacks due to missing zone.
  • BZ - 1468593 - Check for blank password in database configuration to avoid postgres errors
  • BZ - 1468606 - Azure refresh fails if provider has no orchestration stacks
  • BZ - 1468612 - prevent two miq servers from starting
  • BZ - 1468613 - Remote VNC/SPICE consoles lack logging when the remote endpoint is inaccessible
  • BZ - 1468614 - Not able to retire VM/instance via API unless "Set Retirement Date" feature is checked for role
  • BZ - 1468633 - websocket connection leaks causing failed connections
  • BZ - 1469297 - Unable to select the Azure region UK South
  • BZ - 1469703 - performance issue in openstack collection
  • BZ - 1471201 - Replace nodejs010 with node from SCL in appliances
  • BZ - 1471202 - Unable to save trusted forest Settings
  • BZ - 1471204 - Not possible to refresh automate from GIT using API call
  • BZ - 1471315 - Tag with Key 'Name' and a nil Value Breaks Refresh for AWS
  • BZ - 1472364 - Productized border at top of page should be red not blue
  • BZ - 1472381 - Ansible tower job templates filters are not displayed
  • BZ - 1472383 - Deleted labels still show up in CFME after provider refresh
  • BZ - 1472384 - Some container resources not cleaned up after removal from Openshift - research
  • BZ - 1472806 - <Choose> found as option in drop down service dialogs
  • BZ - 1473271 - Raise MiqProvisionError if instance is in error state
  • BZ - 1475020 - Drop Down List Dialog does not keep default value for Integer type
  • BZ - 1475031 - After applying errata 5.7.3.2 some dialog field default values are missing in the self-service portal
  • BZ - 1476270 - Validation Credentials fails for OSP 10 Provider with AD "domain" user
  • BZ - 1476279 - OpenStack cloud provider refresh error: Flavor <flavor id> could not be found
  • BZ - 1476284 - After Applying ERRATA-RHSA-2017:1601 full refreshes are being trigged frequently
  • BZ - 1476296 - Unable to perform power control operations on stack instance when navigated through stack summary page
  • BZ - 1476395 - OSP: when validating an account with access to many projects, it checks each, and times out
  • BZ - 1477195 - AD with external auth, When doing group lookup for user group SID number is displayed instead of Group name
  • BZ - 1477617 - Validation failed: Status is not included in the list
  • BZ - 1477722 - Unable to provision against vmware with "multiple parents found" error
  • BZ - 1477723 - zones of sub region show up as zones appliances of a central region can move to
  • BZ - 1477725 - Search field disappears when user clicks view selector after user input dialog on Compute->Infrastructure->All VMs page
  • BZ - 1477727 - Refresh failed for VMware Provider in Cloudforms 4.5
  • BZ - 1478368 - User unable to tick the check boxes of the folder while assigning the Alert profile
  • BZ - 1479377 - Provisioning to MS SCVMM Uses host.name instead of host.hostname
  • BZ - 1479410 - incorrect value used in stock automation wait_for_completion
  • BZ - 1480630 - prefetch_below_threshold? failure after AWS upgrade
  • BZ - 1481743 - UI: "Unexpected error encountered" when Downloading report in text,csv and pdf format
  • BZ - 1481859 - Provisions via Users in multiple groups in tenants in SSUI result in VMs being provisioned to wrong group/tenant
  • BZ - 1481862 - Azure inventory collection fails with missing instances for west-india region
  • BZ - 1481864 - Datasources Download .txt truncates host-name
  • BZ - 1481865 - Unable to provision HyperV networking properly
  • BZ - 1481867 - Unable to provision against vmware due to "unknown method xsiType"
  • BZ - 1481870 - Quota not using cloud volumes in requested resource calculation.
  • BZ - 1482151 - Missing Icon of power state - migrating
  • BZ - 1482672 - Workers processing a miq_queue message that exceed the memory threshold aren't given enough time to exit gracefully
  • BZ - 1484387 - Setting VM ownership on more than 100 VMs at a time causing server error status 400 bad request
  • BZ - 1484541 - Custom button not passing target object to dynamic dialog fields
  • BZ - 1484549 - [RFE] Add config option to skip container_images
  • BZ - 1487280 - Refresh fails: undefined method `[]' for nil:NilClass in `parse_image_name'
  • BZ - 1487289 - [RFE] Include EvmRole-reader as read-only role in the fixtures
  • BZ - 1487297 - [RFE] The azure image as built cannot be used in azure.
  • BZ - 1487307 - Unable to perform any actions on cloud objects from list view when navigated to cloud tenants
  • BZ - 1487321 - Unable to access filter tab while Editing chargeback for projects report
  • BZ - 1487323 - Save only used OpenShift images with labels/tags
  • BZ - 1487686 - Drop down history toolbar button on Import/Export report page is not needed, should be removed.
  • BZ - 1487694 - UI elements not loading and reporting widgets not showing data points
  • BZ - 1490434 - Clicking x button in search box doesn't remove the search
  • BZ - 1491576 - [Regression] Unable to assign actions to a policy
  • BZ - 1492158 - Quota management doesn't work according the expected
  • BZ - 1492867 - Dashboard shows 2 for "retiring soon" services but clicking on that link shows None
  • BZ - 1493700 - HTML5 VNC Remote Console: Remove VNC proxy from the UI
  • BZ - 1494189 - vc refreshes are preventing full refreshes
  • BZ - 1495971 - setting a dynamic dialog to "required = True" is not saved
  • BZ - 1496597 - Setting memory_reserve lower than vm_memory failed
  • BZ - 1497522 - Deleted VM is moved to status Orphan, though it should move to Archived.
  • BZ - 1497748 - Editing Name of a Category via API breaks Chargeback Assignments
  • BZ - 1498095 - Tag/Networks: Cloud Network list is available for restricted user, if Network manager was tagged
  • BZ - 1498131 - It allows me to have filter with same name twice when loading global filter
  • BZ - 1498232 - [Regression] appliance_console not enabling all required SCAP rules.
  • BZ - 1500050 - Cannot add Azure provider to CloudForms 4.2
  • BZ - 1500052 - Azure refreshes fail with [NameError]: wrong constant name $default
  • BZ - 1500067 - Cloudforms AWS image with Azure provider fails to discover entire environment
  • BZ - 1500995 - Unable to initiate VM console in VMware environment with 6.5 VC and ESXi 6.5
  • BZ - 1501478 - overwriting reports causes new runs of the report to not show data for some columns
  • BZ - 1502739 - Dynamic refresh ignored on Service Dialog elements if clicking submit without clicking out of refresh trigger element first
  • BZ - 1505417 - Records with duplicate timestamp in metrics rollup table
  • BZ - 1505458 - UI: PDF Download button is missing from the infra provider summary page (it is displayed for cloud providers)
  • BZ - 1505468 - Edit tags not working while navigating to instance through provider
  • BZ - 1505546 - [EUWE] HTML5 Console Does Not Display From SSUI/OPS UI VMWare
  • BZ - 1506626 - compute.instance.exists events
  • BZ - 1509420 - Queue workers are frequently querying pg_backend_pid
  • BZ - 1517712 - Storage Volume Attach give Unexpected Error
  • BZ - 1521043 - Azure NetworkManager refresh failure with "undefined method `source_address_prefix'" error

CVEs

  • CVE-2017-2664

References

  • https://access.redhat.com/security/updates/classification/#important
Updated Packages

Note: More recent versions of these packages may be available.

Red Hat CloudForms 4.2

SRPM
cfme-5.7.4.2-1.el7cf.src.rpm SHA-256: 067eb1f3b17afe5ecafe731b9b8e8d3e095b1896d523e25fc2f8493616e6145a
cfme-appliance-5.7.4.2-1.el7cf.src.rpm SHA-256: a22048b3780f0a8b291961519e547a94a9d3a25497810d2f39a15a06b461a664
cfme-gemset-5.7.4.2-1.el7cf.src.rpm SHA-256: 593c41baf5a66e3f240753996142947f143d541f437de29b762336f60b42fc0d
rh-ruby23-rubygem-nokogiri-1.8.1-2.el7cf.src.rpm SHA-256: 8058ce54fd94de8b8b55b083d019361cd487ec6627d4a0be135ac08e2485e367
x86_64
cfme-5.7.4.2-1.el7cf.x86_64.rpm SHA-256: 723867feb37590045d16c9e26420535d32404ba9e97a44511f1aa534f1c41876
cfme-appliance-5.7.4.2-1.el7cf.x86_64.rpm SHA-256: 64f3a1a6801dc8373405e4724d66589fc28cfb27756bc9991a7ed452c94cece8
cfme-appliance-debuginfo-5.7.4.2-1.el7cf.x86_64.rpm SHA-256: 6a6a98f2c27118c3248e385575715a0ddd5781f5a219683d199f0e1bce6cc47c
cfme-debuginfo-5.7.4.2-1.el7cf.x86_64.rpm SHA-256: f5f0715845c3375d5d7c209c21a63ae2de0c9f6822915e3b09b11ad418f0f61b
cfme-gemset-5.7.4.2-1.el7cf.x86_64.rpm SHA-256: 8c0bfd22ff65d1513b306ef3300b0506b453718a7845df4528d6c515ee7009ba
rh-ruby23-rubygem-nokogiri-1.8.1-2.el7cf.x86_64.rpm SHA-256: 70ee4b25ba7b6ef0a6a090cc2f62679428c51b39cbaef57634a5cfbb903f551a
rh-ruby23-rubygem-nokogiri-debuginfo-1.8.1-2.el7cf.x86_64.rpm SHA-256: b4948f28de0ba3de4df97c18e055a21a2375efca32c0dfd829a60a480511e0c9
rh-ruby23-rubygem-nokogiri-doc-1.8.1-2.el7cf.x86_64.rpm SHA-256: 09f5bfa6cd072b48e9e169f4a5dbfc323b6f8acf72c0e081207d324b46fc56c6

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.
