RHSA-2017:3484 - Security Advisory

Topic

An update for cfme, cfme-appliance, and cfme-gemset is now available for CloudForms Management Engine 5.7.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

Red Hat CloudForms Management Engine delivers the insight, control, and automation needed to address the challenges of managing virtual environments. CloudForms Management Engine is built on Ruby on Rails, a model-view-controller (MVC) framework for web application development. Action Pack implements the controller and the view components.

CloudForms Management Engine Appliance.

CloudForms Management Engine Gemset.

Security Fix(es):

• CloudForms lacks RBAC controls on certain methods in the rails application portion of CloudForms. An attacker with access could use a variety of methods within the rails applications portion of CloudForms to escalate privileges. (CVE-2017-2664)

This issue was discovered by Libor Pichler (Red Hat) and Martin Povolny (Red Hat).

Additional Changes:

This update also fixes several bugs and adds various enhancements. Documentation for these changes is available from the Release Notes document linked to in the References section.

Solution

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/11258

Affected Products

• Red Hat CloudForms 4.2 x86_64

Fixes

• BZ - 1344690 - ActionController::RoutingError in automation simulation tree
• BZ - 1401560 - Missing buttons Graph view, Hybrid view, Table view and missing option Show full screen report
• BZ - 1424267 - selection doesn't move along with added/copied Condition in Control->Explorer->Policies treeview
• BZ - 1429962 - UI: VM "Edit Management Engine Relationship", 'Save' problem mal functionning
• BZ - 1435393 - CVE-2017-2664 CloudForms: lack of RBAC on various methods in web UI
• BZ - 1440105 - UI: Tasks are using an old icons for Task State.
• BZ - 1449404 - IE 11 on windows 7: On topology page entity icons are not displaying properly
• BZ - 1451831 - [Ansible Tower] - Ansible Tower Jobs - relationships table - undefined method when clicking on Service
• BZ - 1457979 - After killing reporting worker, report status still says Running
• BZ - 1458287 - Incorrect padding in Actions and Conditions selection screens
• BZ - 1460149 - [Ansible Tower] - Unexpected error when clicking on successful job
• BZ - 1460656 - WebUI:Tag Visibility - Ansible Tower Job Templates should honor tag visiblity
• BZ - 1460696 - HTML in node names of Control/Simulation tree
• BZ - 1460938 - Unexpected error encountered while clicking on "Download PDF" button on Switch page
• BZ - 1462104 - [Amazon EC2] - ManageIQ string in PDF filename of Network provider and in PDF title
• BZ - 1462146 - Access Web Console Cockpit not compatible with Windows VMs
• BZ - 1463265 - Missing id attribute on Cloud->Instance Edit form, Child VM MultiBoxSelect
• BZ - 1465077 - CFME collects C&U metrics even before resource creation
• BZ - 1465079 - report vm and instances field 'Provision.Request : Approved By' does not apply any styling
• BZ - 1465080 - The IP version (network protocol) is not displayed when editing cloud subnets
• BZ - 1465081 - Formatting of Provider summary PDF file generated from provider summary page is very broken
• BZ - 1465082 - [SDN][Tags] - Redirection to Network provider summary page page after tag is saved
• BZ - 1465083 - Tag Visibility | Cloud Stack: Tag is not added if stack list opened from provider detail page
• BZ - 1465084 - service now integrations for determining host_name return empty array
• BZ - 1465086 - Hourly metrics_## tables grow filling up the VMDB filesystem when real-time purges fail
• BZ - 1465088 - Service template provisioning request do not honour quotas
• BZ - 1465090 - "Items" keyword in the dropdown list values of Default Items Per Page in my settings
• BZ - 1465091 - [RFE] External Auth - AD - samba-common-tools and deps missing from appliance.
• BZ - 1465093 - The 'Assigned Filters' setting in the Settings->Access Control->Groups->[group name] only applies to 'Hosts & Clusters', and not the Network providers.
• BZ - 1465415 - Service Retirement not working properly for Orchestration Stacks due to missing zone.
• BZ - 1468593 - Check for blank password in database configuration to avoid postgres errors
• BZ - 1468606 - Azure refresh fails if provider has no orchestration stacks
• BZ - 1468612 - prevent two miq servers from starting
• BZ - 1468613 - Remote VNC/SPICE consoles lack logging when the remote endpoint is inaccessible
• BZ - 1468614 - Not able to retire VM/instance via API unless "Set Retirement Date" feature is checked for role
• BZ - 1468633 - websocket connection leaks causing failed connections
• BZ - 1469297 - Unable to select the Azure region UK South
• BZ - 1469703 - performance issue in openstack collection
• BZ - 1471201 - Replace nodejs010 with node from SCL in appliances
• BZ - 1471202 - Unable to save trusted forest Settings
• BZ - 1471204 - Not possible to refresh automate from GIT using API call
• BZ - 1471315 - Tag with Key 'Name' and a nil Value Breaks Refresh for AWS
• BZ - 1472364 - Productized border at top of page should be red not blue
• BZ - 1472381 - Ansible tower job templates filters are not displayed
• BZ - 1472383 - Deleted labels still show up in CFME after provider refresh
• BZ - 1472384 - Some container resources not cleaned up after removal from Openshift - research
• BZ - 1472806 - <Choose> found as option in drop down service dialogs
• BZ - 1473271 - Raise MiqProvisionError if instance is in error state
• BZ - 1475020 - Drop Down List Dialog does not keep default value for Integer type
• BZ - 1475031 - After applying errata 5.7.3.2 some dialog field default values are missing in the self-service portal
• BZ - 1476270 - Validation Credentials fails for OSP 10 Provider with AD "domain" user
• BZ - 1476279 - OpenStack cloud provider refresh error: Flavor <flavor id> could not be found
• BZ - 1476284 - After Applying ERRATA-RHSA-2017:1601 full refreshes are being trigged frequently
• BZ - 1476296 - Unable to perform power control operations on stack instance when navigated through stack summary page
• BZ - 1476395 - OSP: when validating an account with access to many projects, it checks each, and times out
• BZ - 1477195 - AD with external auth, When doing group lookup for user group SID number is displayed instead of Group name
• BZ - 1477617 - Validation failed: Status is not included in the list
• BZ - 1477722 - Unable to provision against vmware with "multiple parents found" error
• BZ - 1477723 - zones of sub region show up as zones appliances of a central region can move to
• BZ - 1477725 - Search field disappears when user clicks view selector after user input dialog on Compute->Infrastructure->All VMs page
• BZ - 1477727 - Refresh failed for VMware Provider in Cloudforms 4.5
• BZ - 1478368 - User unable to tick the check boxes of the folder while assigning the Alert profile
• BZ - 1479377 - Provisioning to MS SCVMM Uses host.name instead of host.hostname
• BZ - 1479410 - incorrect value used in stock automation wait_for_completion
• BZ - 1480630 - prefetch_below_threshold? failure after AWS upgrade
• BZ - 1481743 - UI: "Unexpected error encountered" when Downloading report in text,csv and pdf format
• BZ - 1481859 - Provisions via Users in multiple groups in tenants in SSUI result in VMs being provisioned to wrong group/tenant
• BZ - 1481862 - Azure inventory collection fails with missing instances for west-india region
• BZ - 1481864 - Datasources Download .txt truncates host-name
• BZ - 1481865 - Unable to provision HyperV networking properly
• BZ - 1481867 - Unable to provision against vmware due to "unknown method xsiType"
• BZ - 1481870 - Quota not using cloud volumes in requested resource calculation.
• BZ - 1482151 - Missing Icon of power state - migrating
• BZ - 1482672 - Workers processing a miq_queue message that exceed the memory threshold aren't given enough time to exit gracefully
• BZ - 1484387 - Setting VM ownership on more than 100 VMs at a time causing server error status 400 bad request
• BZ - 1484541 - Custom button not passing target object to dynamic dialog fields
• BZ - 1484549 - [RFE] Add config option to skip container_images
• BZ - 1487280 - Refresh fails: undefined method `[]' for nil:NilClass in `parse_image_name'
• BZ - 1487289 - [RFE] Include EvmRole-reader as read-only role in the fixtures
• BZ - 1487297 - [RFE] The azure image as built cannot be used in azure.
• BZ - 1487307 - Unable to perform any actions on cloud objects from list view when navigated to cloud tenants
• BZ - 1487321 - Unable to access filter tab while Editing chargeback for projects report
• BZ - 1487323 - Save only used OpenShift images with labels/tags
• BZ - 1487686 - Drop down history toolbar button on Import/Export report page is not needed, should be removed.
• BZ - 1487694 - UI elements not loading and reporting widgets not showing data points
• BZ - 1490434 - Clicking x button in search box doesn't remove the search
• BZ - 1491576 - [Regression] Unable to assign actions to a policy
• BZ - 1492158 - Quota management doesn't work according the expected
• BZ - 1492867 - Dashboard shows 2 for "retiring soon" services but clicking on that link shows None
• BZ - 1493700 - HTML5 VNC Remote Console: Remove VNC proxy from the UI
• BZ - 1494189 - vc refreshes are preventing full refreshes
• BZ - 1495971 - setting a dynamic dialog to "required = True" is not saved
• BZ - 1496597 - Setting memory_reserve lower than vm_memory failed
• BZ - 1497522 - Deleted VM is moved to status Orphan, though it should move to Archived.
• BZ - 1497748 - Editing Name of a Category via API breaks Chargeback Assignments
• BZ - 1498095 - Tag/Networks: Cloud Network list is available for restricted user, if Network manager was tagged
• BZ - 1498131 - It allows me to have filter with same name twice when loading global filter
• BZ - 1498232 - [Regression] appliance_console not enabling all required SCAP rules.
• BZ - 1500050 - Cannot add Azure provider to CloudForms 4.2
• BZ - 1500052 - Azure refreshes fail with [NameError]: wrong constant name $default
• BZ - 1500067 - Cloudforms AWS image with Azure provider fails to discover entire environment
• BZ - 1500995 - Unable to initiate VM console in VMware environment with 6.5 VC and ESXi 6.5
• BZ - 1501478 - overwriting reports causes new runs of the report to not show data for some columns
• BZ - 1502739 - Dynamic refresh ignored on Service Dialog elements if clicking submit without clicking out of refresh trigger element first
• BZ - 1505417 - Records with duplicate timestamp in metrics rollup table
• BZ - 1505458 - UI: PDF Download button is missing from the infra provider summary page (it is displayed for cloud providers)
• BZ - 1505468 - Edit tags not working while navigating to instance through provider
• BZ - 1505546 - [EUWE] HTML5 Console Does Not Display From SSUI/OPS UI VMWare
• BZ - 1506626 - compute.instance.exists events
• BZ - 1509420 - Queue workers are frequently querying pg_backend_pid
• BZ - 1517712 - Storage Volume Attach give Unexpected Error
• BZ - 1521043 - Azure NetworkManager refresh failure with "undefined method `source_address_prefix'" error

CVEs

• CVE-2017-2664

References

• https://access.redhat.com/security/updates/classification/#important