RHSA-2017:3484 - Security Advisory

Issued: 2017-12-18
Updated: 2017-12-18

Synopsis

Important: Red Hat CloudForms security, bug fix, and enhancement update

Type/Severity

Security Advisory: Important


Topic

An update for cfme, cfme-appliance, and cfme-gemset is now available for CloudForms Management Engine 5.7.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

Red Hat CloudForms Management Engine delivers the insight, control, and automation needed to address the challenges of managing virtual environments. CloudForms Management Engine is built on Ruby on Rails, a model-view-controller (MVC) framework for web application development; Action Pack implements the controller and the view components.

The cfme-appliance package provides the CloudForms Management Engine Appliance, and the cfme-gemset package provides the CloudForms Management Engine Gemset.

Security Fix(es):

  • CloudForms lacked role-based access control (RBAC) checks on certain methods in its Rails web application. An attacker with access to the application could invoke those methods to escalate privileges. (CVE-2017-2664) The fix is in the updated cfme packages; this advisory describes no configuration workaround.

This issue was discovered by Libor Pichler (Red Hat) and Martin Povolny (Red Hat).

Additional Changes:

This update also fixes several bugs and adds various enhancements. Documentation for these changes is available from the Release Notes document linked to in the References section.

Solution

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/11258

Affected Products

  • Red Hat CloudForms 4.2 x86_64

Fixes

  • BZ - 1344690 - ActionController::RoutingError in automation simulation tree
  • BZ - 1401560 - Missing buttons Graph view, Hybrid view, Table view and missing option Show full screen report
  • BZ - 1424267 - selection doesn't move along with added/copied Condition in Control->Explorer->Policies treeview
  • BZ - 1429962 - UI: VM "Edit Management Engine Relationship", 'Save' button malfunctioning
  • BZ - 1435393 - CVE-2017-2664 CloudForms: lack of RBAC on various methods in web UI
  • BZ - 1440105 - UI: Tasks are using old icons for Task State.
  • BZ - 1449404 - IE 11 on windows 7: On topology page entity icons are not displaying properly
  • BZ - 1451831 - [Ansible Tower] - Ansible Tower Jobs - relationships table - undefined method when clicking on Service
  • BZ - 1457979 - After killing reporting worker, report status still says Running
  • BZ - 1458287 - Incorrect padding in Actions and Conditions selection screens
  • BZ - 1460149 - [Ansible Tower] - Unexpected error when clicking on successful job
  • BZ - 1460656 - WebUI: Tag Visibility - Ansible Tower Job Templates should honor tag visibility
  • BZ - 1460696 - HTML in node names of Control/Simulation tree
  • BZ - 1460938 - Unexpected error encountered while clicking on "Download PDF" button on Switch page
  • BZ - 1462104 - [Amazon EC2] - ManageIQ string in PDF filename of Network provider and in PDF title
  • BZ - 1462146 - Access Web Console Cockpit not compatible with Windows VMs
  • BZ - 1463265 - Missing id attribute on Cloud->Instance Edit form, Child VM MultiBoxSelect
  • BZ - 1465077 - CFME collects C&U metrics even before resource creation
  • BZ - 1465079 - report vm and instances field 'Provision.Request : Approved By' does not apply any styling
  • BZ - 1465080 - The IP version (network protocol) is not displayed when editing cloud subnets
  • BZ - 1465081 - Formatting of Provider summary PDF file generated from provider summary page is very broken
  • BZ - 1465082 - [SDN][Tags] - Redirection to Network provider summary page after tag is saved
  • BZ - 1465083 - Tag Visibility | Cloud Stack: Tag is not added if stack list opened from provider detail page
  • BZ - 1465084 - service now integrations for determining host_name return empty array
  • BZ - 1465086 - Hourly metrics_## tables grow filling up the VMDB filesystem when real-time purges fail
  • BZ - 1465088 - Service template provisioning request do not honour quotas
  • BZ - 1465090 - "Items" keyword in the dropdown list values of Default Items Per Page in my settings
  • BZ - 1465091 - [RFE] External Auth - AD - samba-common-tools and deps missing from appliance.
  • BZ - 1465093 - The 'Assigned Filters' setting in the Settings->Access Control->Groups->[group name] only applies to 'Hosts & Clusters', and not the Network providers.
  • BZ - 1465415 - Service Retirement not working properly for Orchestration Stacks due to missing zone.
  • BZ - 1468593 - Check for blank password in database configuration to avoid postgres errors
  • BZ - 1468606 - Azure refresh fails if provider has no orchestration stacks
  • BZ - 1468612 - prevent two miq servers from starting
  • BZ - 1468613 - Remote VNC/SPICE consoles lack logging when the remote endpoint is inaccessible
  • BZ - 1468614 - Not able to retire VM/instance via API unless "Set Retirement Date" feature is checked for role
  • BZ - 1468633 - websocket connection leaks causing failed connections
  • BZ - 1469297 - Unable to select the Azure region UK South
  • BZ - 1469703 - performance issue in openstack collection
  • BZ - 1471201 - Replace nodejs010 with node from SCL in appliances
  • BZ - 1471202 - Unable to save trusted forest Settings
  • BZ - 1471204 - Not possible to refresh automate from GIT using API call
  • BZ - 1471315 - Tag with Key 'Name' and a nil Value Breaks Refresh for AWS
  • BZ - 1472364 - Productized border at top of page should be red not blue
  • BZ - 1472381 - Ansible tower job templates filters are not displayed
  • BZ - 1472383 - Deleted labels still show up in CFME after provider refresh
  • BZ - 1472384 - Some container resources not cleaned up after removal from Openshift - research
  • BZ - 1472806 - <Choose> found as option in drop down service dialogs
  • BZ - 1473271 - Raise MiqProvisionError if instance is in error state
  • BZ - 1475020 - Drop Down List Dialog does not keep default value for Integer type
  • BZ - 1475031 - After applying errata 5.7.3.2 some dialog field default values are missing in the self-service portal
  • BZ - 1476270 - Validation Credentials fails for OSP 10 Provider with AD "domain" user
  • BZ - 1476279 - OpenStack cloud provider refresh error: Flavor <flavor id> could not be found
  • BZ - 1476284 - After applying ERRATA-RHSA-2017:1601 full refreshes are being triggered frequently
  • BZ - 1476296 - Unable to perform power control operations on stack instance when navigated through stack summary page
  • BZ - 1476395 - OSP: when validating an account with access to many projects, it checks each, and times out
  • BZ - 1477195 - AD with external auth, When doing group lookup for user group SID number is displayed instead of Group name
  • BZ - 1477617 - Validation failed: Status is not included in the list
  • BZ - 1477722 - Unable to provision against vmware with "multiple parents found" error
  • BZ - 1477723 - zones of sub region show up as zones appliances of a central region can move to
  • BZ - 1477725 - Search field disappears when user clicks view selector after user input dialog on Compute->Infrastructure->All VMs page
  • BZ - 1477727 - Refresh failed for VMware Provider in Cloudforms 4.5
  • BZ - 1478368 - User unable to tick the check boxes of the folder while assigning the Alert profile
  • BZ - 1479377 - Provisioning to MS SCVMM Uses host.name instead of host.hostname
  • BZ - 1479410 - incorrect value used in stock automation wait_for_completion
  • BZ - 1480630 - prefetch_below_threshold? failure after AWS upgrade
  • BZ - 1481743 - UI: "Unexpected error encountered" when Downloading report in text,csv and pdf format
  • BZ - 1481859 - Provisions via Users in multiple groups in tenants in SSUI result in VMs being provisioned to wrong group/tenant
  • BZ - 1481862 - Azure inventory collection fails with missing instances for west-india region
  • BZ - 1481864 - Datasources Download .txt truncates host-name
  • BZ - 1481865 - Unable to provision HyperV networking properly
  • BZ - 1481867 - Unable to provision against vmware due to "unknown method xsiType"
  • BZ - 1481870 - Quota not using cloud volumes in requested resource calculation.
  • BZ - 1482151 - Missing Icon of power state - migrating
  • BZ - 1482672 - Workers processing a miq_queue message that exceed the memory threshold aren't given enough time to exit gracefully
  • BZ - 1484387 - Setting VM ownership on more than 100 VMs at a time causing server error status 400 bad request
  • BZ - 1484541 - Custom button not passing target object to dynamic dialog fields
  • BZ - 1484549 - [RFE] Add config option to skip container_images
  • BZ - 1487280 - Refresh fails: undefined method `[]' for nil:NilClass in `parse_image_name'
  • BZ - 1487289 - [RFE] Include EvmRole-reader as read-only role in the fixtures
  • BZ - 1487297 - [RFE] The azure image as built cannot be used in azure.
  • BZ - 1487307 - Unable to perform any actions on cloud objects from list view when navigated to cloud tenants
  • BZ - 1487321 - Unable to access filter tab while Editing chargeback for projects report
  • BZ - 1487323 - Save only used OpenShift images with labels/tags
  • BZ - 1487686 - Drop down history toolbar button on Import/Export report page is not needed, should be removed.
  • BZ - 1487694 - UI elements not loading and reporting widgets not showing data points
  • BZ - 1490434 - Clicking x button in search box doesn't remove the search
  • BZ - 1491576 - [Regression] Unable to assign actions to a policy
  • BZ - 1492158 - Quota management doesn't work as expected
  • BZ - 1492867 - Dashboard shows 2 for "retiring soon" services but clicking on that link shows None
  • BZ - 1493700 - HTML5 VNC Remote Console: Remove VNC proxy from the UI
  • BZ - 1494189 - vc refreshes are preventing full refreshes
  • BZ - 1495971 - setting a dynamic dialog to "required = True" is not saved
  • BZ - 1496597 - Setting memory_reserve lower than vm_memory failed
  • BZ - 1497522 - Deleted VM is moved to status Orphan, though it should move to Archived.
  • BZ - 1497748 - Editing Name of a Category via API breaks Chargeback Assignments
  • BZ - 1498095 - Tag/Networks: Cloud Network list is available for restricted user, if Network manager was tagged
  • BZ - 1498131 - It allows me to have filter with same name twice when loading global filter
  • BZ - 1498232 - [Regression] appliance_console not enabling all required SCAP rules.
  • BZ - 1500050 - Cannot add Azure provider to CloudForms 4.2
  • BZ - 1500052 - Azure refreshes fail with [NameError]: wrong constant name $default
  • BZ - 1500067 - Cloudforms AWS image with Azure provider fails to discover entire environment
  • BZ - 1500995 - Unable to initiate VM console in VMware environment with 6.5 VC and ESXi 6.5
  • BZ - 1501478 - overwriting reports causes new runs of the report to not show data for some columns
  • BZ - 1502739 - Dynamic refresh ignored on Service Dialog elements if clicking submit without clicking out of refresh trigger element first
  • BZ - 1505417 - Records with duplicate timestamp in metrics rollup table
  • BZ - 1505458 - UI: PDF Download button is missing from the infra provider summary page (it is displayed for cloud providers)
  • BZ - 1505468 - Edit tags not working while navigating to instance through provider
  • BZ - 1505546 - [EUWE] HTML5 Console Does Not Display From SSUI/OPS UI VMWare
  • BZ - 1506626 - compute.instance.exists events
  • BZ - 1509420 - Queue workers are frequently querying pg_backend_pid
  • BZ - 1517712 - Storage Volume Attach give Unexpected Error
  • BZ - 1521043 - Azure NetworkManager refresh failure with "undefined method `source_address_prefix'" error

CVEs

  • CVE-2017-2664

References

  • https://access.redhat.com/security/updates/classification/#important
Updated Packages

Note: More recent versions of these packages may be available.

Red Hat CloudForms 4.2

SRPM
cfme-5.7.4.2-1.el7cf.src.rpm SHA-256: 067eb1f3b17afe5ecafe731b9b8e8d3e095b1896d523e25fc2f8493616e6145a
cfme-appliance-5.7.4.2-1.el7cf.src.rpm SHA-256: a22048b3780f0a8b291961519e547a94a9d3a25497810d2f39a15a06b461a664
cfme-gemset-5.7.4.2-1.el7cf.src.rpm SHA-256: 593c41baf5a66e3f240753996142947f143d541f437de29b762336f60b42fc0d
rh-ruby23-rubygem-nokogiri-1.8.1-2.el7cf.src.rpm SHA-256: 8058ce54fd94de8b8b55b083d019361cd487ec6627d4a0be135ac08e2485e367
x86_64
cfme-5.7.4.2-1.el7cf.x86_64.rpm SHA-256: 723867feb37590045d16c9e26420535d32404ba9e97a44511f1aa534f1c41876
cfme-appliance-5.7.4.2-1.el7cf.x86_64.rpm SHA-256: 64f3a1a6801dc8373405e4724d66589fc28cfb27756bc9991a7ed452c94cece8
cfme-appliance-debuginfo-5.7.4.2-1.el7cf.x86_64.rpm SHA-256: 6a6a98f2c27118c3248e385575715a0ddd5781f5a219683d199f0e1bce6cc47c
cfme-debuginfo-5.7.4.2-1.el7cf.x86_64.rpm SHA-256: f5f0715845c3375d5d7c209c21a63ae2de0c9f6822915e3b09b11ad418f0f61b
cfme-gemset-5.7.4.2-1.el7cf.x86_64.rpm SHA-256: 8c0bfd22ff65d1513b306ef3300b0506b453718a7845df4528d6c515ee7009ba
rh-ruby23-rubygem-nokogiri-1.8.1-2.el7cf.x86_64.rpm SHA-256: 70ee4b25ba7b6ef0a6a090cc2f62679428c51b39cbaef57634a5cfbb903f551a
rh-ruby23-rubygem-nokogiri-debuginfo-1.8.1-2.el7cf.x86_64.rpm SHA-256: b4948f28de0ba3de4df97c18e055a21a2375efca32c0dfd829a60a480511e0c9
rh-ruby23-rubygem-nokogiri-doc-1.8.1-2.el7cf.x86_64.rpm SHA-256: 09f5bfa6cd072b48e9e169f4a5dbfc323b6f8acf72c0e081207d324b46fc56c6
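The two checks an administrator wants after reading the package table are whether the cfme build on an appliance is at or above the fixed version (5.7.4.2-1.el7cf, from the table above) and whether a downloaded RPM matches the published SHA-256 digest. The script below is an added example, not code from Red Hat or the CloudForms project. It assumes rpm(8) on the appliance, sha256sum or shasum wherever the RPM is checked, and a hypothetical file name check_rhsa_2017_3484.sh; the version comparison is a simplified rpmvercmp that is sufficient for these VERSION-RELEASE strings (no epoch, no tilde or caret), and rpmdev-vercmp from rpmdevtools handles the general case.

```shell
#!/bin/sh
# Added example for RHSA-2017:3484; not code from Red Hat or the CloudForms
# project. Checks (1) that the installed cfme package is at or above the
# fixed VERSION-RELEASE and (2) that a downloaded RPM matches the SHA-256
# digest published in the advisory. Assumes rpm(8) on the appliance and
# sha256sum or shasum on the host doing the digest check.

FIXED_CFME_EVR="5.7.4.2-1.el7cf"   # VERSION-RELEASE of the fixed cfme package

# vercmp A B: prints -1, 0 or 1 for A<B, A=B, A>B. Simplified rpmvercmp:
# split both strings into alphanumeric segments, compare numeric segments
# as integers (so 5.7.4.10 > 5.7.4.2) and anything else as strings; the
# first differing segment decides. Assumes no epoch and no tilde/caret,
# which holds for the cfme packages in this advisory. Unlike real
# rpmvercmp, a numeric segment is not ranked above an alphabetic one.
vercmp() {
    a=$1 b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        a=${a#"${a%%[0-9A-Za-z]*}"}       # drop leading separators (. or -)
        b=${b#"${b%%[0-9A-Za-z]*}"}
        sa=${a%%[!0-9A-Za-z]*}            # leading alphanumeric run of each
        sb=${b%%[!0-9A-Za-z]*}
        a=${a#"$sa"} b=${b#"$sb"}
        [ "$sa" = "$sb" ] && continue
        [ -z "$sa" ] && { echo -1; return; }   # A ran out of segments first
        [ -z "$sb" ] && { echo 1; return; }
        case "$sa$sb" in
            *[!0-9]*)                          # at least one non-numeric segment
                # "X" prefix keeps expr from treating either side as a number
                if [ "$(expr "X$sa" \< "X$sb")" = 1 ]; then echo -1; else echo 1; fi
                return ;;
        esac
        [ "$sa" -gt "$sb" ] && { echo 1; return; }
        [ "$sa" -lt "$sb" ] && { echo -1; return; }
        # numerically equal (e.g. 02 vs 2): keep comparing later segments
    done
    echo 0
}

# is_fixed INSTALLED FIXED: succeeds when INSTALLED is at or above FIXED.
is_fixed() {
    [ "$(vercmp "$1" "$2")" -ge 0 ]
}

# verify_sha256 FILE EXPECTED_HEX: succeeds when FILE hashes to EXPECTED_HEX,
# e.g. the digest printed beside cfme-5.7.4.2-1.el7cf.x86_64.rpm above.
verify_sha256() {
    if command -v sha256sum >/dev/null 2>&1; then
        actual=$(sha256sum "$1" | cut -d' ' -f1)
    else
        actual=$(shasum -a 256 "$1" | cut -d' ' -f1)
    fi
    [ "$actual" = "$2" ]
}

# Stand-alone use (script name is hypothetical):
#   sh check_rhsa_2017_3484.sh --check-host
#   sh check_rhsa_2017_3484.sh --verify FILE.rpm DIGEST
case "${1:-}" in
    --check-host)
        installed=$(rpm -q --qf '%{VERSION}-%{RELEASE}' cfme) || exit 2
        if is_fixed "$installed" "$FIXED_CFME_EVR"; then
            echo "cfme $installed: includes the fix for CVE-2017-2664"
        else
            echo "cfme $installed: older than $FIXED_CFME_EVR, apply RHSA-2017:3484"
            exit 1
        fi ;;
    --verify)
        if verify_sha256 "$2" "$3"; then
            echo "$2: digest OK"
        else
            echo "$2: DIGEST MISMATCH"; exit 1
        fi ;;
esac
```

Run --check-host on each CloudForms 4.2 appliance; a digest mismatch on --verify means the RPM was corrupted or altered in transit and must not be installed. The rpm query is deliberately limited to cfme because cfme-appliance and cfme-gemset ship with the same version and release in this advisory.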

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.
