RHSA-2018:0374 - Security Advisory

Topic

An update is now available for CloudForms Management Engine 5.8.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

Ansible is a simple model-driven configuration management, multi-node deployment, and remote-task execution system. Ansible works over SSH and does not require any software or daemons to be installed on remote nodes. Extension modules can be written in any language and are transferred to managed machines automatically.

Ansible Tower helps you scale IT automation, manage complex deployments and speed productivity. Centralize and control your IT infrastructure with a visual dashboard, role-based access control, job scheduling, integrated notifications and graphical inventory management. And Ansible Tower's REST API and CLI make it easy to embed Ansible Tower into existing tools and processes.

Red Hat CloudForms Management Engine delivers the insight, control, and automation needed to address the challenges of managing virtual environments. CloudForms Management Engine is built on Ruby on Rails, a model-view-controller (MVC) framework for web application development. Action Pack implements the controller and the view components.

Security Fix(es):

• A flaw was found in the CloudForms account configuration when using VMware. By default, a shared account is used that has privileged access to VMRC (VMWare Remote Console) functions that may not be appropriate for users of CloudForms (and thus this account). An attacker could use this vulnerability to view and make changes to settings in the VMRC and virtual machines controlled by it that they should not have access to. (CVE-2017-12191)

This issue was discovered by Gellert Kis (Red Hat).

Additional Changes:

This update also fixes several bugs and adds various enhancements. Documentation for these changes is available from the Release Notes document linked to in the References section.

Solution

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/11258

If the postgresql service is running, it will be automatically restarted after installing this update.

Affected Products

• Red Hat CloudForms 4.5 x86_64

Fixes

• BZ - 1458929 - IE 11 on windows 7: On topology page entity icons are not displaying properly
• BZ - 1459190 - Block storage volume list configuration button attach/detach/delete actions are not working
• BZ - 1460377 - Missing Paginator on miq_request/show_list
• BZ - 1460815 - Formatting of Provider summary PDF file generated from provider summary page is very broken
• BZ - 1461164 - Attach/Detach volume to/from instance provides no flash message
• BZ - 1463422 - The 'Assigned Filters' setting in the Settings->Access Control->Groups->[group name] only applies to 'Hosts & Clusters', and not the Network providers.
• BZ - 1478518 - CFME reports VM migration passed when it fails on RHV side
• BZ - 1478520 - VM Migrate doesn't create notifications or log messages when migrations fail.
• BZ - 1479402 - [RFE] Support more Tower credential types
• BZ - 1479939 - Volumes: Get error while trying to edit cloud volume opened from availability zone page
• BZ - 1479940 - Volumes: Get 'Button not yet implemented' while adding tag to cloud volume opened from availability zone page
• BZ - 1481378 - Error provisioning VM, incompatible marshal file format
• BZ - 1481446 - Quota not using cloud volumes in requested resource calculation.
• BZ - 1487306 - Unable to perform any actions on cloud objects from list view when navigated to cloud tenants
• BZ - 1489697 - Missing servers in alert profile assignment screen
• BZ - 1490416 - Unexpected error message while adding new Cloud Subnet
• BZ - 1496900 - appliance_console crash when setting up standby node with no route to host
• BZ - 1496903 - Cockpit web console is not available for RHOS provider
• BZ - 1496904 - [AWS EBS] UI: "Configuration" for Cloud storage throws "Button not yet implemented" in flash message
• BZ - 1496907 - Others rendered as <Other(13)> on Utilization page of host/Cluster
• BZ - 1496908 - [Embedded Ansible] Show "Red Cross" Icon in notification instead of "Green Check Mark" if the Repo Addition is failed
• BZ - 1496909 - Duplicate flash msg at rates of chargeback
• BZ - 1496922 - Edit tags not working while navigating to instance through provider
• BZ - 1496925 - Custom Button does not display for Dashboard View of a Provider
• BZ - 1496930 - In block volume snapshot summary selecting volumes based on snapshot results in exception
• BZ - 1496931 - [Azure]Empty IPv6 configuration blocks Refresh of Azure Network Manager
• BZ - 1496932 - Refresh Failing - String Not Recognized Metric Type - OpenShift Hawkular
• BZ - 1496936 - retiring parent service doesn't retire child service
• BZ - 1496937 - VM Migrate gets an error sending completion email.
• BZ - 1496939 - Clicking x button in search box doesn't remove the search
• BZ - 1496943 - No indication of which image is currently being scanned when selecting multiple images
• BZ - 1496945 - UI elements not loading and reporting widgets not showing data points
• BZ - 1496947 - Service Retirements (which work correctly) result in two separate emails to service owner
• BZ - 1496949 - Image SSA - image-inspector unable to pull image - pod_wait is not permitted at state finished
• BZ - 1497209 - User unable to login when role permissions restricted to Everything->Settings
• BZ - 1498506 - Wrong hover view after selecting Red Hat Insights in main navigation
• BZ - 1498511 - Hover view of main navigation disappearing for Compute/Infrastructure/[Networking]
• BZ - 1498516 - Wrong hover view after selecting Middleware/Domains in main navigation
• BZ - 1498518 - Hover view of main navigation disappears after selecting Services/Requests
• BZ - 1498525 - Scroll bar not appearing when looking at notifications
• BZ - 1498542 - date dialogs with "Show Past Dates" unchecked still allow selection of past dates
• BZ - 1498544 - Some Navigation menus are not highlighted
• BZ - 1498891 - Container Product Feature in a Role Required for VM Visibility Menu Box
• BZ - 1500029 - [RFE] widget import file; the page goes blank on custom report page
• BZ - 1500445 - WebMKS Console : Proxy Error
• BZ - 1500448 - WebMKS Console: Some Javascript Error
• BZ - 1500517 - CVE-2017-12191 CFME: VMRC plugin console grants users administrative access
• BZ - 1500808 - UI: infinispinner appears when clicking on Add or cancel button of copy report for Guest OS Information-any OS
• BZ - 1500954 - DetachVolume is missing in AWS EBS cloudwatch event catcher
• BZ - 1501475 - overwriting reports causes new runs of the report to not show data for some columns
• BZ - 1501481 - Edit cloud instance:Show parent and child VMs details for cloud instances too
• BZ - 1501524 - Ansible playbook service max TTL is always divisible by 100
• BZ - 1501897 - Container Providers -> Topology View raises 'capitalize' error
• BZ - 1503611 - Toast notifications missing error icon
• BZ - 1503639 - RHV provider VM Quad icon page: VM power 'reset' option do not fail as expected.
• BZ - 1504199 - RFE: Expose Disks in the ServiceModel through Hardware
• BZ - 1504775 - Wrong flash message displayed when import/commit widget
• BZ - 1505415 - Records with duplicate timestamp in metrics rollup table
• BZ - 1505456 - UI: PDF Download button is missing from the infra provider summary page (it is displayed for cloud providers)
• BZ - 1505501 - [DOC] Cannot copy a built in OpenSCAP policy
• BZ - 1505503 - container group creation\deletion rates are miscalculated for container projects
• BZ - 1505545 - HTML5 Console Does Not Display From SSUI/OPS UI VMWare
• BZ - 1505951 - Azure extra disk information of VM is not showing from CFME which prevents Chargeback calculation for the usage.
• BZ - 1506624 - compute.instance.exists events
• BZ - 1509008 - Global Region Widget doesn't have data
• BZ - 1509024 - "Orders" should be "My Orders"
• BZ - 1509378 - Error messages disappear when clicked or text selected.
• BZ - 1509391 - [REGRESSION][AZURE]Can't provision VM from private image
• BZ - 1509414 - Missing notification type icons in the Notification Drawer
• BZ - 1509419 - Queue workers are frequently querying pg_backend_pid
• BZ - 1509423 - [ja_JP][fr_FR] ON/OFF button varies in size on 'Manage quotas for Tenant'
• BZ - 1510054 - Do not purge session if there are no sessions
• BZ - 1510142 - Cannot ommit Compute->Containers->Containers from RBAC role.
• BZ - 1510175 - managed disks are not removed as part of azure stack retirement
• BZ - 1510241 - Filters under Job Templates do not work properly
• BZ - 1510564 - error while syncing openstack tenants : failed to save the new source_tenant
• BZ - 1510698 - chargeback filters selection issue
• BZ - 1511032 - VM retirement fails when using ovirt-engine SDK (V4)
• BZ - 1511125 - Unable to delete Cloud Network in Cloud Networks View
• BZ - 1511130 - CloudForms does not show region-level Utilization from "Optimize" -> "Utilization" menu
• BZ - 1511135 - 'Optimize > Utilization' only shows a subset of providers
• BZ - 1511142 - Wrong units of net_usage_rate_average in containers metrics
• BZ - 1511144 - Cancellation of 'Create New Host Aggregate' with empty values showing warning
• BZ - 1511147 - unable to scan lvm2 partitions that were thin provisioned under rhevm 4.1
• BZ - 1511196 - Typo or bug in openstack network_manager refresh parser.
• BZ - 1511502 - set_network_adapter method erroring out with undefined method `[]' for nil:NilClass')]
• BZ - 1511517 - When provisioning an Ansible Embedded playbook, dialog's service_name does not set the service name
• BZ - 1511528 - Group Filters: Selected host is deselected after group saving
• BZ - 1511548 - RHOS 12 tenants are not mapped to CFME
• BZ - 1511595 - Several broken associations in container-related service models
• BZ - 1512661 - [RFE] [v2v] There are unsupported v2v operations, that could have been blocked at the v2v submit stage
• BZ - 1512665 - selection doesn't move along with added/copied Condition in Control->Explorer->Policies treeview
• BZ - 1512667 - Network deletion provided with no flash message
• BZ - 1512694 - Inconsistency between filled name and name in accordion of Provision Dialogs
• BZ - 1512695 - Unexpected error encountered while downloading pdf from configuration profile
• BZ - 1512706 - vmdb size constantly increasing 1+gb a day
• BZ - 1512728 - Azure - Disk properties missing or incorrect
• BZ - 1512955 - [v2v] Add a warning to user, in case trying to run v2v for windows VM, without installing the required drivers
• BZ - 1512967 - Smartstate Analysis Snapshot of Azure Managed Disks fails with "The value of parameter snapshot.name is invalid. (cause: 400 Bad Request) creating SSA Snapshot" if the disk name exceeds 60 characters.
• BZ - 1513124 - PG String Data Right Truncation error: Value too long for type character varying(255)
• BZ - 1513509 - Region was offline - after a restart region has lost all data
• BZ - 1513699 - unable to provision against SCVMM with "VMM is unable to perform this operation without a connection to a Virtual Machine Manager management server"
• BZ - 1514139 - Embedded ansible fails to start. Can't create credentials or add repositories.
• BZ - 1514184 - Chargeback report is not available after deleting linked task
• BZ - 1514570 - Changing cloud volumes in a service provisioning dialog still runs with original value.
• BZ - 1515367 - Ops UI service catalog list view displays a cube icon rather than the user's uploaded icon
• BZ - 1515402 - No flash message during duplicate class add.
• BZ - 1515407 - Inconsistency between customization template name and description while deletion
• BZ - 1515416 - VMware WebMKS Console: Does not support CTRL+ALT+DEL Input
• BZ - 1515426 - Button 'Save' is always disabled on Edit Subnet Page
• BZ - 1515483 - Azure Smart State on Windows VM throwing error "undefined method `[]' for nil:NilClass" in evm.log
• BZ - 1518357 - Container Image openSCAP compliance check doesn't response for several Images
• BZ - 1518368 - Duplicate Customization Template name doesn't show flash error message
• BZ - 1518372 - [RFE] Service pane service/explorer Unexpecting error encountered
• BZ - 1518374 - Quota - exclude orphaned VMs from used counts
• BZ - 1518383 - Unable to clone OSP template.Blank page displayed when clicked on clone template
• BZ - 1518392 - Chargeback rate assignment page doesn't show duplicate clusters
• BZ - 1518600 - Element Name must be alphanumeric characters and underscores without spaces
• BZ - 1519809 - setting certain types of filters can cause puma to consume all cpu
• BZ - 1519910 - Smart State Analysis doesn't show data in "Patches" and "Registry Entries" etc for Windows VM.
• BZ - 1519915 - Mismatch between cloud volume table and details
• BZ - 1519987 - Logging of the server process memory/cpu (MiqServer.log_status) is incorrect
• BZ - 1520541 - Multiple cloud volumes can't be added in Catalog
• BZ - 1520557 - error "undefined method `[]=' for nil:NilClass" while syncing against rhevm 3.6
• BZ - 1521036 - Azure NetworkManager refresh failure with "undefined method `source_address_prefix'" error
• BZ - 1522951 - Re-enable Web Console button.
• BZ - 1523402 - Classification validation errors in seeding keep server from starting
• BZ - 1523404 - VMWare WebMKS consoles do not proxy sessions as VNC sessions do in CloudForms
• BZ - 1523408 - C & U collection tab empty and fatal error appears in production log
• BZ - 1523771 - Attempting to collect power status during retirement can cause exception
• BZ - 1523773 - policy profile doesn't get selected in Policy Profiles when policy profile is clicked in one of timelines events
• BZ - 1523774 - Wrong project names on Ad Hoc matrics page cause to internal server error
• BZ - 1523777 - Access Control: No option to 'Delete selected Groups' when selecting multiple groups under Access Control EVM Groups
• BZ - 1523788 - Setting Start Page to Container/Explorer sets to URL to an invalid URL
• BZ - 1523851 - Azure Network Manager refreshes fail with 'undefined method `[]' for nil:NilClass' when executing parse_load_balancer_pool_members
• BZ - 1523855 - Prevent scaling down with scale provider
• BZ - 1524646 - Backport cloud_subnet API collections to CloudForms
• BZ - 1525092 - long loading times of the self service portal dialogs
• BZ - 1525551 - Provision Error "A specified parameter was not correct: spec. nicSettingMap.adapter.ip" under VMware after VM cloning from template.
• BZ - 1525563 - Drift analysis table shows double icons
• BZ - 1525583 - No event in timeline for the web console activity in RHV41
• BZ - 1526040 - Tagged Datastores in chargeback storage don't work
• BZ - 1526473 - Large MiqServer process leads to large generic workers that get killed
• BZ - 1527676 - SSUI: Error while adding to shopping cart: `Must specify a service_template_href for adding a service_request`
• BZ - 1530653 - Unable to set control policies for Kubernetes Events from OpenShift
• BZ - 1530708 - No ESX 6.5 platform filter
• BZ - 1530717 - Empty page on Cloud Volume page
• BZ - 1531146 - configuration options are not correctly being logged into last_boot.log and the evm.log
• BZ - 1531147 - Can't register RHSM or apply cfme updates through webui on IPV6 only appliance
• BZ - 1531156 - [RFE] VCloud provider log and debug option in adv config
• BZ - 1531161 - [Regression] Quota check for users errors out with "no implicit conversion of nil into String" for service provisioning
• BZ - 1531177 - Got unexpected API result object Array
• BZ - 1531178 - Duplicate field called Type in Expression Field
• BZ - 1531256 - When provisioning an Azure instance and selecting NONE for the Public IP Address option a public IP is still assigned.
• BZ - 1531261 - Could not determine root drive letter on Azure Windows 2016 Datacenter VM
• BZ - 1531262 - Can not delete schedules from schedules details page
• BZ - 1531274 - UI of Adding a new group page is different in en_US vs non en_US language
• BZ - 1531554 - [Regression] C&U data can't be fetched for cloud providers
• BZ - 1531615 - C&U Host Graph: Drilling graph for VM with Group by some tag gives unexpected error.
• BZ - 1531618 - C&U Availability Zone Graph: Drilling graph for Instances with Group by some tag gives unexpected error.
• BZ - 1531619 - C&U Cluster Graph: Drilling graph for VM/ Host with Group by some tag gives unexpected error.
• BZ - 1532328 - Authentication issue for api/automation_requests call to Master in multi-region setup
• BZ - 1532854 - Smartstate request taking too long is killed because Worker Monitoring Code incorrectly thinks the busy Smartproxy Worker is not responding
• BZ - 1532857 - custom reports not visible to group/role that could see them prior to recent upgrade
• BZ - 1533167 - Unexpected error encountered while accessing policy event timeline in availability zones
• BZ - 1533169 - WebMKS Console: Toggle Full Screen button does not work on Internet Explorer 11
• BZ - 1533171 - [Regression] HTML5 Console: Toggle Full Screen button does not work on Internet Explorer 11
• BZ - 1534584 - Cloudforms: Event VMDestroy_Task does not exists under event list
• BZ - 1534589 - Quota fails when an active Service request contains an Invalid service_template.
• BZ - 1534591 - Cannot start worker service (evmserverd)
• BZ - 1534601 - [Regression] VM console button is wrongly disabled based on VMware Console Support Configuration from OPS UI
• BZ - 1536052 - Unable to browse VM Summary Screen with a NULL Custom Attribute name
• BZ - 1536672 - Memory Leak in MiqServer process
• BZ - 1537015 - [Embedded Ansible] - Credentials of SCM/Machine repository cannot be edited
• BZ - 1537145 - Edit tag page doesn't open for subnets and routers list opened from network details
• BZ - 1537284 - When provisioning VM in Azure, errors do not appear in UI for certain field
• BZ - 1538349 - [SCVMM] Destination placement_host_name not provided
• BZ - 1538350 - Tag: Restricted items can be selected in drop downs while creation/editing, which cause unexpected error
• BZ - 1538351 - Can't retire stack from details view
• BZ - 1539752 - [RFE] Naming Runs Before Parsed Dialog: Dialog Options missing via prov.get_tags or prov.get_option
• BZ - 1540699 - Selecting filter with "expression Service: Aggregate All Vm Cpus" results in exception
• BZ - 1541072 - After Openstack 10 triggers an "unknown" state on instances, when it recovers Cloudforms duplicates vms instead of recovering them
• BZ - 1542170 - chargeback assignment reset to <Nothing> if another container provider is assigned a rate
• BZ - 1542240 - Change VMware console api detection from vCenter to ESXi Host
• BZ - 1542577 - VMs powered event on/off and vms powered off RSS links are broken
• BZ - 1542741 - Object store objects and containers are not synched to CFME UI and swift manager refresh ends with errors
• BZ - 1543121 - service dialogs api calls create and edit inconsistency - cfme version 5.8.2.3
• BZ - 1543150 - Smartstate Analysis greyed out on workers not in a provider zone (webui zone)
• BZ - 1543172 - Quota - Active provisions calculations allow quota to be over allocated

CVEs

• CVE-2017-12191

References

• https://access.redhat.com/security/updates/classification/#important