Red Hat Product Errata RHSA-2018:1972 - Security Advisory

Issued: 2018-06-25
Updated: 2018-06-25

Synopsis

Important: Red Hat CloudForms security, bug fix, and enhancement update

Type/Severity

Security Advisory: Important

Topic

An update is now available for CloudForms Management Engine 5.8.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

Red Hat CloudForms Management Engine delivers the insight, control, and automation needed to address the challenges of managing virtual environments. CloudForms Management Engine is built on Ruby on Rails, a model-view-controller (MVC) framework for web application development.

Security Fix(es):

  • python-paramiko: Authentication bypass in transport.py (CVE-2018-7750)
  • ansible-tower: Privilege escalation flaw allows for organization admins to obtain system privileges (CVE-2018-1101)
  • ansible-tower: Remote code execution by users with access to define variables in job templates (CVE-2018-1104)

For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.

Red Hat would like to thank Simon Vikström for reporting CVE-2018-1104. The CVE-2018-1101 issue was discovered by Graham Mainwaring (Red Hat).

Solution

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/11258

Affected Products

  • Red Hat CloudForms 4.5 x86_64

Fixes

  • BZ - 1489507 - Simultaneous service catalog request do not honour quotas
  • BZ - 1496902 - Can add ansible tower provider without validation
  • BZ - 1500951 - Can't Save Role when Enabling All Product Features for Ansible folder of a CloudForms Role
  • BZ - 1511030 - Updates to RHEV Host Causes Duplicate Names in CloudForms
  • BZ - 1526156 - Can't configure Red Hat Dropbox for logs in a global region when a sub-region has one already configured
  • BZ - 1531499 - Automation->Ansible is visible for multiple roles when it should not be
  • BZ - 1532272 - Catalog dynamic element entry point selection is cached and does not allow selection
  • BZ - 1533082 - Reset tag: Flash message duplication
  • BZ - 1535369 - Cloud Subnet create form - 'Cloud Subnet details' title displayed twice, 'Placement' title (section) missing
  • BZ - 1536684 - Tooltip on retire button blocks the click of options
  • BZ - 1537132 - Miq Server leaks memory and we fail to detect and remediate it
  • BZ - 1540579 - Deployment roles are missing on CFME 5.8.3.2 over RHOS 12
  • BZ - 1541341 - Gettext strings should not contain interpolations
  • BZ - 1541427 - Tag assignment: 'Reset' button doesn't work for vms, templates
  • BZ - 1541700 - RHOS 12: Infra provider scale down is broken
  • BZ - 1544488 - [UI][RHOS] - remove Edit and Delete actions when in the SDN list view
  • BZ - 1549626 - webui updates failing when a proxy is required
  • BZ - 1549723 - WebUI: Tool tip displays html code while setting the ownership for multiple vm's
  • BZ - 1549833 - cpu_usagemhz_rate_average is 0 for RHV 4 VMs
  • BZ - 1550116 - Subscription page fails when a remote database is down
  • BZ - 1550276 - Getting Couldn't find MiqTask Errors in evm.log
  • BZ - 1550715 - Stored C&U "CPU (Mhz)" values for RHV VMs are incorrect (too high) by a factor of two
  • BZ - 1550729 - Replication configuration page does not open when child database is down
  • BZ - 1550732 - [Ansible Embedded] - Embedded Ansible cannot be enabled on IPv6 only appliance
  • BZ - 1550737 - unable to view quotas without manage quota permissoin being enabled in 5.8.2
  • BZ - 1551627 - Automate code from git does not work for repositories without master
  • BZ - 1551693 - internal server error ActiveRecord::AssociationTypeMismatch when editing current_group
  • BZ - 1551697 - Colons are unhandled in BaseModel key generation in AzureArmrest
  • BZ - 1551699 - Not possible to configure GCE provider for new regions (southamerica-east1) on CFME
  • BZ - 1552135 - Openstack refresh fails if it finds non-public flavors
  • BZ - 1552233 - [RFE] Ability to select OpenStack External external network during the instance provisioning
  • BZ - 1552780 - Adding floating IP from OSP do not enforce tenancy limits
  • BZ - 1552891 - Tagging: Edit tags page doesn't open for network list items navigated through parent details page
  • BZ - 1552905 - The accordion folds after adding a schedule
  • BZ - 1553225 - Set Ownership can not be changed back to default
  • BZ - 1553249 - UI: Same icon used for multiple options on Cloud Tenants page
  • BZ - 1553308 - Undefined method `vmm_version' for nil:NilClass on VM summary screen
  • BZ - 1553331 - Using webmks console one cannot type correctly the password when it contains special characters
  • BZ - 1553337 - Default view settings fails for service catalogs
  • BZ - 1553364 - Add miqssh utilities
  • BZ - 1553465 - Enhance credential missing msg/behavior for VMRC console access
  • BZ - 1553473 - Region size of 10,000 Objects Supportable for VMware Provider
  • BZ - 1554533 - Schedule report fails to send mail when report is not empty
  • BZ - 1554543 - Long time to refresh network provider on OpenStack
  • BZ - 1554900 - when deleting an archived node using configure > remove a unknown method error is raised
  • BZ - 1555487 - Dynamic Dropdown Multiselect: By default selects an element
  • BZ - 1556814 - symbol conversion error while detaching disks from an openstack instance
  • BZ - 1557025 - [RFE] Amazon provider - Allow user to enable and disable instance_types
  • BZ - 1557130 - CVE-2018-7750 python-paramiko: Authentication bypass in transport.py
  • BZ - 1558032 - internal server error when accessing the "policy_events" attribute of the "vms" resource
  • BZ - 1558039 - AWS flavor list is out of date
  • BZ - 1558047 - OpenStack - Include Provider Error Message in MiqProvisionFailure
  • BZ - 1558076 - Fix WebMKS/VNC console connectivity
  • BZ - 1558595 - No event AWS_EC2_Instance_UPDATE when renaming a VM on EC2
  • BZ - 1558622 - RedHat domain can be edited/deleted
  • BZ - 1559551 - Regression Instance Method check_quota Throws Error 5.8.2 to 5.8.3 undefined method provisioned_storage
  • BZ - 1559553 - Api::ServiceCatalogsController timeout error in multi-regional environment
  • BZ - 1560097 - Error occurs when trying to edit a catalog item
  • BZ - 1560099 - Outgoing SMTP E-mail Server settings not saved on first attempt
  • BZ - 1560693 - Stop CF pestering OpenStack for Swift status when there is no Swift.
  • BZ - 1561077 - Duplicate RBAC Role and Group names allowed when using different capitalization from the original name
  • BZ - 1562773 - tenant source_id compromisation after changing provider credentials
  • BZ - 1562775 - Approval permissions are not followed between different groups
  • BZ - 1562798 - CFME - usage of non standard special characters (e.g. accents) in password causes user is not able to login
  • BZ - 1563492 - CVE-2018-1101 ansible-tower: Privilege escalation flaw allows for organization admins to obtain system privileges
  • BZ - 1563721 - Differencing Disk on Network Drive Fails Smartstate if initial disk on Local DRive.
  • BZ - 1563741 - ReconfigVM Event triggers a refresh_sync Holding Automate Process in State Machine
  • BZ - 1564264 - Openstack::NetworkManager Refresh failed [NoMethodError]: undefined method `[]='
  • BZ - 1564454 - [Regression] Unexpected error while opening Cloud Intel Timelines
  • BZ - 1565157 - Unable to see realtime data from OpenShift in CloudForms UI
  • BZ - 1565162 - Ansible playbook credentials always show default value in SUI
  • BZ - 1565169 - openstack provisioning instance fail on checkprovisioned
  • BZ - 1565248 - Service Template Provision Task Failing When Picked Up by Appliance in Wrong Zone
  • BZ - 1565342 - [Azure]Provision Multiple VMs with Public IP selection options
  • BZ - 1565358 - [RHV] VM Reconfigure: Down VM Memory increase fail on cannot exceed maximum memory
  • BZ - 1565362 - SSA fails if disk has empty partitions in the beginning
  • BZ - 1565364 - Smartstate on Azure Managed Linux Instance returns Unable to mount filesystem. Reason:[XFS::DirectoryDataHeader: Invalid Magic Number 0]
  • BZ - 1565365 - Unable to perform SSA if Vm storage is fileshare on SCVMM and throws error in evm.log
  • BZ - 1565366 - VMware Edit provider has Host Default VNC start and End Port options, but Add Provider does not
  • BZ - 1565389 - Automate tree in the left pane has duplicates following any copy operation (instance, class, namespace)
  • BZ - 1565403 - Creating buttons under the Datastore objects do not appear on Datastore Details Pages
  • BZ - 1565414 - Total matches of Ems Cluster roles showing wrong count
  • BZ - 1565678 - Container reports take too much time to generate
  • BZ - 1565724 - vm reconfigure when quota enabled gets stuck in 'pending' state
  • BZ - 1565760 - Automate: customize_request method in Redhat domain incorrect sets security_group value in options hash
  • BZ - 1565835 - Role inconsistency with privileges when creating reports and setting chargeback filters
  • BZ - 1565862 - CVE-2018-1104 ansible-tower: Remote code execution by users with access to define variables in job templates
  • BZ - 1566256 - DRb 'close' error for closed connection
  • BZ - 1566528 - Reporting worker exceeding threshold for default report tied to custom widget
  • BZ - 1566746 - Dropdown to delete a "not responding" server is missing
  • BZ - 1567983 - Middleware Provider Timelines Typo in Policy Events->Middleware Operation Description 'Tagret'
  • BZ - 1568016 - notifications do not get cleared from the notification table
  • BZ - 1568042 - CloudForms: Unable to perform "Exit Maintenance Mode" task of VMware host
  • BZ - 1568045 - Control->Explorer is visible for evmgroup-security role
  • BZ - 1568084 - Default Container Image Rate can be deleted
  • BZ - 1568159 - User Interface does not come up after reboot
  • BZ - 1568168 - Moving widgets to the bottom of a column fails
  • BZ - 1568576 - Deployment template validation failed
  • BZ - 1568603 - Git repo automate datastore refresh timing out upon credential change
  • BZ - 1569079 - Getting Forbidden exception after ordering the service by non-admin user.
  • BZ - 1569100 - Orphaned and Archived VMs displayed in running vms filter
  • BZ - 1569104 - Online VMs (Powered On) report lists Orphaned and Archived VMs/Instances
  • BZ - 1569118 - Apache Reloaded twice with logrotate
  • BZ - 1569127 - We cannot backdate the schedule once you schedule it
  • BZ - 1569171 - Help Documentation is only visible to users with super admin role
  • BZ - 1569179 - ERROR : 404 when trying to set the retirement date of the service
  • BZ - 1569230 - Missing Guest OS in dashboard reports in Openstack
  • BZ - 1569237 - [UI] - ManageIQ string in PDF summary file for flavors
  • BZ - 1569241 - Tagging: Edit tags page doesn't open for images opened from provider summary page
  • BZ - 1570060 - [RFE] Metrics for memory usage of AWS instances is missing from C&U
  • BZ - 1570951 - Service and VM retirement are non-deterministic, running parallel
  • BZ - 1570990 - Service Catalog Item Subtype not rendered in UI
  • BZ - 1571311 - Unable to select storage manager from drop down list through classic UI
  • BZ - 1572621 - RHSM failing to register with proxy settings
  • BZ - 1572719 - Provider Inventory worker vim.log fills up due to large log messages
  • BZ - 1573540 - Dashboard widget is not providing exact content due to Type conversion Exception.
  • BZ - 1574155 - Refresh Failing for VMware VIM object is too large
  • BZ - 1574571 - OSPD 12 Undercloud - Infrastructure Provider refresh failed
  • BZ - 1574615 - [RFE] make available tags defined on the azure side on azure objects to cloudforms for reports
  • BZ - 1576101 - total costs no longer showing in any chargeback report if they are the only columns in the report
  • BZ - 1578575 - RHOSP11 metric collection stuck with error: Fog::Metric::OpenStack::NotFound
  • BZ - 1578853 - Compliance check is greyed out under VM summary screen when VM is selected but not when you click on the VM.
  • BZ - 1578866 - Error upon successful SAML login when username contains capital letters
  • BZ - 1581387 - Dynamic dropdown doesn't refresh correctly
  • BZ - 1583711 - Unexpected Error when accessing SERVICE -> REQUESTS (undefined method find_tags_by_grouping)
  • BZ - 1583790 - UI Worker Exceeding Memory Trying to View Hosts for VMware Provider
  • BZ - 1584187 - CPU Utilization report graph shows dates on x axis in random order
  • BZ - 1584688 - refresh_target_for_ems is not running in one of our environments
  • BZ - 1589834 - [RFE][XS-2] Add possibility to unregister a VM in RHV provider

CVEs

  • CVE-2018-1101
  • CVE-2018-1104
  • CVE-2018-7750

References

  • https://access.redhat.com/security/updates/classification/#important
Note: More recent versions of these packages may be available.

Red Hat CloudForms 4.5

SRPM

  • ansible-2.4.4.0-1.el7ae.src.rpm SHA-256: b08063b8a8b221d7fe97ad47e092aa4d4aeea485c6454c9b91e7fcffe21d78d6
  • cfme-5.8.4.5-1.el7cf.src.rpm SHA-256: 41f8e9bc3c4295278dc4066a74ac677951871fc73904dbb5502e7a2841159269
  • cfme-appliance-5.8.4.5-1.el7cf.src.rpm SHA-256: 5fe601dc2de7489e83b88e64515c0f5ef6f73f9a943e2365a1374d982b0c3fe2
  • cfme-gemset-5.8.4.5-1.el7cf.src.rpm SHA-256: d0adc44103f9a2c7649d1b40b0d58dac4bd26a843b4b10bfa7901ef4262bcb98
  • python-paramiko-2.1.1-4.el7.src.rpm SHA-256: 43ba21a7cbfc99918164c9dee8e2c2ece5915b421834a00474d2bfbeb3d748b7
  • rh-ruby23-rubygem-json-2.1.0-1.el7cf.src.rpm SHA-256: 7eee6c492b240d5ab5b5d61af400a48217e7c858625361f3edef7d373e141260

x86_64

  • ansible-2.4.4.0-1.el7ae.noarch.rpm SHA-256: 04b4ae3d042246fae073db5678490fdd9e88eeb0af36fe3903563bff1e0b24d6
  • ansible-tower-server-3.1.7-1.el7at.x86_64.rpm SHA-256: 52aa6bd1dc89e20cf28f3ac8616a1fbb5863f90a53d5e223a0f095ca863c2a2f
  • ansible-tower-setup-3.1.7-1.el7at.x86_64.rpm SHA-256: a272a928ec6f31b391f65f608b96f5926d0408e1cad8f0509965f08e9fed3ed9
  • cfme-5.8.4.5-1.el7cf.x86_64.rpm SHA-256: 5e946c5b8111b1ba775843dd8f575300919e1b21e24d3bc1f459c3fe206d876e
  • cfme-appliance-5.8.4.5-1.el7cf.x86_64.rpm SHA-256: b6a6c2240d628ff6bace9f03d1b151692d8caf3258789247ea468dc737efcd60
  • cfme-appliance-debuginfo-5.8.4.5-1.el7cf.x86_64.rpm SHA-256: 51b2c955a1b5ed2cc52037ddbbcfc41f2d7a9a17514f18891543eff3874b4f16
  • cfme-debuginfo-5.8.4.5-1.el7cf.x86_64.rpm SHA-256: c3adaa5089b9b8d879bed6e6d540c51b2b17b514afff3674ffcb00761362a1b3
  • cfme-gemset-5.8.4.5-1.el7cf.x86_64.rpm SHA-256: 1e3e1a3105b6e7d38608029447b2889411473f7caf115156df4a19260693e41b
  • python-paramiko-2.1.1-4.el7.noarch.rpm SHA-256: 461375b1b458818f5b5893aefac09fbf39cd651c081e63479915b8ffa33a72cc
  • python-paramiko-doc-2.1.1-4.el7.noarch.rpm SHA-256: 4abfc94c371f6fb64761ad9616522bfbab10091dc60cc0513f2496b70a883d36
  • rh-ruby23-rubygem-json-2.1.0-1.el7cf.x86_64.rpm SHA-256: 0011cff555a196aecca0563ecf27156155d8a4369f7fd155b871bee10d15ad07
  • rh-ruby23-rubygem-json-debuginfo-2.1.0-1.el7cf.x86_64.rpm SHA-256: 0d0c56ec62c4c2e05114c0a2c33436a61db09514cd3d861048b6aa5e37994f43
  • rh-ruby23-rubygem-json-doc-2.1.0-1.el7cf.x86_64.rpm SHA-256: be9cf669e54cf32ec4f7dc8c4a00ae34bc408027887e47109f6c04e0b2e2fb23
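The SHA-256 values above are what lets an administrator confirm that the RPMs staged for this update are the ones Red Hat published. The script below is an added example, not part of the advisory or of any Red Hat tooling: it parses "name SHA-256: hash" lines copied from the advisory (only three of the x86_64 rows are embedded here, as a subset), hashes each file found in a directory, and reports ok / MISMATCH / missing per package. The directory path is an assumption supplied on the command line.

```python
"""Check staged RPMs against the SHA-256 values published in RHSA-2018:1972.

Added example, not part of the advisory. The manifest text is a subset of the
advisory's x86_64 package list, copied verbatim; the directory to scan is an
assumption passed as the first command-line argument.
"""
import hashlib
import re
import sys
from pathlib import Path

# Subset of the advisory's x86_64 rows, copied verbatim from the package list.
ADVISORY_MANIFEST = """
ansible-2.4.4.0-1.el7ae.noarch.rpm SHA-256: 04b4ae3d042246fae073db5678490fdd9e88eeb0af36fe3903563bff1e0b24d6
ansible-tower-server-3.1.7-1.el7at.x86_64.rpm SHA-256: 52aa6bd1dc89e20cf28f3ac8616a1fbb5863f90a53d5e223a0f095ca863c2a2f
python-paramiko-2.1.1-4.el7.noarch.rpm SHA-256: 461375b1b458818f5b5893aefac09fbf39cd651c081e63479915b8ffa33a72cc
"""

# One advisory row: an .rpm filename, the literal "SHA-256:", then 64 hex digits.
MANIFEST_LINE = re.compile(r"^(\S+\.rpm)\s+SHA-256:\s*([0-9a-fA-F]{64})$")


def parse_manifest(text):
    """Return {filename: sha256_hex} from advisory-style lines; other lines are ignored."""
    entries = {}
    for line in text.splitlines():
        m = MANIFEST_LINE.match(line.strip())
        if m:
            entries[m.group(1)] = m.group(2).lower()
    return entries


def sha256_of_file(path, chunk_size=1 << 20):
    """Stream the file through SHA-256 so large RPMs are not read into memory at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_packages(directory, manifest):
    """Return {filename: 'ok' | 'MISMATCH' | 'missing'} for every manifest entry."""
    results = {}
    for name, expected in manifest.items():
        path = Path(directory) / name
        if not path.is_file():
            results[name] = "missing"
            continue
        results[name] = "ok" if sha256_of_file(path) == expected else "MISMATCH"
    return results


if __name__ == "__main__":
    # Usage: python verify_rhsa.py /path/to/staged/rpms   (path is an assumption)
    target_dir = sys.argv[1] if len(sys.argv) > 1 else "."
    report = verify_packages(target_dir, parse_manifest(ADVISORY_MANIFEST))
    for pkg, status in sorted(report.items()):
        print(f"{status:9} {pkg}")
    # Any MISMATCH means the file is not the published package and must not be installed.
    sys.exit(1 if "MISMATCH" in report.values() else 0)
```

A MISMATCH should be treated as a stop condition rather than a warning: the file either was corrupted in transit or is not the package the advisory describes. Extending the embedded manifest to the full SRPM and x86_64 lists is a matter of pasting the remaining rows in the same format.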

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.
