Red Hat Product Errata RHSA-2018:2184 - Security Advisory

Issued: 2018-07-12
Updated: 2018-07-12

Synopsis

Moderate: CloudForms 4.6.3 bug fix and enhancement update

Type/Severity

Security Advisory: Moderate

Topic

An update is now available for CloudForms Management Engine 5.9.

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

Red Hat CloudForms Management Engine delivers the insight, control, and automation needed to address the challenges of managing virtual environments. CloudForms Management Engine is built on Ruby on Rails, a model-view-controller (MVC) framework for web application development. Action Pack implements the controller and the view components.

Security fix(es):

  • ansible: Failed tasks do not honour no_log option allowing for secrets to be disclosed in logs (CVE-2018-10855)

Red Hat would like to thank Tobias Henkel (BMW Car IT GmbH) for reporting these issues.

For more details about the security issue(s), including the impact, a CVSS
score, and other related information, refer to the CVE page(s) listed in the
References section.

Additional Changes:

This update fixes various bugs and adds enhancements. Documentation for these changes is available from the Release Notes document.

Solution

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

Affected Products

  • Red Hat CloudForms 4.6 x86_64

Fixes

  • BZ - 1536677 - Simultaneous service catalog request do not honour quotas
  • BZ - 1553227 - When editing ansible service catalog item the dialog radio button never appears
  • BZ - 1553383 - [RFE] Switch default refresh to graph refresh for RHV provider
  • BZ - 1553795 - [RFE] Move database maintenance to the application
  • BZ - 1563745 - appliance console showing removed option db maintenance
  • BZ - 1565845 - Service buttons do not attach $evm.root['service']
  • BZ - 1565925 - The value that is selected in the drop down is not passed to the $evm.root
  • BZ - 1566570 - If the external network provider is unavailable CFME network provider throws unfriendly exception
  • BZ - 1569170 - Help Documentation is only visible to users with super admin role
  • BZ - 1571303 - [Regression] Unexpected error while opening GCE details page
  • BZ - 1572760 - OSPD 13 Undercloud - Infrastructure Provider Network Manager does not refreshed
  • BZ - 1574154 - Refresh Failing for VMware VIM object is too large
  • BZ - 1574569 - OSPD 12 Undercloud - Infrastructure Provider refresh failed
  • BZ - 1575713 - Unable to access the Help Documentation page due to "Authorization Error"
  • BZ - 1576099 - total costs no longer showing in any chargeback report if they are the only columns in the report
  • BZ - 1577247 - ansible-tower-setup installs several new non-Red Hat yum repositories
  • BZ - 1578121 - [RHV] SSA is not retrieving file information from VM on RHV
  • BZ - 1578124 - Incorrect storage type size in openstack cloud reports
  • BZ - 1578125 - Cloud Volume creation error does not raise VM provision error
  • BZ - 1578126 - VMDB backup is failing perhaps due to uninitialized constant MiqServer::WorkerManagement::Monitor::Dalli
  • BZ - 1578388 - RHOSP11 metric collection stuck with error: Fog::Metric::OpenStack::NotFound
  • BZ - 1578393 - Improving the error message of provisioning a VM via rest api with wrong vlan value
  • BZ - 1578394 - openstack chargeback based on chargeback per vm does not show storage costs by storage types correctly
  • BZ - 1578398 - Openshift container retirement
  • BZ - 1578400 - Cannot create or edit report secondary (display) filter
  • BZ - 1578856 - Compliance check is greyed out under VM summary screen when VM is selected but not when you click on the VM.
  • BZ - 1578865 - Error upon successful SAML login when username contains capital letters
  • BZ - 1578954 - Submit/Cancel buttons are not displayed on custom button dialogs for some service types
  • BZ - 1578957 - Unable to restore database to any ha node in a cluster
  • BZ - 1578964 - Create Volume failed: undefined method `my_zone'
  • BZ - 1578972 - [QEDevCollab] C&U: discrepancy in rounding of data for Graphs and Table causing automation failures
  • BZ - 1578976 - [Regression][Embedded Ansible] Ansible Catalog Item can be created without the Dialog
  • BZ - 1578986 - "Choose" should be shown in 'tag control' dropdown default value , instead blank is shown.
  • BZ - 1578990 - SUI does not show custom button dialog
  • BZ - 1578996 - [RHV] When Graph refresh is ON, RHV provider refresh time is longer
  • BZ - 1580520 - Adding interface to a router cause Unexpected error
  • BZ - 1580535 - Refresh of a second dynamic dialog does not update the hash passed to $evm.object['values'] when another dialog is referenced
  • BZ - 1581287 - [RHV] VM snapshot removal cause failure in RHV provider refresh
  • BZ - 1581307 - When using dynamic multi select dialog elements the first element is always selected even if nil default is specified and it does not show up as selected in UI
  • BZ - 1581386 - Dynamic dropdown doesn't refresh correctly
  • BZ - 1583704 - default selection of dropdown list is not displayed properly but still taken into account
  • BZ - 1583710 - Unexpected Error when accessing SERVICE -> REQUESTS (undefined method find_tags_by_grouping)
  • BZ - 1583777 - VMware vCloud Provider's vApp Provisioning Reports Error When vApp Powered Off
  • BZ - 1583779 - Tagging Ansible: Incorrect tag page opened for playbooks navigated through repository page
  • BZ - 1583784 - xClarity: Wrong credentials and last refresh status when execute refresh cycle against a provider with invalid credentials
  • BZ - 1583786 - chargeback reports based on vms with tags assigned show no records on generation
  • BZ - 1583788 - UI Worker Exceeding Memory Trying to View Hosts for VMware Provider
  • BZ - 1583851 - Ansible Job Times out at 300 seconds causing Automate State Machine to Fail
  • BZ - 1584186 - CPU Utilization report graph shows dates on x axis in random order
  • BZ - 1584296 - VMware vCloud Provider's Provisioning dialog should be split in three tabs
  • BZ - 1584406 - prov.set_vlan() method didn't set the vnicprofiles identifier
  • BZ - 1584687 - refresh_target_for_ems is not running in one of our environments
  • BZ - 1584699 - VMware vCloud Provider's VM should support hardware reconfigure
  • BZ - 1585709 - Service dialog targeted element refresh is refreshing targeted items 22 times
  • BZ - 1585745 - automation executed on field refresh are called twice in self service dialogs
  • BZ - 1585821 - C&U data collection fails for GCE in 5.9
  • BZ - 1586213 - Notification events are out of order
  • BZ - 1588038 - RHV Snapshots: Reverting to "Active VM" throws "Cannot preview Active VM snapshot" in evm.log
  • BZ - 1588042 - vm.hardware.nics[0].lan nil for RHV VMs
  • BZ - 1588855 - CVE-2018-10855 ansible: Failed tasks do not honour no_log option allowing for secrets to be disclosed in logs
  • BZ - 1589837 - unable to export all service dialogs
  • BZ - 1590346 - 400 Bad Request: When custom button used from infra provider object type with method and dialog both attached
  • BZ - 1590353 - dropdown changed from dynamic to static won't hold values
  • BZ - 1590426 - [Embedded Ansible] Service Details Page has duplicate tabs
  • BZ - 1590430 - [RFE] Create a built-in policy to prevent source VM from starting if transformation is complete.
  • BZ - 1590846 - [RFE] create database.yml when creating a dedicated database to allow local migrations when upgrading
  • BZ - 1591422 - Proxy Error when performing advanced search
  • BZ - 1591423 - Physical Infrastructure Compliance Policies don't have default event
  • BZ - 1591425 - reading a dialog element from another dialog dynamic element fails until refreshing the dynamic element that reads the other dialog element
  • BZ - 1591427 - Slow performance with displaying catalog order dialog
  • BZ - 1591429 - CloudForms not collecting node level data from OpenShift
  • BZ - 1591450 - unable to migrate from 5.6 to 5.9 due to to a database validation error
  • BZ - 1591484 - Reconfigure service fields empty after deploying service
  • BZ - 1591939 - Saved Report "2018-04-09 11:18:31 +03" not found, Schedule may have failed
  • BZ - 1592414 - Not able to reconfigure VM
  • BZ - 1592504 - [Regression] GCE provider refresh fails in CFME 5.9
  • BZ - 1592852 - Grey background of grid view is styled differently in 5.9.2
  • BZ - 1592913 - Changing number of UI Workers errors when using French or Japanese localization
  • BZ - 1592973 - Domain prefix always included for Service Catalog Entry Points
  • BZ - 1593677 - Chargeback scheduled report for the current month shows double rates and values as compared to previous one
  • BZ - 1593684 - RHV provider full refresh fail on "undefined method `keys' for "<some guid>":String
  • BZ - 1593797 - Lifecycle VM Provision and Publish VM to Template Unusable/Slow
  • BZ - 1594027 - reports do not generate with timeout errors in logs
  • BZ - 1594268 - Drop Down Dialog Does Not Honor the Order of Values as they are Inputted
  • BZ - 1594275 - Users can see items which they don't have permissions/access to under services they own
  • BZ - 1594324 - Must Refresh UI to see Correct Tags of Datastore of vCenter VMware Provider
  • BZ - 1594386 - Unable to download largest chargeback report on production
  • BZ - 1594831 - The specify host values textbox is limited to 50 characters
  • BZ - 1594833 - User defined custom attributes are deleted by RHV targeted refresh
  • BZ - 1594839 - RHV provider target refresh fail on "undefined method `cluster'", right after VM removal
  • BZ - 1595324 - Cloudforms Automation not executing properly when multiple pods are created or killed in a short timeframe.
  • BZ - 1595418 - Provisioning embedded ansible service dialog fails
  • BZ - 1595734 - Regression Unable to Edit order of Drop Down List Entries when Editing Service Dialog
  • BZ - 1596248 - Creating OpenStack Router with user in a Tenant should list shared external networks
  • BZ - 1596249 - Normal user cannot select shared OpenStack network during VM provision
  • BZ - 1596314 - Openstack Volume Snapshots are appearing when we try to provision a instance via Lifecycle.

CVEs

  • CVE-2018-10855

References

  • https://access.redhat.com/security/updates/classification/#moderate
Note: More recent versions of these packages may be available. Click a package name for more details.

Red Hat CloudForms 4.6

SRPM
ansible-2.4.5.0-1.el7ae.src.rpm SHA-256: 89c0b30bf93250490fbb92e27fcd714571ffd32f997d6424f77e8e4d535821e6
cfme-5.9.3.4-1.el7cf.src.rpm SHA-256: a366fca6ebd60601333de5185585ae2fd0333109ed46aee524e0369881ab0dcf
cfme-amazon-smartstate-5.9.3.4-1.el7cf.src.rpm SHA-256: 127eafaa47d8bba6e3b704ab6490646de567d38defc843f568ba0ff4023de2c4
cfme-appliance-5.9.3.4-1.el7cf.src.rpm SHA-256: b272d9cc585ce57f04dac15831860fcbb5324e637118a06bb51f4fcb8facaa50
cfme-gemset-5.9.3.4-1.el7cf.src.rpm SHA-256: 85eca62a4456f94fab74e2f96a97f5c665e4c2a22b4184acc80a3c5583383288
httpd-configmap-generator-0.2.2-1.1.el7cf.src.rpm SHA-256: 0cdb3e7642cf10a38aad921a214a20598777eb5188e89f35ee23678752de2691
x86_64
ansible-2.4.5.0-1.el7ae.noarch.rpm SHA-256: 0e62dc253c5f6f43b5e2389e2ff5a0c7fd27e054163443645b8560032a593b07
ansible-doc-2.4.5.0-1.el7ae.noarch.rpm SHA-256: 61f2b7f137d772a4d8f0b27989e3130af16383b50eefeb64f1ee8cc9285b4e22
ansible-tower-3.2.5-1.el7at.x86_64.rpm SHA-256: a89ed32d69099f5f188081114e2dda6bf42a4ed71c04e3f49437166d4eb2f847
ansible-tower-server-3.2.5-1.el7at.x86_64.rpm SHA-256: adc2eaae62bf63f52ca1df8f1ddce4a0b6127b393de2b9dcd100b465dc137413
ansible-tower-setup-3.2.5-1.el7at.x86_64.rpm SHA-256: 118984897cc62f8c9dc3cff2bbf2dc564469d89327fc3bdc8232b549df59a2a4
ansible-tower-ui-3.2.5-1.el7at.x86_64.rpm SHA-256: eaebf84ff1ee36461664698ac6d29f1fe8540a083174b0302bf6d82a8d77484d
ansible-tower-venv-ansible-3.2.5-1.el7at.x86_64.rpm SHA-256: 30202c69adf76fe191e44097b7f463a8864e6f7dfadc2f5eadfec75e42163660
ansible-tower-venv-tower-3.2.5-1.el7at.x86_64.rpm SHA-256: 351c88bc16a5128bb39e766b880879e87f9eb39e1c676589de7db54b96181de0
cfme-5.9.3.4-1.el7cf.x86_64.rpm SHA-256: fcea4cedb401e57a8d17a923acbbdababb9f7f7892c109514e633eb636b2fb31
cfme-amazon-smartstate-5.9.3.4-1.el7cf.x86_64.rpm SHA-256: 0c4ea14436535d57c733f08aaa709cc9d93721e7879c919f1dea61fa3659a7ef
cfme-appliance-5.9.3.4-1.el7cf.x86_64.rpm SHA-256: 0d704c23d51667ca2ac2fe53fa17a60eaaac569db1a11fad272caff448a13493
cfme-appliance-common-5.9.3.4-1.el7cf.x86_64.rpm SHA-256: ea9d5523f34356ec96060cb069aa35868a843f27bbcdfa6e0e70e085a37f0313
cfme-appliance-debuginfo-5.9.3.4-1.el7cf.x86_64.rpm SHA-256: c88b9448c06a62f0d6c3c6a452e5202b5cec0d11d7115d9ff9523d0d74c5c197
cfme-appliance-tools-5.9.3.4-1.el7cf.x86_64.rpm SHA-256: 68621d848f8145178dcf3cb7626342b6ddaf1ed080cbe7b3e1463bc307341a33
cfme-debuginfo-5.9.3.4-1.el7cf.x86_64.rpm SHA-256: 8100f64439c244c1823183f6bee893b9ed8135e0855d5106e005d0cce5dddefa
cfme-gemset-5.9.3.4-1.el7cf.x86_64.rpm SHA-256: 05556ca6a18eb8958ef66bc54bb7475dff34c1dcf340da9072d19dca579b7986
cfme-gemset-debuginfo-5.9.3.4-1.el7cf.x86_64.rpm SHA-256: 413a9a492e2bc6acaa35ad816ccd277463dc0d31b5198330bbfa73ff3fa9e1d2
httpd-configmap-generator-0.2.2-1.1.el7cf.x86_64.rpm SHA-256: 33893c7624f3c3cebc28699e467fd03d9b8ef9e0c4be68ab9b5815fd76b34d0d

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.
