Red Hat Product Errata RHSA-2018:3466 - Security Advisory
Issued:
2018-11-05
Updated:
2018-11-05

Synopsis

Moderate: CloudForms 4.6.5 security, bug fix and enhancement update

Type/Severity

Security Advisory: Moderate

Topic

An update is now available for CloudForms Management Engine 5.9.

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

Red Hat CloudForms Management Engine delivers the insight, control, and automation needed to address the challenges of managing virtual environments. CloudForms Management Engine is built on Ruby on Rails, a model-view-controller (MVC) framework for web application development. Action Pack implements the controller and the view components.

Security Fix(es):

  • rubyzip: arbitrary file write vulnerability / arbitrary code execution using a specially crafted zip file (CVE-2018-1000544)

For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.
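The rubyzip issue above belongs to the "zip slip" class: an archive entry name such as `../../etc/cron.d/job` is joined onto the extraction directory and written wherever it resolves. The following is an added example, not code from the advisory or the rubyzip project, showing the containment check that closes this class: every entry name is resolved against the destination and rejected if it lands outside. The function names, the `/tmp/out` destination and the entry names are constructed for illustration; the check is written in plain Ruby so it runs without the zip gem.

```ruby
# Added example (not from the advisory or rubyzip): reject archive entry
# names that would resolve outside the extraction directory.
class UnsafeZipEntry < StandardError; end

# Return the absolute on-disk path for +entry_name+ under +dest_dir+, or
# raise UnsafeZipEntry if the resolved path escapes the destination.
def safe_extract_path(dest_dir, entry_name)
  dest = File.absolute_path(dest_dir)
  # File.absolute_path, unlike File.expand_path, does not expand "~", so an
  # entry named "~/.bashrc" stays a literal directory under dest.
  target = File.absolute_path(entry_name, dest)
  # The trailing separator matters: "/tmp/out-sibling" starts with
  # "/tmp/out" but is not inside it.
  unless target == dest || target.start_with?(dest + File::SEPARATOR)
    raise UnsafeZipEntry, "entry #{entry_name.inspect} resolves outside #{dest}"
  end
  target
end

# Split a list of entry names into [[name, resolved_path], ...] that are safe
# to write and a list of rejected names (what an extractor should log).
def triage_entries(dest_dir, names)
  safe = []
  rejected = []
  names.each do |name|
    begin
      safe << [name, safe_extract_path(dest_dir, name)]
    rescue UnsafeZipEntry
      rejected << name
    end
  end
  [safe, rejected]
end

# Constructed entry names modelled on the traversal pattern; not from a real archive.
SAMPLE_ENTRIES = [
  "app/config.yml",         # ordinary relative entry
  "../../etc/cron.d/job",   # classic parent-directory traversal
  "/etc/passwd",            # absolute path stored in the archive
  "~/.bashrc",              # would escape if "~" were expanded
  "nested/../ok.txt",       # ".." that still stays inside dest
  "../out-sibling/x",       # escapes into a sibling with a shared prefix
].freeze

if __FILE__ == $PROGRAM_NAME
  safe, rejected = triage_entries("/tmp/out", SAMPLE_ENTRIES)
  safe.each { |name, path| puts "ok       #{name} -> #{path}" }
  rejected.each { |name| puts "REJECTED #{name}" }
end
```

Run the check before any file or directory is created for an entry; applying it only to regular files still lets a traversing directory entry be created.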

Additional Changes:

This update fixes various bugs and adds enhancements. Documentation for these changes is available from the Release Notes document.

Solution

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/11258

Affected Products

  • Red Hat CloudForms 4.6 x86_64

Fixes

  • BZ - 1592571 - Service Dialog Editor localization in French Incomplete
  • BZ - 1593001 - CVE-2018-1000544 rubyzip: arbitrary file write vulnerability / arbitrary code execution using a specially crafted zip file
  • BZ - 1599349 - API with an invalid zone name kills the appliance
  • BZ - 1603026 - Vim Performance States Table Causing Region to Lock up During a Vacuum
  • BZ - 1607409 - The remote_ws_url value does not failover if the appliance is stopped, so "api_url" can be incorrect in an Ansible playbook
  • BZ - 1607438 - Alerts do not trigger and do not send email notification
  • BZ - 1608368 - Ansible Jobs Causing State Machine to Fail due to Inactivity Threshold Exceeding 0
  • BZ - 1608770 - custom button page empty
  • BZ - 1612905 - internal server error when cloud_tenants or flavors subcollection is requested on infra provider
  • BZ - 1613333 - Couldn't find EmsFolder with 'id'
  • BZ - 1613420 - OpenStack deletion gives problem
  • BZ - 1615465 - Using database wildcard `%25` in VM queries causes exception, returns 500 to client
  • BZ - 1618800 - Open URL Does Not Work When Using a Dialog with a Button
  • BZ - 1618805 - CloudForms tries to collect metrics from OCP despite not being configured for it
  • BZ - 1618807 - [RFE] Restore VM ownership and retirement during migration
  • BZ - 1618808 - Migrations linking jobs and miq_tasks could take long time when upgrading to 5.9
  • BZ - 1619431 - [v2v] Network Missing in Infra Mapping
  • BZ - 1619654 - [v2v] Schedule Unschedule Migration does not seem to work correctly
  • BZ - 1621441 - Change VMware URI to connect directly to ESXi
  • BZ - 1621445 - Default Dashboard can't be updated
  • BZ - 1621449 - Fix displaying disk type of a VM created from template and passing clone parameter to RHV
  • BZ - 1622631 - reports using "group by" on date show a total column per vm instead of showing a total at the end of the report
  • BZ - 1622652 - Service Retirement runs twice for direct service children
  • BZ - 1623557 - virt-v2v Fails with IMS when Using AD Credentials for VMware Provider
  • BZ - 1623559 - [RFE] Add state_machine_phase attribute to transformation state machines
  • BZ - 1623560 - Dynamic Text Area and Text Box Elements Load Even Though Load on Init is not Marked
  • BZ - 1623561 - displaying -Child Orchestration Stacks- throwing UI error
  • BZ - 1623563 - unable to generate chargeback based on metering for vms with traceback in logs
  • BZ - 1623565 - Add log messages to Chargeback
  • BZ - 1623573 - unable to add disk to vm via rest-api vm reconfiguration on vmware [request backport from existing commit]
  • BZ - 1623582 - Change in chargeback report logging output
  • BZ - 1625249 - Read Action Forbidden When User Tries to Attach Cloud Volume OpenStack
  • BZ - 1625323 - UI breaks when viewing instance details.
  • BZ - 1625376 - Wrong timezone when selecting retirement time
  • BZ - 1626143 - Storage Domain ignored on provisioning
  • BZ - 1626219 - nuage refresh fails - undefined method `[]' ... security_groups
  • BZ - 1626474 - Handle service retirement date in service dialog
  • BZ - 1628348 - Update to Azure Government endpoint
  • BZ - 1628657 - Unable to retry Embedded Ansible method in a state machine
  • BZ - 1629089 - [RFE] Add more RAM options size to life cycle dialog
  • BZ - 1629090 - [SSUI] Able to create snapshot with memory on powered down VM
  • BZ - 1629094 - Make the checkbox column in the column view not clickable
  • BZ - 1629121 - When a button is for 'single and list' or 'list' and has a visibility expression, the button does not display in the list view even when all VMs in the list meet the expression
  • BZ - 1629124 - giving volume name shouldn't be mandatory in case of Openstack instance provisioning
  • BZ - 1629125 - OSP domain user sees objects from other domain tenants
  • BZ - 1629126 - [RFE] Add support to oVirt provider to set VM memory and CPU
  • BZ - 1629127 - UI Monitor Alerts page is slow to load and when clicking on link it shows blank page with no alerts
  • BZ - 1629129 - Cannot add Ansible Tower or refresh already added Ansible Tower
  • BZ - 1629897 - Memory threshold set from Workers tab doesn't work
  • BZ - 1630938 - Refactor restoring VM attributes during migration
  • BZ - 1631557 - Unable to provision VM with "choose automatic option"
  • BZ - 1631817 - Not able to access Openstack instance console from selfservice portal
  • BZ - 1632769 - Triggered Refresh Still Occurs for Dialog After Changing Type to Static
  • BZ - 1634032 - To be able to add and create reports, the edit report role is needed.
  • BZ - 1634808 - Password hashes in Automate Log
  • BZ - 1635038 - VMware vCloud Provider's vApp Provisioning Dialog Cannot be Submitted
  • BZ - 1635764 - Power management via API falling into the wrong zone leading to permanently queued requests
  • BZ - 1637035 - Add transformation utils methods
  • BZ - 1637185 - [RHV] ISO provisioning fails with undefined SDK method
  • BZ - 1637720 - Unable to see chargeback rate under rates accordion
  • BZ - 1638684 - VMware vCloud Provider's vApp Service Cannot be Fully Retired
  • BZ - 1639300 - Unable to perform chargeback assignments for compute
  • BZ - 1639413 - When ordering a service via the API the service dialog is not executed
  • BZ - 1639877 - Can't change Server's Zone
  • BZ - 1641670 - [regression][Custom Button] Unexpected error encountered in infrastructure and datastore object type when method and dialog both attached
  • BZ - 1641810 - undefined method `find_tagged_with' for #<Class:0x000000000b5e3228> [miq_request/show_list]

CVEs

  • CVE-2018-1000544

References

  • https://access.redhat.com/security/updates/classification/#moderate
  • https://access.redhat.com/documentation/en-us/red_hat_cloudforms/4.6/html/release_notes
Note: More recent versions of these packages may be available. Click a package name for more details.

Red Hat CloudForms 4.6


The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.