RHSA-2019:2587 - Security Advisory

Issued: 2019-09-05
Updated: 2019-09-05

Synopsis

Moderate: CloudForms 4.7.9 security, bug fix and enhancement update

Type/Severity

Security Advisory: Moderate

Topic

An update is now available for CloudForms Management Engine 5.10.

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

Red Hat CloudForms Management Engine delivers the insight, control, and automation needed to address the challenges of managing virtual environments. CloudForms Management Engine is built on Ruby on Rails, a model-view-controller (MVC) framework for web application development. Action Pack implements the controller and the view components.

Security Fix(es):

  • cloudforms: stored cross-site scripting in Name field (CVE-2018-10854)
  • js-jquery: prototype pollution in object's prototype leading to denial of service or remote code execution or property injection (CVE-2019-11358)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Additional Changes:

This update fixes various bugs and adds enhancements. Documentation for these changes is available from the Release Notes document linked to in the References section.

Solution

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/11258

If the postgresql service is running, it will be automatically restarted after installing this update. After installing the updated packages, the httpd daemon will be restarted automatically.

Affected Products

  • Red Hat CloudForms 4.7 x86_64

Fixes

  • BZ - 1590538 - CVE-2018-10854 cloudforms: stored cross-site scripting in Name field
  • BZ - 1677580 - Bump oVirt Ansible roles included in the Appliance to latest released
  • BZ - 1701972 - CVE-2019-11358 js-jquery: prototype pollution in object's prototype leading to denial of service or remote code execution or property injection
  • BZ - 1733376 - Custom Button: button with dialog on Container Provider after execution lands on Infrastructure Providers page
  • BZ - 1737123 - Cloud Intel > Reports not accessible with 503 service unavailable
  • BZ - 1737618 - Cloud volumes are missing on Relationships of cloud provider summary view
  • BZ - 1738266 - Child tenant users unable to load 'Compute > Infrastructure > Virtual Machines > VMs'
  • BZ - 1740227 - Unexpected error while performing operations on vm listed under cluster
  • BZ - 1740228 - subscriptions disappear after saving changes
  • BZ - 1740229 - Validation failed: MiqSchedule: Name has already been taken
  • BZ - 1740230 - Cloud Tenant Placement is ignored in Add New Network Router for OpenStack Network Manager
  • BZ - 1740767 - Targeted refresh does not occur for openstack
  • BZ - 1740769 - Title of the ansible playbook method's edit page is incorrect
  • BZ - 1740844 - Refresh of a dynamic field will hang if the name of the field contains word “password”
  • BZ - 1741634 - [RFE] - OpenStack provider is incorrectly listing all the key pairs
  • BZ - 1741635 - Unable to view AWS keypair list as tenant_administrator
  • BZ - 1741944 - Custom Button: button with dialog on storage manager after execution lands on wrong page
  • BZ - 1741945 - Custom Button: button with dialog on Network Manager after execution lands on Infrastructure Providers page
  • BZ - 1743266 - Fatal error Couldn't find Service with id for DRO button

CVEs

  • CVE-2018-10854
  • CVE-2019-11358

References

  • https://access.redhat.com/security/updates/classification/#moderate
  • https://access.redhat.com/documentation/en-us/red_hat_cloudforms/4.7/html/release_notes

Note: More recent versions of these packages may be available.

Red Hat CloudForms 4.7

SRPM

  • cfme-5.10.9.1-1.el7cf.src.rpm
  • cfme-amazon-smartstate-5.10.9.1-1.el7cf.src.rpm
  • cfme-appliance-5.10.9.1-1.el7cf.src.rpm
  • cfme-gemset-5.10.9.1-1.el7cf.src.rpm
  • ovirt-ansible-hosted-engine-setup-1.0.23-1.el7ev.src.rpm
  • ovirt-ansible-roles-1.1.7-1.el7ev.src.rpm
  • ovirt-ansible-vm-infra-1.1.19-1.el7ev.src.rpm
  • v2v-conversion-host-1.14.2-1.el7ev.src.rpm

x86_64

  • ansible-tower-3.5.2-1.el7at.x86_64.rpm
  • ansible-tower-server-3.5.2-1.el7at.x86_64.rpm
  • ansible-tower-setup-3.5.2-1.el7at.x86_64.rpm
  • ansible-tower-ui-3.5.2-1.el7at.x86_64.rpm
  • ansible-tower-venv-ansible-3.5.2-1.el7at.x86_64.rpm
  • ansible-tower-venv-tower-3.5.2-1.el7at.x86_64.rpm
  • cfme-5.10.9.1-1.el7cf.x86_64.rpm
  • cfme-amazon-smartstate-5.10.9.1-1.el7cf.x86_64.rpm
  • cfme-appliance-5.10.9.1-1.el7cf.x86_64.rpm
  • cfme-appliance-common-5.10.9.1-1.el7cf.x86_64.rpm
  • cfme-appliance-debuginfo-5.10.9.1-1.el7cf.x86_64.rpm
  • cfme-appliance-tools-5.10.9.1-1.el7cf.x86_64.rpm
  • cfme-debuginfo-5.10.9.1-1.el7cf.x86_64.rpm
  • cfme-gemset-5.10.9.1-1.el7cf.x86_64.rpm
  • cfme-gemset-debuginfo-5.10.9.1-1.el7cf.x86_64.rpm
  • ovirt-ansible-hosted-engine-setup-1.0.23-1.el7ev.noarch.rpm
  • ovirt-ansible-roles-1.1.7-1.el7ev.noarch.rpm
  • ovirt-ansible-vm-infra-1.1.19-1.el7ev.noarch.rpm
  • v2v-conversion-host-ansible-1.14.2-1.el7ev.noarch.rpm
  • v2v-conversion-host-wrapper-1.14.2-1.el7ev.noarch.rpm

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.
