Red Hat Product Errata RHSA-2019:4201 - Security Advisory
Issued: 2019-12-12
Updated: 2019-12-12

Synopsis

Moderate: CloudForms 5.0.1 security, bug fix and enhancement update

Type/Severity

Security Advisory: Moderate

Topic

An update is now available for CloudForms Management Engine 5.11.

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

Red Hat CloudForms Management Engine delivers the insight, control, and automation needed to address the challenges of managing virtual environments. CloudForms Management Engine is built on Ruby on Rails, a model-view-controller (MVC) framework for web application development. Action Pack implements the controller and the view components.

Security Fix(es):

  • cfme: rubygem-rubyzip denial of service via crafted ZIP file (CVE-2019-16892)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Additional Changes:

This update fixes various bugs and adds enhancements. Documentation for these changes is available from the Release Notes document linked to in the References section.

Solution

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/11258

If the postgresql service is running, it will be automatically restarted after installing this update. After installing the updated packages, the httpd daemon will be restarted automatically.

Affected Products

  • Red Hat CloudForms 5.11 x86_64

Fixes

  • BZ - 1713400 - [RFE] Cloud Key pair don't have relationships with owner and group that build this key
  • BZ - 1730066 - Unable to view AWS keypair list as tenant_administrator
  • BZ - 1747179 - [Regression] [ActionView::Template::Error] undefined method `tenant_group?' while setting ownership for key pairs
  • BZ - 1767548 - Remove .py extension from calls to virt-v2v-wrapper
  • BZ - 1767549 - Run the preflight check of migration task before waiting for a conversion host
  • BZ - 1767550 - [RFE] Add ability to remove all snapshots asynchronously
  • BZ - 1767645 - [RFE] Hide the Configuration -> Database screen
  • BZ - 1767646 - Unassigned buttons of a Service shows when its Catalog Item has custom buttons
  • BZ - 1767647 - Unable to access "Automate/Requests" tab for a role without exposing "Service/Requests"
  • BZ - 1767648 - Server Error (API) when creating Orchestration Template with duplicate content
  • BZ - 1767656 - [Regression] Unable to capture memory metric from Azure instances
  • BZ - 1767659 - Chargeback report preview fails
  • BZ - 1767660 - Service Requests Requester dropdown not sorted
  • BZ - 1767774 - appliance_console_cli returns 0 on failure
  • BZ - 1767775 - [RFE] Add AWS Bahrain region to CFME
  • BZ - 1767776 - [RFE] - Update Host/Node filter to reflect supported versions of ESX
  • BZ - 1767777 - Typo on list of Host/Nodes global filters -- Status / Orphaned
  • BZ - 1767783 - [RFE] Dis-allow the addition of ESX hosts directly
  • BZ - 1767784 - Unable to receive "generalize" event from Azure after generalizing an instance
  • BZ - 1767786 - API should not declare HTTP DELETE verb on pxe_servers collection
  • BZ - 1767788 - The UI warning about RSA is deprecated and not true anymore.
  • BZ - 1767789 - Passwords stored in variables(extra_vars) are visible in clear text in the Appliance evm.log
  • BZ - 1767790 - there are exceptions "rescue in type_cast" in logs in global and remote region appliances
  • BZ - 1767791 - Chargeback reports not working
  • BZ - 1767796 - Add support for VM conversion host in RHV
  • BZ - 1767809 - UI crashes when going to Details of Azure Network Port somehow associated to Load Balancers
  • BZ - 1767810 - Traceback when clicking on Overview > Chargeback > Reports
  • BZ - 1767811 - [RHV] Last Boot Time is "N/A" for VM if you shutdown guest
  • BZ - 1767818 - [Regression] top_output.log only showing ruby and not the process names
  • BZ - 1767819 - unable to remove duplicate guest devices due to memory
  • BZ - 1767821 - [RFE] Remove list view button on my service sui page if there is no use of it
  • BZ - 1767823 - [RFE] Generic Object builder tab cycle missing the add (commit) remove buttons
  • BZ - 1767824 - multiple workers start the same retirement when retirement date is reached
  • BZ - 1767833 - [UI] Erroneous behavior of spinner and spinner box in advanced search loading
  • BZ - 1767834 - Refresh of OpenShift provider in CloudForms happen to panic apiserver
  • BZ - 1767835 - Changing groups with a user assigned to multiple groups logs out of appliance
  • BZ - 1767836 - Choice in Drop Down that References Category (Tag Control Item) is Incorrect
  • BZ - 1767837 - [RFE] Automating the generation of widget content Via RESTAPI
  • BZ - 1767880 - evm.log is full of error messages "cannot obtain exclusive access to locked queue"
  • BZ - 1767881 - Host creds validation fails if host's ssh key has changed before
  • BZ - 1767885 - [RFE] VMware guests are incorrectly marked as linked_clone true, remove attribute
  • BZ - 1767886 - [RFE] custom service catalog icons being deleted are not actually deleted
  • BZ - 1767895 - [NoMethodError]: undefined method `path' for nil:NilClass Method:[block (2 levels) in <class:LogProxy>] during scheduled NFS backup
  • BZ - 1767896 - Lifecycle retirement fails for user that no longer has groups
  • BZ - 1767901 - [RFE] automate method to delete a tag from a category
  • BZ - 1768456 - Date picker takes a date previous to what is selected in the dialog
  • BZ - 1768517 - [RFE] validate infra mappings
  • BZ - 1768520 - [v2v] Ordering a migration plan, that contains MIGRATED VM/s, fails with an unclear error message.
  • BZ - 1768525 - Remove Automate code for TransformationHost
  • BZ - 1768530 - Add conversion host validation for config params
  • BZ - 1768576 - Sporadic 404 Error when deleting custom button on generic object class
  • BZ - 1768638 - [RFE] Import/export schedules to replicate on other sites
  • BZ - 1771298 - CVE-2019-16892 cfme: rubygem-rubyzip denial of service via crafted ZIP file
  • BZ - 1771737 - ping endpoint fails with "Error caught: [ActionView::MissingTemplate] Missing template ping/index"
  • BZ - 1773666 - [RFE] Custom button: generic class level button deletion not showing a specific flash message
  • BZ - 1773667 - Incorrect flash when custom button under generic object class is deleted
  • BZ - 1775684 - Need the ability to configure the appliance for SAML using the appliance console CLI.

CVEs

  • CVE-2019-16892

References

  • https://access.redhat.com/security/updates/classification/#moderate
  • https://access.redhat.com/documentation/en-us/red_hat_cloudforms/5.0/html/release_notes

Note: More recent versions of these packages may be available.

Red Hat CloudForms 5.11

SRPM
cfme-5.11.1.2-1.el8cf.src.rpm SHA-256: 920a15197d7279353704944b6c1e172c7d4edba4e7a01e821ccc4d03462836bf
cfme-amazon-smartstate-5.11.1.2-1.el8cf.src.rpm SHA-256: a107ddbcfa62ffd17f2dc3ef82547a142412090d1fd39e93b10320bc3933b845
cfme-appliance-5.11.1.2-1.el8cf.src.rpm SHA-256: b6b0663bd6002039169347a6eec883f088ab82d6f46d47a17de66a346212d35d
cfme-gemset-5.11.1.2-1.el8cf.src.rpm SHA-256: 12280438dce3ebc16dcb2a859ed6d7d0e3f6b7bbfa4e1e69de3c2ffac63689d9
ovirt-ansible-hosted-engine-setup-1.0.28-1.el8ev.src.rpm SHA-256: 3d2d3723230d33be92fcc8687c1cea5ca1ca99d1a62b2f5a53639e1e38f158be
v2v-conversion-host-1.15.0-1.el8ev.src.rpm SHA-256: 87a6a621f62c1c25f9a50d5945a9beba9c40e0651aef3d81374bd7c319811ae4
x86_64
cfme-5.11.1.2-1.el8cf.x86_64.rpm SHA-256: 079672d87d29b4f37b410c75ec9095a773fb9ba9f1b37b745aa5843ebb53425f
cfme-amazon-smartstate-5.11.1.2-1.el8cf.x86_64.rpm SHA-256: af41bee9bc422adbdfeb10859408b1a96d1dbc9086cb69a9a1ca988679c393ec
cfme-appliance-5.11.1.2-1.el8cf.x86_64.rpm SHA-256: 13bf7662de695b1305c12a325df2767595dacd8aecdf0362a27962f2b305023b
cfme-appliance-common-5.11.1.2-1.el8cf.x86_64.rpm SHA-256: bb1fae6a832cdf4cf591444d68a703d1e3f1e21ec5a917e2716b7e42fb5db824
cfme-appliance-tools-5.11.1.2-1.el8cf.x86_64.rpm SHA-256: 3bc1667fc7b896e25fd4a6807030bf37fa1e360e2c3dc4decc11aeb6dd89d31b
cfme-gemset-5.11.1.2-1.el8cf.x86_64.rpm SHA-256: fe8923e50897c94c7765e73ec9df75a279a818983b07d88a76337c3220cf9e14
ovirt-ansible-hosted-engine-setup-1.0.28-1.el8ev.noarch.rpm SHA-256: 996e5b443b7d13a2f797e90d3c1ee902ada0e50c5052881d113a38ca48b51308
v2v-conversion-host-ansible-1.15.0-1.el8ev.noarch.rpm SHA-256: ddcaddef5fdf0e4b55c08f62b35d40ed054cf250505c82a46b26f50fa9fee7d5

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.
