RHSA-2020:3358 - Security Advisory

Topic

An update is now available for CloudForms Management Engine 5.11.

Red Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

Red Hat CloudForms Management Engine delivers the insight, control, and automation needed to address the challenges of managing virtual environments. CloudForms Management Engine is built on Ruby on Rails, a model-view-controller (MVC) framework for web application development. Action Pack implements the controller and the view components.

Security Fix(es):

• cfme: CloudForms: CSV Injection in Orchestration Templates (CVE-2020-10780)
• cfme: CloudForms: Server-Side Request Forgery (SSRF) in Ansible Tower Provider (CVE-2020-14296)
• cfme: CloudForms: Out-of-band OS Command Injection through conversion host (CVE-2020-14324)
• cfme: CloudForms: User Impersonation in the API for OIDC and SAML (CVE-2020-14325)
• cfme-gemset: CloudForms: Cross Site Scripting in report menu title / HTML Code Injection (CVE-2020-10777)
• cfme-gemset: CloudForms: Business logic bypass through widgets (CVE-2020-10778)
• cfme-gemset: CloudForms: Missing functional level access control & IDOR lead to compromise (CVE-2020-10779)
• cfme-gemset: CloudForms: Missing access control leads to escalation of admin group privileges (CVE-2020-10783)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Red Hat would like to thank Purnachand Pulahari (IBM) and Ranjit Kumar Singh (IBM) for reporting CVE-2020-10777, CVE-2020-10778, CVE-2020-10779, CVE-2020-10780, CVE-2020-10783, CVE-2020-14296 and CVE-2020-14324. CVE-2020-14325 was discovered by Alberto Bellotti (Red Hat).

Additional Changes:

This update fixes various bugs and adds enhancements. Documentation for these changes is available from the Release Notes document linked to in the References section.

Solution

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/11258

If the postgresql service is running, it will be automatically restarted after installing this update. After installing the updated packages, the httpd daemon will be restarted automatically.

Affected Products

• Red Hat CloudForms 5.11 x86_64

Fixes

• BZ - 1671330 - [RFE] Support for disk resize on RHV
• BZ - 1713212 - In service order page it show the default value even though its not selected in dialog
• BZ - 1734629 - [RFE] set_stats - Support object update using playbook set_stats naming convention
• BZ - 1734630 - [RFE] set_stats - Support setting service_var from set_stats with naming convention
• BZ - 1741310 - "Add a provider" button for Ansible Tower provider disappears after clicking item in accordion
• BZ - 1753586 - Imported System Domains can not be deleted in CloudForms
• BZ - 1757128 - [RFE] Support Events from Service Telemetry Framework in OSP 16.1
• BZ - 1770197 - Upload custom image for service catalog items via API fails.
• BZ - 1809033 - [RFE] Create virt-v2v-wrapper state file as early as possible
• BZ - 1810040 - Migration progress status in virt-v2v-wrapper.log gets skipped
• BZ - 1810477 - The UI to create an embedded Ansible service allows for invalid combinations of options
• BZ - 1826410 - Build of rugged doesn't allow for SSH auth
• BZ - 1832278 - remove public pool while configuring NTP settings
• BZ - 1834219 - Unable to edit service dialogs
• BZ - 1836125 - User not able to view Ansible Service task output after upgrade to 5.0
• BZ - 1836158 - the url setting for ui is nil in central region if set to https in a sub region
• BZ - 1837993 - [RFE] Ability to order a request based on the previous one.
• BZ - 1838704 - [RFE] Add ability to select all the projects under a specific tenant while creating a Catalog item
• BZ - 1839770 - Retirement of a vm from central region fails with "invalid system authentication token specified"
• BZ - 1845281 - EmbeddedAnsible UI doesn't allow for file:// git urls
• BZ - 1846281 - deadlock errors updating and reindexing miq_workers table on 5.11.5
• BZ - 1847410 - Waiting for IP address is very long after migration
• BZ - 1847605 - CVE-2020-10777 CloudForms: Cross Site Scripting in report menu title / HTML Code Injection
• BZ - 1847628 - CVE-2020-10778 CloudForms: Business logic bypass through widgets
• BZ - 1847647 - CVE-2020-10779 CloudForms: Missing functional level access control & IDOR lead to compromise
• BZ - 1847794 - CVE-2020-10780 CloudForms: CSV Injection in Orchestration Templates
• BZ - 1847811 - CVE-2020-10783 CloudForms: Missing access control leads to escalation of admin group privileges
• BZ - 1847860 - CVE-2020-14296 CloudForms: Server-Side Request Forgery (SSRF) in Ansible Tower Provider
• BZ - 1847884 - [v2v] Failed to enable conversion host - failure: "No package nbdkit-plugin-python2 available"
• BZ - 1847898 - [v2v] Conversion host enable playbook looks for vddk version 7 while version 6.7 was provided
• BZ - 1848265 - Provider Refresh fails for OpenStack with error 'no implicit conversion of nil into String'
• BZ - 1850952 - [v2v] "TypeError: cannot use a bytes pattern on a string-like object" when running conversion host enable playbook
• BZ - 1855713 - CVE-2020-14324 CloudForms: Out-of-band OS Command Injection through conversion host
• BZ - 1855739 - CVE-2020-14325 CloudForms: User Impersonation in the API for OIDC and SAML

CVEs

• CVE-2020-10777
• CVE-2020-10778
• CVE-2020-10779
• CVE-2020-10780
• CVE-2020-10783
• CVE-2020-14296
• CVE-2020-14324
• CVE-2020-14325

References

• https://access.redhat.com/security/updates/classification/#critical
• https://access.redhat.com/documentation/en-us/red_hat_cloudforms/5.0/html/release_notes