-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: CFME 5.7.3 security, bug fix and enhancement update
Advisory ID:       RHSA-2017:1601-01
Product:           Red Hat CloudForms
Advisory URL:      https://access.redhat.com/errata/RHSA-2017:1601
Issue date:        2017-06-28
Cross references:  RHSA-2017:0898
CVE Names:         CVE-2016-4457 CVE-2016-7047 CVE-2017-7497
=====================================================================
1. Summary:
Updates for cfme, cfme-appliance, cfme-gemset, rh-ruby23-rubygem-nokogiri, and rh-ruby23-rubygem-ovirt-engine-sdk4 are now available for CloudForms Management Engine 5.7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
2. Relevant releases/architectures:
CloudForms Management Engine 5.7 - noarch, x86_64
3. Description:
Red Hat CloudForms Management Engine delivers the insight, control, and automation needed to address the challenges of managing virtual environments. CloudForms Management Engine is built on Ruby on Rails, a model-view-controller (MVC) framework for web application development. Action Pack implements the controller and the view components.
rh-ruby23-rubygem-nokogiri provides Nokogiri, which is an HTML, XML, SAX, and Reader parser. Among Nokogiri's many features is the ability to search documents using XPath or CSS3 selectors. rh-ruby23-rubygem-ovirt-engine-sdk4 provides the ruby SDK for the oVirt Engine API.
The following packages have been upgraded to a later upstream version: cfme (5.7.3.2), cfme-gemset (5.7.3.2), rh-ruby23-rubygem-nokogiri (1.7.2), cfme-appliance (5.7.3.2), rh-ruby23-rubygem-ovirt-engine-sdk4 (4.1.5). (BZ#1442774, BZ#1459319)
This update also fixes several bugs and adds various enhancements. Documentation for these changes is available from the Technical Notes document linked to in the References section.
Security Fix(es):
* CloudForms includes a default SSL/TLS certificate for the web server, and the same default certificate ships with every install, so its private key must be assumed to be known to others. The certificate is meant to be replaced at install time; however, an attacker able to man-in-the-middle the administrator's connection while the replacement certificate is being installed could obtain a copy of the uploaded private key and use it in later attacks. (CVE-2016-4457)
* The dialog for creating cloud volumes (Cinder provider) in CloudForms does not filter cloud tenants by user. An attacker with the ability to create storage volumes could use this to create storage volumes in any other tenant. (CVE-2017-7497)
* A flaw was found in the CloudForms API. A user with permission to use the MiqReportResults capability within the API could view report results belonging to other tenants or groups to which they should not have access. (CVE-2016-7047)
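Both CVE-2017-7497 and CVE-2016-7047 above are the same class of defect: a choice list or an object lookup that is not scoped to the requesting user's tenants or groups. The following Ruby is an added illustration, not CloudForms or ManageIQ code; the Struct-based models, the sample users and tenants, and the function names are constructed for the example. It shows the unscoped lookups beside their scoped replacements, and why the scoping has to be repeated on submit rather than only in the dropdown.

```ruby
# Added illustration (not CloudForms code): scope tenant choices and
# report results to the requesting user's own tenants/groups, and
# re-check on submit so a crafted request cannot bypass the UI filter.

Tenant       = Struct.new(:id, :name)
Group        = Struct.new(:id, :name, :tenant_id)
User         = Struct.new(:id, :name, :group_ids)
Volume       = Struct.new(:name, :tenant_id)
ReportResult = Struct.new(:id, :group_id, :rows)

class AuthorizationError < StandardError; end

# Constructed sample data: two tenants, one admin group per tenant.
TENANTS = [Tenant.new(1, "alpha"), Tenant.new(2, "beta")]
GROUPS  = [Group.new(10, "alpha-admins", 1), Group.new(20, "beta-admins", 2)]
REPORT_RESULTS = [
  ReportResult.new(100, 10, ["alpha vm-1", "alpha vm-2"]),
  ReportResult.new(200, 20, ["beta vm-9"]),
]

def groups_for(user)
  GROUPS.select { |g| user.group_ids.include?(g.id) }
end

# Vulnerable pattern (CVE-2017-7497): every tenant is offered in the
# dialog, regardless of who is asking.
def tenant_choices_unfiltered(_user)
  TENANTS
end

# Fixed: only tenants reachable through the user's groups are offered.
def tenant_choices_for(user)
  allowed = groups_for(user).map(&:tenant_id)
  TENANTS.select { |t| allowed.include?(t.id) }
end

# Server-side check on submit. Filtering the dropdown alone is not
# enough: tenant_id arrives as a form/API parameter the client controls.
def create_volume(user, name, tenant_id)
  unless tenant_choices_for(user).any? { |t| t.id == tenant_id }
    raise AuthorizationError, "user #{user.name} may not use tenant #{tenant_id}"
  end
  Volume.new(name, tenant_id)
end

# Vulnerable pattern (CVE-2016-7047): a report result is looked up by
# id only, so any id the caller can guess is readable.
def report_result_unfiltered(_user, id)
  REPORT_RESULTS.find { |r| r.id == id }
end

# Fixed: the lookup is scoped to the caller's groups, so a result owned
# by another group is simply not found (a 404 rather than a 403, which
# also avoids confirming that the id exists).
def report_result_for(user, id)
  allowed = groups_for(user).map(&:id)
  REPORT_RESULTS.find { |r| r.id == id && allowed.include?(r.group_id) }
end

if __FILE__ == $0
  alice = User.new(1, "alice", [10])
  puts tenant_choices_unfiltered(alice).map(&:name).inspect # ["alpha", "beta"]
  puts tenant_choices_for(alice).map(&:name).inspect        # ["alpha"]
  begin
    create_volume(alice, "vol-x", 2)
  rescue AuthorizationError => e
    puts "blocked: #{e.message}"
  end
  p report_result_unfiltered(alice, 200) # beta's result, leaked
  p report_result_for(alice, 200)        # nil
end
```

The scoped lookup is the important half: the dropdown filter only changes what a well-behaved browser shows, while `create_volume` and `report_result_for` decide what the server will actually do with an arbitrary `tenant_id` or result id sent straight to the API.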
The CVE-2016-4457 and CVE-2016-7047 issues were discovered by Simon Lukasik (Red Hat) and the CVE-2017-7497 issue was discovered by Gellert Kis (Red Hat).
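For CVE-2016-4457, the practical defence on the administrator's side is to pin the fingerprint of the certificate the appliance is expected to present, obtained out of band, before the replacement private key is sent over the connection. The Ruby below is an added example and is not CloudForms code or the appliance's upload mechanism; it only builds the pinned TLS connection that such an upload should run over. The local throwaway TLS server, the self-signed stand-in certificates and the host name `cfme.example.test` are constructed for the demonstration.

```ruby
require "openssl"
require "socket"

# Added example, not CloudForms code. The client side of a certificate
# upload pins the SHA-256 fingerprint of the certificate the appliance
# is expected to present, so a man-in-the-middle offering a different
# certificate is rejected before the replacement private key is sent.

# Colon-separated fingerprint, as printed by
# `openssl x509 -noout -fingerprint -sha256`.
def fingerprint(cert)
  OpenSSL::Digest.new("SHA256").hexdigest(cert.to_der).upcase.scan(/../).join(":")
end

# Pure decision used by the verify callback: the leaf must match the pin.
# A fingerprint is not a secret, so a plain comparison is adequate.
def pinned_leaf?(cert, expected_fp)
  fingerprint(cert) == expected_fp.upcase
end

# SSL context that accepts exactly the pinned leaf. The default appliance
# certificate is self-signed, so validation against the system trust
# store would fail anyway; the pin, not the issuer, is what is trusted.
def pinned_context(expected_fp)
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.verify_mode = OpenSSL::SSL::VERIFY_PEER
  ctx.verify_callback = lambda do |_preverify_ok, store_ctx|
    # Intermediates (depth > 0) are not pinned; the leaf at depth 0 decides.
    store_ctx.error_depth > 0 || pinned_leaf?(store_ctx.current_cert, expected_fp)
  end
  ctx
end

# Connect and complete the handshake. OpenSSL::SSL::SSLError is raised if
# the presented certificate does not match the pin; the returned socket is
# the one the upload of the new key and certificate should use.
def connect_pinned(host, port, expected_fp)
  ssl = OpenSSL::SSL::SSLSocket.new(TCPSocket.new(host, port), pinned_context(expected_fp))
  ssl.sync_close = true
  ssl.connect
  ssl
end

# --- Constructed stand-ins for the appliance and for an attacker ---

# Self-signed certificate, the kind the appliance ships by default.
def self_signed(cn)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 86_400
  cert.sign(key, OpenSSL::Digest.new("SHA256"))
  [key, cert]
end

# Throwaway TLS server on 127.0.0.1 presenting `cert` for one connection;
# yields the chosen port to the block.
def with_tls_server(key, cert)
  sctx = OpenSSL::SSL::SSLContext.new
  sctx.key = key
  sctx.cert = cert
  tcp = TCPServer.new("127.0.0.1", 0)
  server = OpenSSL::SSL::SSLServer.new(tcp, sctx)
  acceptor = Thread.new do
    begin
      server.accept.close
    rescue StandardError
      # The client aborted the handshake: expected when the pin rejects us.
    end
  end
  yield tcp.addr[1]
ensure
  acceptor&.join(5)
  tcp&.close
end

# true if a client pinned to `expected_fp` completes a handshake with a
# server presenting `cert`; false if the pin rejects that server.
def pin_accepts?(key, cert, expected_fp)
  with_tls_server(key, cert) do |port|
    connect_pinned("127.0.0.1", port, expected_fp).close
    true
  end
rescue OpenSSL::SSL::SSLError
  false
end

if __FILE__ == $0
  appliance_key, appliance_cert = self_signed("cfme.example.test")
  pin = fingerprint(appliance_cert)                        # obtained out of band in practice
  mitm_key, mitm_cert = self_signed("cfme.example.test")   # same name, different key
  puts "pin:       #{pin}"
  puts "appliance: #{pin_accepts?(appliance_key, appliance_cert, pin)}"  # true
  puts "mitm:      #{pin_accepts?(mitm_key, mitm_cert, pin)}"            # false
end
```

Note that the pin has to be the fingerprint of whatever certificate the appliance currently presents when the upload happens, which for a fresh install is the shared default certificate. Pinning it does not make that default key trustworthy in general; it only ensures the upload goes to the appliance the administrator is looking at rather than to an interposed host, and the new certificate's fingerprint should be recorded and verified immediately afterwards.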
4. Solution:
For details on how to apply this update, which includes the changes described in this advisory, refer to:
https://access.redhat.com/articles/11258
5. Bugs fixed (https://bugzilla.redhat.com/):
1322396 - [RFE] Allow for deletion of group when users belong to another group
1341308 - CVE-2016-4457 CFME: default certificate used across all installs
1350340 - Downloading the job templates of Anisble tower displays wrong data
1402992 - VM snapshot: revert option is enabled, for Active VM
1403358 - Add Provider->Type "RHEVM" should change to "RHV"
1414869 - VMRC is not working if IE compatibility mode is disabled
1419604 - [AnsibleTowerClient::ConnectionError]: Your license does not allow adding surveys
1428944 - Vulnerable JQuery Version
1430468 - Parent tenant displayed in list view when allowed by RBAC
1434152 - [RFE] Support for custom Amazon Regions in Provider
1434952 - delete action in /api/orchestration_templates results in error
1436074 - Back/Cancel buttton is missing on host drift comparison page
1436222 - The option of VM migration to the same host it is already running on is possible
1436226 - Persistent volume relationship link broken
1436228 - When the same action is used twice for a policy, action icons are inconsistent
1436232 - WebUI - Web Console button is enabled for archived vm's
1436233 - Container Provider - Capacity & Utilization: The page you were looking for doesn't exist
1436236 - Can't add provider specific catalog items to global region
1436237 - Event filter For Openstack::InfraManager
1436756 - when editing an existing user the field "Full Name" has the value of the field "Username"
1437146 - Policy conditions based on 'VM and Instance.vLANs' field not working
1437148 - [AWS][SDN] - Cannot edit or create Cloud networks/subnets
1437595 - Datepicker freezes after the first run of the "C & U Gap Collection".
1437909 - "Save" and "Reset" buttons are absent when adding log collection configuration
1437912 - Edit log collection menu has no spinner
1437925 - Policy to prevent a host scan request did not work
1438094 - [Regression] Azure provider refresh fails
1438866 - [VMWARE]Auto_placement provision fails due to selecting Host in Maintenance state
1439291 - Azure metrics collection failing with "MonitoringServiceException"
1439314 - service dialog can be submitted before entry point code on dynamic fields has completed execution
1439319 - SUI : Cockpit icon tooltip gets in the way of button click
1439789 - [RFE] Allow for template network interface type to be overwritten during a provision
1439945 - Vmware infra provider refresh fail
1440399 - UI: Hover text is overlapped by navigation menu on Topology
1440400 - UI: Hover text associated for button is not shown properly on Infrastructure Topology page.
1440401 - Unable to save automation task schedule using eastern time zone
1440402 - Policy to prevent a VM retire request did not work
1440701 - [RBAC] - Spinner when creating new role
1441199 - Error '[NoMethodError]: undefined method `base_model' for NilClass:Class' generating chargeback for container images report
1441202 - OpenShift Refresh duration exceeds default two hour timeout and grows > 8GB never fully completing
1441204 - Message timeout of 600 seconds does not allow perf_capture_timer to finish
1441251 - Unexpected error while executing a custom button
1441272 - queue_name_for_metrics_collection raises an exception when ems is nil
1441293 - Tag Visibility | Error: undefined method `base_class' for NilClass:Class on selecting container image on containers page
1441331 - appliance_console doesn't ask for database disk while setting secondy DB appliance
1441401 - Enable Central Admin UI has code artifact
1441648 - methods not sorted in frame on right side in automate
1441727 - Smartstate Analysis Error Unable to mount filesystem Unable to determine port used by VixDiskLib VMware
1441742 - When moving AWS provider from one zone to another Network Manager info no longer updates
1441752 - null result when deleting orchestration templates using REST API
1441754 - Get IP address automation code not working Azure
1441855 - OpenShift provider event storm POD_FAILEDSYNC
1442105 - UI: Topology - unable to confirm search by pressing the Return key, reacts only to a mouse click
1442156 - [SDN] - Disable CRUD actions for Azure/Amazon Network providers
1442164 - OSP refresh fail with Validation failed: Name can't be blank
1442169 - When using dynamic drop downs, sorting of items doesn't work in self service portal.
1442177 - EC2 provision dialogs do not support selecting multiple IPs for multi provision
1442764 - OpenStack refresh fail with nil:NilClass
1442769 - Rhev inventory refresh fails after rhev upgrade from 3.6 to 4.0
1442774 - Update oVirt SDK to version 4.1.z
1442865 - Automate import does not update display_name and description attributes in Namespace objects
1442877 - cloud_init re-runs on appliacne reboot, static networking configuration lost
1443246 - Clicking on Group or Role name link/icon in the user's details page does nothing
1443248 - Using REST API - encountering "NoMethodError: undefined method `key?' for #<Array..."
1443563 - NoMethodError Nil actioncable / pubsub_adapter
1443572 - the amazon best fit method sometimes attempts to select networks that aren't available to the region in use
1443580 - After saving default filter in datastores and clearing it infinispinner
1443697 - Full refresh of second VMware provider isn't automatically started after it is added
1443799 - Containers may get (ems_id and old_ems_id) == nil
1444037 - UI: List views forget checked items when resorted by clicking on a column header.
1444041 - Chargeback for container images report editor filter tab produces an error if there are too many images in the database
1444052 - Chargeback report generation keeps whole openshift env in the memory (even after it finishes)
1444062 - Self Service UI does not properly select defaults for dynamic drop downs
1444178 - [SDN][Azure] - Edit Tags button clickable after Net provider refresh without selected provider
1444182 - Sorting configuration providers by url throws "undefinedColumn: ERROR: column providers.url does not exist"
1444214 - Ensure managers change zone and provider region with cloud manager (OpenStack)
1444220 - Ensure managers change zone and provider region with cloud manager (Google)
1444486 - Policy Simulation results tree nodes are not properly escaped
1444494 - Expose container projects and template parms in service model
1444875 - [SDN][EC2] - singular in downloaded files and subjects
1445318 - [RFE] CFME 4.1 EMS Refresh should be targeted for folder create, as opposed to a full EMS Refresh
1445356 - [RFE] Edit action is not been supported for VMS resources.
1445383 - After reintroducing a failed primary node, there are old replication slots left on the "new" node
1445806 - Getting undefined method `get_folder_paths' after applying RHSA-2017:0898
1445901 - Error in re-configuring service: "Error during 'Provisioning': undefined method `match' for 0:Fixnum Did you mean? catch"
1445902 - [NoMethodError]: undefined method `merge!' for nil:NilClass encountered for OpenShift full refresh
1446305 - Reintroducing a standby node that has already be reintroduced causes failure
1446773 - Change Cluser/Deployment Roles to Resource Pools on cluster summary page
1446787 - Month selection arrows for C&U Gap collection are hidden in the UI
1446791 - incorrect href attribute values for Foreman providers
1447091 - Service Catalogs: Dialogs are hanging and keeps buffering
1448046 - UI lag due to more than 3650 messages in notification
1448073 - [vSphere] UI-RBAC: undefined method `all' for nil:NilClass error appears while setting ownership for template
1448140 - IPv6 addresses not selectable field for reports
1448142 - IPv6 addresses not rendered on details page
1448148 - Containers - old archived container entities are not purged
1448418 - Default dynamic text boxes should be blank
1448421 - Default value of dynamic dropdown list not honored CloudForms 4.2
1448530 - [RFE] ReFS FileSystem Support
1448538 - redhat_CustomizeRequest Provisioning Type: does not match, skipping processing
1448870 - [Regression] storage.perf_capture ERROR
1448872 - vmware_CustomizeRequest Provisioning Type: ManageIQ::Providers::Vmware::InfraManager::Provision does not match, skipping processing
1449389 - It is impossible to identify the source process/appliance for each connection in pg_stat_activity
1449392 - Benchmark timings are incorrect for all workers in evm.log
1449394 - Action button for verifying replication subscriptions on the far right is to small
1449396 - In my settings page at login Configuration management shouldn't be in Infrastructure
1449397 - error when creating a group + setting the tag in create
1449398 - Chargeback Report VM identification (UUID)
1449403 - GCE Boot Disk Size options should be sorted by actual size
1449753 - retirement runs in any zone as of 5.7.1
1450084 - Failed to remove interface from router
1450086 - Network Topology does not show Cloud Routers
1450088 - Cloud Router Summary does not show subnets which connected it
1450150 - CFME: Dialog for creating cloud volumes does not filter cloud tenants CVE-2017-7497
1450217 - The credentials for Automate Git Repository wasn't updating the correct authentications type
1450421 - service dialog dynamic code works in admin portal but not in self-service portal
1450508 - Create the .pgpass and print required conf for standby on primary database servers
1450511 - [RFE] Make the process of reintroducing a failed HA node more user-friendly
1450512 - In new db master node, pg_xlog directory got fulled
1450514 - SSA Fails in Windows workloads but not in Linux ones on OSP9
1450519 - Openstack services missing on node page
1450525 - Cannot select placement for Cloud Volumes (openstack cinder storage provider) and this volumes are created in different tenants during provisioning of the instance.
1450526 - MiqVimBrokerWorker exceeding memory after upgrading from 5.6 -> 5.7
1451396 - CFME 5.7.2.1 does not support group/tag access restrictions for performance reports
1451827 - Existing or Newly created service added to parent service via REST API or from automation is not visible in UI
1452172 - When adding Disk with reconfiguration on vmware, after 16th Disk, a new controller is created hardcoded to Parallel Type
1452227 - [RFE] Azure managed images not discovered
1452350 - customers unable to access CFME thru UI due to chronic unpredictable termination of httpd service
1452363 - Raw methods exposed for Cloud Tenant instead of non-raw
1452383 - Calendar control on Cluster Utilization page gets clipped
1452764 - reports do not distinguish between same name custom attributes with different sections
1452824 - [Microsoft]Auto_placement provision fails due to selecting Host in Maintenance state
1454383 - Unable to collect inventory for 40,000 container images, results in kubeclient timeout
1454442 - Tag Information Not Displayed on Catalog Items
1454443 - Resetting planning results in flash msg twice
1454446 - Containers with empty "imageID" field points to wrong images
1454618 - Forbidden Error when creating a cloud network
1455302 - Can not get kernel version from reports
1455600 - For OSP10 provider, Cinder volume creation is never finishing on the UI
1455670 - Service catalog service dialog refresh function in cf 4.2 behaves differently from cf 4.0
1455686 - Azure provision still needs First/Last name
1455933 - incorrect href keys for service and automation requests accessed through /api/requests
1456021 - Cloudforms causes a Token Storm on OSP10 overcloud
1457911 - Schedule Time value is reset during editing provisioning request
1457924 - Remove policy checking for request_host_vmotion_enabled event
1458810 - Failed while launching imported report based on Chargeback for Projects via REST API.
1458811 - Archived container entities are not destroyed when the provider is deleted
1459180 - Cannot filter report with custom attributes
1459307 - Retirement - log the zone when raising a retirement event.
1459319 - Azure refresh results in timeout errors
1459563 - Incorrect storage used in Chargeback reports
1460979 - Tag Visibility | Access Controll: All users, groups, and tenants are visible for restricted user
1461170 - Valid SCVMM file share not showing up as datastore on host.
1461540 - ManageIQ icon on SUI order page
1461886 - Allow identify replicated interfaces on HA environments
1463669 - Missing Memory graphs on Azure Availability zone Utilization page for daily interval
6. Package List:
CloudForms Management Engine 5.7:
Source:
cfme-5.7.3.2-1.el7cf.src.rpm
cfme-appliance-5.7.3.2-1.el7cf.src.rpm
cfme-gemset-5.7.3.2-1.el7cf.src.rpm
rh-ruby23-rubygem-nokogiri-1.7.2-1.el7cf.src.rpm
rh-ruby23-rubygem-ovirt-engine-sdk4-4.1.5-1.el7cf.src.rpm

noarch:
rh-ruby23-rubygem-ovirt-engine-sdk4-doc-4.1.5-1.el7cf.noarch.rpm

x86_64:
cfme-5.7.3.2-1.el7cf.x86_64.rpm
cfme-appliance-5.7.3.2-1.el7cf.x86_64.rpm
cfme-appliance-debuginfo-5.7.3.2-1.el7cf.x86_64.rpm
cfme-debuginfo-5.7.3.2-1.el7cf.x86_64.rpm
cfme-gemset-5.7.3.2-1.el7cf.x86_64.rpm
rh-ruby23-rubygem-nokogiri-1.7.2-1.el7cf.x86_64.rpm
rh-ruby23-rubygem-nokogiri-debuginfo-1.7.2-1.el7cf.x86_64.rpm
rh-ruby23-rubygem-nokogiri-doc-1.7.2-1.el7cf.x86_64.rpm
rh-ruby23-rubygem-ovirt-engine-sdk4-4.1.5-1.el7cf.x86_64.rpm
rh-ruby23-rubygem-ovirt-engine-sdk4-debuginfo-4.1.5-1.el7cf.x86_64.rpm
These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/
7. References:
https://access.redhat.com/security/cve/CVE-2016-4457
https://access.redhat.com/security/cve/CVE-2016-7047
https://access.redhat.com/security/cve/CVE-2017-7497
https://access.redhat.com/security/updates/classification/#important
8. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2017 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iD8DBQFZU826XlSAg2UNWIIRAgXrAJ9HCjbP80gzOppkmtahL7vQekt/MACfSq36
qFYw6SbKJhE/X8Puz55sPCU=
=klqZ
-----END PGP SIGNATURE-----

--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce