Security: Multiple issues in Red Hat Cloud Forms
Name: Multiple issues in Red Hat Cloud Forms
ID: RHSA-2017:1758-01
Distribution: Red Hat
Platforms: Red Hat CloudForms
Date: Wed, 2 August 2017, 22:39
References: https://access.redhat.com/security/cve/CVE-2016-7047
Applications: Red Hat Cloud Forms



Red Hat Security Advisory

Synopsis: Important: Red Hat CloudForms security, bug fix, and
enhancement update
Advisory ID: RHSA-2017:1758-01
Product: Red Hat CloudForms
Advisory URL: https://access.redhat.com/errata/RHSA-2017:1758
Issue date: 2017-08-02
Cross references: RHSA-2017:1367
CVE Names: CVE-2016-7047 CVE-2017-2664 CVE-2017-7497

1. Summary:

An update is now available for CloudForms Management Engine 5.8.

Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

CloudForms Management Engine 5.8 - noarch, x86_64

3. Description:

Ansible is a simple model-driven configuration management, multi-node
deployment, and remote-task execution system. Ansible works over SSH and
does not require any software or daemons to be installed on remote nodes.
Extension modules can be written in any language and are transferred to
managed machines automatically.

Red Hat CloudForms Management Engine delivers the insight, control, and
automation needed to address the challenges of managing virtual
environments. CloudForms Management Engine is built on Ruby on Rails, a
model-view-controller (MVC) framework for web application development.
Action Pack implements the controller and the view components.

The following packages have been upgraded to a later upstream version:
ansible (, ansible-tower (3.1.3), cfme (, cfme-appliance
(, cfme-gemset (, rh-ruby23-rubygem-nokogiri (1.7.2).
(BZ#1456017, BZ#1459318)

Security Fix(es):

* CloudForms lacks RBAC controls on certain methods in the rails
application portion of CloudForms. An attacker with access could use a
variety of methods within the rails applications portion of CloudForms to
escalate privileges. (CVE-2017-2664)

* It was found that a privilege check is missing when arbitrary methods are
invoked through VM filter expressions that MiqExpression executes, and that
this is triggerable by API users. An attacker could use this to execute
actions they should not be allowed to (e.g. destroying VMs). (CVE-2017-7530)

* The dialog for creating cloud volumes (cinder provider) in CloudForms
does not filter cloud tenants by user. An attacker with the ability to
create storage volumes could use this to create storage volumes for any
other tenant. (CVE-2017-7497)

* A flaw was found in the CloudForms API. A user with permissions to use
the MiqReportResults capability within the API could potentially view data
from other tenants or groups to which they should not have access.
(CVE-2016-7047)
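The four fixes above share a root cause: a lookup or a filter expression is evaluated without being bound to the caller's identity (tenant, group, role) or to a fixed set of permitted fields. The plain-Ruby sketch below is an added illustration of the two defensive patterns involved, written for this page; it is not CloudForms or ManageIQ code. Every class and method name in it (Tenant, User, ReportResult, Vm, tenant_choices_for, report_result_for, filter_vms, FILTERABLE_FIELDS) is hypothetical, and the sample records are constructed.

```ruby
# Hypothetical plain-Ruby model (not ManageIQ code) of two authorization
# patterns: (1) derive tenant-scoped data from the caller's identity rather
# than from a caller-supplied tenant id, and (2) evaluate filters only over an
# allowlist of attribute names instead of dispatching caller-supplied method
# names.

Tenant       = Struct.new(:id, :name)
User         = Struct.new(:id, :tenant_id)
ReportResult = Struct.new(:id, :tenant_id, :rows)

# Constructed sample data: two tenants and one report result per tenant.
TENANTS = [Tenant.new(1, "alpha"), Tenant.new(2, "beta")].freeze
REPORT_RESULTS = [
  ReportResult.new(10, 1, [["vm-a", 4]]),
  ReportResult.new(11, 2, [["vm-b", 8]]),
].freeze

class NotAuthorized < StandardError; end

# Weak pattern (the cloud-volume dialog flaw): every tenant is offered as a
# choice, so the caller picks any tenant id it likes.
def tenant_choices_unscoped
  TENANTS
end

# Hardened pattern: the choice list is derived from who the caller is.
def tenant_choices_for(user)
  TENANTS.select { |t| t.id == user.tenant_id }
end

# Hardened report lookup: the id is resolved *within* the caller's tenant, so
# an id that belongs to another tenant behaves exactly like a missing one.
def report_result_for(user, result_id)
  REPORT_RESULTS.find { |r| r.id == result_id && r.tenant_id == user.tenant_id } or
    raise NotAuthorized, "report result #{result_id} is not visible to this user"
end

# A VM-like record with one state-changing method, to show why filter
# evaluation must never dispatch on a caller-supplied method name.
Vm = Struct.new(:name, :power_state, :cpu_count) do
  def destroy!
    @destroyed = true
  end

  def destroyed?
    @destroyed == true
  end
end

# Only these member names may appear in a filter.
FILTERABLE_FIELDS = %w[name power_state cpu_count].freeze

# Weak pattern: the field name is dispatched as a method call.
def filter_vms_unsafe(vms, field, value)
  vms.select { |vm| vm.public_send(field) == value }
end

# Hardened pattern: reject anything outside the allowlist before evaluating,
# and read the value with Struct#[] (declared members only) rather than send.
def filter_vms(vms, field, value)
  unless FILTERABLE_FIELDS.include?(field)
    raise ArgumentError, "field is not filterable: #{field.inspect}"
  end
  vms.select { |vm| vm[field] == value }
end

if $PROGRAM_NAME == __FILE__
  alice = User.new(1, 1)
  p tenant_choices_for(alice).map(&:name)          # ["alpha"]
  p report_result_for(alice, 10).rows              # [["vm-a", 4]]
  vms = [Vm.new("vm-a", "on", 2), Vm.new("vm-b", "off", 4)]
  p filter_vms(vms, "power_state", "on").map(&:name) # ["vm-a"]
end
```

The hardened lookups deliberately return "not found" for a cross-tenant id rather than a distinct "forbidden" answer, so the API does not confirm that the other tenant's object exists. The allowlist check runs before any record is touched, which is what separates a filter language from a general method-invocation channel.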

The CVE-2017-2664 issue was discovered by Libor Pichler (Red Hat) and
Martin Povolny (Red Hat); the CVE-2017-7530 issue was discovered by Tim
Wade (Red Hat); the CVE-2017-7497 issue was discovered by Gellert Kis (Red
Hat); and the CVE-2016-7047 issue was discovered by Simon Lukasik (Red

Additional Changes:

This update also fixes several bugs and adds various enhancements.
Documentation for these changes is available from the Release Notes
document linked to in the References section.

4. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:


5. Bugs fixed (https://bugzilla.redhat.com/):

1374215 - CVE-2016-7047 cfme: API leaks any MiqReportResult
1435393 - CVE-2017-2664 CloudForms: lack of RBAC on various methods in web UI
1438562 - [RFE] External Auth - AD - samba-common-tools and deps missing from
1439309 - Not able to see orders when not enough permission to see catalogs
1441321 - Access (Cockpit and HTML5) are inconsistent between Service and OPS
1444505 - "Collect" button is absent on slave server log collection
1449273 - VM Hostname not displaying when RHV has FQDN
1450082 - Failed to remove interface from router - HA env.
1450087 - Cloud Router Summary does not show subnets which connected it - HA
1450150 - CFME: Dialog for creating cloud volumes does not filter cloud tenants
1450502 - [RFE] Custom Button must be supported at VM level in Service UI
1450518 - Openstack services missing on node page
1454445 - Containers with empty "imageID" field points to wrong images
1455685 - Azure provision still needs First/Last name
1456017 - [RFE] Install latest stable version of Ansible Core on the appliance.
1458333 - Containers - old archived container entities are not purged
1458337 - In my settings page at login Configuration management shouldn't
be in Infrastructure
1458339 - It is impossible to identify the source process/appliance for each
connection in pg_stat_activity
1458341 - reports do not distinguish between same name custom attributes with
different sections
1458356 - [Ansible Embedded] - User not informed about Embedded Ansible role
1458360 - Entering Ansible Repository Incorrectly does not provide feedback
that creation fails
1458363 - [VMWARE]Auto_placement provision fails if best_fit host doesn't
have selected VM Network
1458365 - Can not get kernel version from reports
1458374 - [Azure] - No floating IPs displayed for LBs in Network topology
1458377 - Various network object CRUD forms require better filtering
1458434 - Use $log.log_hashes to filter out sensitive data in Ansible Playbook
1458445 - Extra parameter in call to Job#set_status from
1458447 - GCE Boot Disk Size options should be sorted by actual size
1458448 - Remove specific EVM server from zone
1458454 - [RFE] Add legend to Graph in OpenShift Ad Hoc Metrics
1458892 - The credentials for Automate Git Repository wasn't updating the
correct authentications type
1458896 - infinispinner on attempt to open Alarm/Status Change management
events on Timelines page
1458899 - Deleting object store object redirects me to object store containers
1458900 - Export button is enabled on Custom Reports page
1458919 - Action button for verifying replication subscriptions on the far
right is to small
1458921 - Chargeback Report VM identification (UUID)
1458924 - Web console for AWS is trying to connect on private ip instead public
1458925 - WEB Console defaults to the first IP Address when connecting to
Cockpit with RHV VMs
1458926 - UI blows up while downloading Switch Summary as PDF
1458927 - Tag Group UI | "Save" button gets inactive after switching
between tabs(Host&Cluster, My Company Tag)
1458930 - Topology View for HyperV is missing all relationships
1458934 - Container Explorer Page is not scalable
1458935 - Smart Management | Tag info is not appear on container detail page
after edit
1458943 - [SDN] - no Instance details in Floating IPs table for LB IPs
1458945 - Middleware Manager Deployments Download .pdf contains duplicate .war
1458946 - customers unable to access CFME thru UI due to chronic unpredictable
termination of httpd service
1458947 - get-inventory.ps is returning SCVMM internal temporary templates in
addition to actual templates
1458951 - Host targeted refresh fails when using sdk (v4)
1459217 - [RFE] Azure managed images not discovered
1459225 - Check for blank password in database configuration to avoid postgres
1459227 - Benchmark timings are incorrect for all workers in evm.log
1459235 - SSA Fails in Windows workloads but not in Linux ones on OSP9
1459243 - Message 'Cannot edit VM. Physical Memory Guaranteed cannot exceed
Memory Size' is logged as INFO in automation.log
1459247 - MIQ LDAP - Certain users with special attributes can't log in to
services UI.
1459257 - Auth - MIQLDAP - FreeIPA - Can't switch groups in SSUI
1459258 - AWS S3 deleting object store object(folder) that has another objects
in it does nothing
1459261 - vmreconfigure allows circumvention of quota and approval mechanisms
1459262 - When adding Disk with reconfiguration on vmware, after 16th Disk, a
new controller is created hardcoded to Parallel Type
1459264 - [UI][RHV][VM Reconfigure] Disks section - "Delete Backing"
Yes|No button stuck in the middle.
1459297 - Display notification message when search on Provider Topology page
returns no records
1459306 - Retirement - log the zone when raising a retirement event.
1459318 - Azure refresh results in timeout errors
1459562 - Incorrect storage used in Chargeback reports
1459902 - Show tag info for playbook services
1459903 - No flash message after editing provider settings
1459923 - Error indicator does not display on the OpenStack New Infrastructure
Provider form for the Default tab
1459928 - Raw methods exposed for Cloud Tenant instead of non-raw
1459929 - Unable to collect inventory for 40,000 container images, results in
kubeclient timeout
1459940 - I can't change only volume name when editing gp2 type block
storage volume(EBS)
1459944 - Tag Information Not Displayed on Catalog Items
1459959 - Calendar control on Cluster Utilization page gets clipped
1459962 - Ansible Playbook Service: Cannot update new dialog name and other UI
1459977 - Existing or Newly created service added to parent service via REST
API or from automation is not visible in UI
1459986 - Error message displayed when adding playbook service catalog item to
global region
1459989 - Service dialog is created without extra_vars
1459990 - Ansible playbook : Error when creating new dialog with existing
dialog's name
1459992 - Resetting planning results in flash msg twice
1460000 - backup service fails due to: incremental=>true
1460002 - Unable to change rhevm credentials after upgrade from 5.6 to 5.8
1460004 - Parent tenant displayed in list view when allowed by RBAC
1460023 - containers: information under "Labels" is shown in reverse
alphabetical order (z-a)
1460024 - Create a snapshot of this volume action is missing in Block storage
volume list configuration menu
1460027 - Expose container projects and template parms in service model
1460031 - When provisioning VM, multiple emails with same content are sent
1460032 - Forbidden Error when creating a cloud network
1460033 - Pop-up with usercase occur if press "Edit" button after log
collection via dropbox
1460034 - Failed to create subnet
1460036 - [VMWare][Topology] - wrong title of Clusters and Tags not displayed
1460265 - Tag Group UI | Cannot select single host, checkboxes are missing
1460293 - Custom Button: None credential is always used during Ansible Playbook
Service provisioning
1460294 - Bulk assign_tags does not populate href properly
1460304 - Ansible Repository SCM Credential cannot be cleared after being set
1460307 - [RFE] Allow for deletion of group when users belong to another group
1460308 - Allow identify replicated interfaces on HA environments
1460309 - undefined method `status_ok?' for
#<MiqTask:0x0000001a97daf0> causing post_scaledown_task to fail
1460310 - ContainerImage :registered_on field is wrong
1460316 - Custom button failing to execute
1460318 - Cloudforms causes a Token Storm on OSP10 overcloud
1460334 - RHV Host refresh fail on undefined method `detect' for
1460339 - SmartState required automate server roles enabled on the worker has
SmartProxy role enabled
1460348 - manageiq.api_token failing in playbook when using a multi-appliance
1460349 - After killing reporting worker, report status still says Running
1460356 - Ansible Service Catalog Template Job not honoring provider zone
1460357 - Node Utilisation in Dashboard show more Nodes than avaible
1460359 - Remove policy checking for request_host_vmotion_enabled event
1460366 - Cannot suspend server role in CFME Region menu
1460372 - webadmin: template info is not shown correctly in several fields of
Objects table
1460375 - Refreshing the ansible tower provider page does not load the View
1460380 - Schedule Time value is reset during editing provisioning request
1460382 - Default number of topology items shouldn't be Unlimited
1460383 - HTML5 Console Title Reads as "ManageIQ HTML5 Remote Console"
1460384 - Search and advanced search is missing in Object Store Objects
1460385 - Unable to download aws volumes snapshot summary in PDF format
1460386 - When importing custom variables always "Choose the type of custom
variables to be imported" appears
1460387 - Incorrect padding in Actions and Conditions selection screens
1460394 - Saved Reports getting deleted when deletes all finished reporting
task from All Other Tasks page
1460396 - Failed while launching imported report based on Chargeback for
Projects via REST API.
1460397 - Archived container entities are not destroyed when the provider is
1460736 - ISO domain images are not displayed
1460755 - SSUI shows Manage IQ productization
1460761 - report vm and instances field 'Provision.Request : Approved
By' does not apply any styling
1460776 - [RHOS] Cancelling 'Provision instance' action throws
1460777 - Some inconsistencies in Hosts listnav and Hosts Summary screen
1460781 - Tenants : Reset button not working in Tag Assignment page
1460791 - Unable to edit ansible repository by "Enter" pressing
1460792 - Filters not working properly in config mgmt configured systems
1460802 - Missing "data-id" attribute in Bootstrap select elements
1460803 - Embedded Ansible role does not migrate cleanly to another appliance
1460805 - failure of "Embedded Ansible " fails to install prevents that
from ever installing
1460807 - Access Web Console Cockpit not compatible with Windows VMs
1460808 - service dialog saving elements when switching elements - cancel only
reverts current element
1460809 - [RFE] - Add 'Verbosity' drop down on both Provisioning &
Retirement tabs for Playbook Catalog Items
1461070 - The IP version (network protocol) is not displayed when editing cloud
1461103 - Missing unit on VMDB Utilization page
1461142 - Impossible to graph multiple data-series in Ad-hoc Metrics if they
are on different pages
1461143 - Service Retirement not working properly for Orchestration Stacks due
to missing zone.
1461144 - Use of the new create_service_provision_request method is
inconsistent with other create_*_request methods
1461161 - Log Collection fails via IPv6
1461165 - Cancel button remains disabled in Add interface to router page
1461169 - Valid SCVMM file share not showing up as datastore on host.
1461183 - Service catalog service dialog refresh function in cf 4.2 behaves
differently from cf 4.0
1461456 - Export button for Custom Reports doesn't work
1461460 - [ALL LANG] Compute-Clouds-Tenants has missing translations for menu
and table entries
1461467 - default report with timelines "Operations VMs Powered On/Off for
Last Week" doesn't include instance events
1461475 - 'Restart Guest' is available on Vm without VMTools from
'On' state
1461485 - Editing Infrastructure Providers and Hosts from a list returns to
details screen instead of back to list
1461513 - CloudForms 4.1 Child tenants are allowed to view other child tenants
Service Requests
1461522 - Validation error: ems/core not defined while ContainerGroups in the
"Pending" state
1461535 - Maintenance mode flag not being set on SCVMM hosts.
1461541 - Reports - Number of Nodes per CPU cores - Wrong Name of report
1461558 - OpenShift smartstate errors -unknown access error to pod
management-infra/manageiq-img-scan-7f243: #<Net::HTTPBadRequest:0x00000010422df8>
1461559 - Wrong RHV provider refresh error, when provider is down.
1461593 - subselection in access control role, not bubble up in tree display
1461596 - CloudForms Topology View shows Archived VMs
1461857 - provisioning from pxe fails when using ovirt sdk v4
1461860 - Add RHV provider using a bad hostname do not fail the validation in
1461868 - [SDN][Tags] - Redirection to Network provider summary page page after
tag is saved
1461869 - Tag Visibility | Cloud Stack: Tag is not added if stack list opened
from provider detail page
1461956 - Reports - Number of Nodes per CPU cores - "Name" header
1461958 - it takes 10-20 sec to add column to new report when report is based
on big fields set like Virtual Machines
1461988 - checkboxes on Control Policies->Event Assignments page aren't
1462287 - No spinner when waiting for Cloud Key Pair to save
1462309 - service now integrations for determining host_name return empty array
1462358 - Hourly metrics_## tables grow filling up the VMDB filesystem when
real-time purges fail
1462361 - Openstack infra provider dashboard should not appear for an openstack
infra provider
1462774 - VM provision via restapi fail, if the chosen data store name exist
more than once in CFME.
1462779 - [Ansible Embedded] - Remove ssh keys fields from SCM credentials form
1462801 - Openshift refresh crashes due to template.objects being nil
1462844 - "" As a hawkular endpoint port passes validation, but
prevents provider edit.
1462957 - [Microsoft]Reset option available from Details
1463275 - Add support for v4 of the RHV api in event monitoring
1463321 - Inconsistencies in Access Control for Automation - Ansible feature
1463381 - Replace nodejs010 with node from SCL in appliances
1463668 - Missing Memory graphs on Azure Availability zone Utilization page for
daily interval
1463848 - static ipv6 primary DNS default fails
1464118 - VMRC does NOT work if CFME is accessed with IPv6 Address
1464151 - UI: Showing wrong flash message when "Check Compliance of Last
Known Configuration"
1464153 - Floating IP: Cannot associate or disassociate a port
1464203 - Disk space issues when running upgrade from 5.7 to 5.8
1465448 - CVE-2017-7530 cfme: Execution of arbitrary methods through filter
1466049 - SSUI : No Scroll bar to scroll to the bottom in service catalog page
, Unable to provision service catalogs at the bottom
1466855 - Embedded ansible role fails to re-initialize after webui update
1468272 - Edit tag page doesn't work for filtered items
1468275 - [RFE] Trigger a refresh when adding/editing/deleting anything in CFME
Block Storage(EBS)
1468281 - websocket connection leaks causing failed connections
1468285 - [CFME4.5]Configuring Multi-Region, Single LDAP Authentication,
Synchronized RBAC/Resource.
1468292 - Navigation accordion on Cloud->Instances page fails
1468294 - SSUI : "Error loading Services" when clicked on "My
1468295 - Non-admin users unable to see Catalog Items in SUI
1468296 - Display a warning for large number of objects in the Topology pages
1468336 - Unable to view Reports if a member has a custom Role - indefinite
spinning wheel
1468337 - UI: infinispinner appears In the Report accordion
1468370 - Drop Down List Dialog does not keep default value for Integer type
1468376 - upgrade to CF 4.5 complains about "could not find
nokogiri-1.6.8" during "rake db:migrate"
1468380 - Setting Start Page to Container/Explorer sets to URL to an invalid
1468700 - Azure refresh fails with private_ip_address property not found
1468703 - Azure refresh fails if provider has no orchestration stacks
1468729 - [Regression] Saved reports unavailable under Reports accordion
1469308 - Unable to select the Azure region UK South
1469560 - Collect container metrics is done until time.now instead of until
1469653 - Some container resources not cleaned up after removal from Openshift
- research
1469702 - performance issue in openstack collection
1470179 - the buttons of the html5 console do not work with windows vms
1470773 - [RFE] Buttons assigned to VMs should be available in Self Service UI
1470774 - in the self service portal after a little time displaying a vm, data
changes to garbage data
1470800 - OSP: when validating an account with access to many projects, it
checks each, and times out
1470812 - Validation Credentials fails for OSP 10 Provider with AD
"domain" user
1470847 - Unexpected error encountered while switching maintabs to
configuration manager provider
1471821 - Ansible tower job templates filters are not displayed
1472837 - [Regression] Error while generating Chargeback reports
1472841 - Setting static ipv6 address clears ipv4 address in appliance console.
1472842 - After setting ipv6 to dhcp its not possible to set it back to static
1473336 - Service Requests are not seen by user in Global Region
1473424 - Firewall rules prevent appliance from getting a dynamic IPv6 address
1473787 - Ansible workers not starting
1474504 - Unable to navigate through the service requests due to a template
error on "split"

6. Package List:

CloudForms Management Engine 5.8:




These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from

7. References:


8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2017 Red Hat, Inc.