-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
Red Hat Security Advisory

Synopsis: Important: Red Hat CloudForms security, bug fix, and enhancement update
Advisory ID: RHSA-2017:3484-01
Product: Red Hat CloudForms
Advisory URL: https://access.redhat.com/errata/RHSA-2017:3484
Issue date: 2017-12-18
Cross references: RHSA-2017:1601
CVE Names: CVE-2017-2664
=====================================================================



1. Summary:

An update for cfme, cfme-appliance, and cfme-gemset is now available for
CloudForms Management Engine 5.7.

Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

CloudForms Management Engine 5.7 - x86_64



3. Description:

Red Hat CloudForms Management Engine delivers the insight, control, and
automation needed to address the challenges of managing virtual
environments. CloudForms Management Engine is built on Ruby on Rails, a
model-view-controller (MVC) framework for web application development.
Action Pack implements the controller and the view components.

CloudForms Management Engine Appliance.

CloudForms Management Engine Gemset.

Security Fix(es):

* CloudForms lacks RBAC controls on certain methods in the Rails
application portion of CloudForms. An attacker with access could use a
variety of methods within the Rails application portion of CloudForms to
escalate privileges. (CVE-2017-2664)

This issue was discovered by Libor Pichler (Red Hat) and Martin Povolny
(Red Hat).
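The fix class the advisory describes is an authorization gate in front of every controller action. The following is an added illustration, not CloudForms or ManageIQ code: a deny-by-default RBAC check for Rails-style controller actions, written in plain Ruby so it runs without Rails. The role names, feature names and controller actions are hypothetical.

```ruby
# Added example, not CloudForms/ManageIQ code: a deny-by-default RBAC gate for
# Rails-style controller actions, modelled in plain Ruby so it runs without
# Rails. Every action must map to a feature; an unmapped action is refused
# rather than served, the gap the advisory describes for unchecked methods.
class AccessDenied < StandardError; end

# Constructed role -> feature grants; names are hypothetical, a deployment
# would read them from the product's role and feature tables.
ROLE_FEATURES = {
  "viewer"      => %w[vm_show],
  "operator"    => %w[vm_show vm_power],
  "super_admin" => %w[vm_show vm_power rbac_group_edit],
}.freeze

class BaseController
  # Subclasses declare the feature each action requires.
  def self.requires_feature(map)
    (@feature_map ||= {}).merge!(map)
  end
  def self.feature_map; @feature_map || {}; end
  def initialize(role); @role = role; end

  # Stand-in for a Rails before_action: the gate runs before the action.
  def dispatch(action)
    feature = self.class.feature_map[action]
    # Deny by default: no declared feature means the action is unreachable.
    raise AccessDenied, "no feature mapped for #{action}" if feature.nil?
    unless ROLE_FEATURES.fetch(@role, []).include?(feature)
      raise AccessDenied, "#{@role} lacks #{feature}"
    end
    public_send(action)
  end
end

class VmController < BaseController
  requires_feature(show: "vm_show", power_on: "vm_power")
  def show;     "vm details"; end
  def power_on; "powered on"; end
  # Defined but never mapped to a feature: blocked for every role.
  def edit_group_roles; "roles edited"; end
end

# true when the role may run the action, false when the gate rejects it.
def allowed?(role, action)
  VmController.new(role).dispatch(action)
  true
rescue AccessDenied
  false
end
```

The point of the unmapped `edit_group_roles` action is that forgetting to register a check fails closed instead of exposing the method to every authenticated user.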



Additional Changes:

This update also fixes several bugs and adds various enhancements.
Documentation for these changes is available from the Release Notes
document linked to in the References section.



4. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):



1344690 - ActionController::RoutingError in automation simulation tree
1401560 - Missing buttons Graph view, Hybrid view, Table view and missing option Show full screen report
1424267 - selection doesn't move along with added/copied Condition in Control->Explorer->Policies treeview
1429962 - UI: VM "Edit Management Engine Relationship", 'Save' problem malfunctioning
1435393 - CVE-2017-2664 CloudForms: lack of RBAC on various methods in web UI
1440105 - UI: Tasks are using old icons for Task State.
1449404 - IE 11 on windows 7: On topology page entity icons are not displaying properly
1451831 - [Ansible Tower] - Ansible Tower Jobs - relationships table - undefined method when clicking on Service
1457979 - After killing reporting worker, report status still says Running
1458287 - Incorrect padding in Actions and Conditions selection screens
1460149 - [Ansible Tower] - Unexpected error when clicking on successful job
1460656 - WebUI:Tag Visibility - Ansible Tower Job Templates should honor tag visibility
1460696 - HTML in node names of Control/Simulation tree
1460938 - Unexpected error encountered while clicking on "Download PDF" button on Switch page
1462104 - [Amazon EC2] - ManageIQ string in PDF filename of Network provider and in PDF title
1462146 - Access Web Console Cockpit not compatible with Windows VMs
1463265 - Missing id attribute on Cloud->Instance Edit form, Child VM MultiBoxSelect
1465077 - CFME collects C&U metrics even before resource creation
1465079 - report vm and instances field 'Provision.Request : Approved By' does not apply any styling
1465080 - The IP version (network protocol) is not displayed when editing cloud subnets
1465081 - Formatting of Provider summary PDF file generated from provider summary page is very broken
1465082 - [SDN][Tags] - Redirection to Network provider summary page after tag is saved
1465083 - Tag Visibility | Cloud Stack: Tag is not added if stack list opened from provider detail page
1465084 - service now integrations for determining host_name return empty array
1465086 - Hourly metrics_## tables grow filling up the VMDB filesystem when real-time purges fail
1465088 - Service template provisioning requests do not honour quotas
1465090 - "Items" keyword in the dropdown list values of Default Items Per Page in my settings
1465091 - [RFE] External Auth - AD - samba-common-tools and deps missing from appliance.
1465093 - The 'Assigned Filters' setting in the Settings->Access Control->Groups->[group name] only applies to 'Hosts & Clusters', and not the Network providers.
1465415 - Service Retirement not working properly for Orchestration Stacks due to missing zone.
1468593 - Check for blank password in database configuration to avoid postgres errors
1468606 - Azure refresh fails if provider has no orchestration stacks
1468612 - prevent two miq servers from starting
1468613 - Remote VNC/SPICE consoles lack logging when the remote endpoint is inaccessible
1468614 - Not able to retire VM/instance via API unless "Set Retirement Date" feature is checked for role
1468633 - websocket connection leaks causing failed connections
1469297 - Unable to select the Azure region UK South
1469703 - performance issue in openstack collection
1471201 - Replace nodejs010 with node from SCL in appliances
1471202 - Unable to save trusted forest Settings
1471204 - Not possible to refresh automate from GIT using API call
1471315 - Tag with Key 'Name' and a nil Value Breaks Refresh for AWS
1472364 - Productized border at top of page should be red not blue
1472381 - Ansible tower job templates filters are not displayed
1472383 - Deleted labels still show up in CFME after provider refresh
1472384 - Some container resources not cleaned up after removal from Openshift - research
1472806 - <Choose> found as option in drop down service dialogs
1473271 - Raise MiqProvisionError if instance is in error state
1475020 - Drop Down List Dialog does not keep default value for Integer type
1475031 - After applying errata 5.7.3.2 some dialog field default values are missing in the self-service portal
1476270 - Validation Credentials fails for OSP 10 Provider with AD "domain" user
1476279 - OpenStack cloud provider refresh error: Flavor <flavor id> could not be found
1476284 - After Applying ERRATA-RHSA-2017:1601 full refreshes are being triggered frequently
1476296 - Unable to perform power control operations on stack instance when navigated through stack summary page
1476395 - OSP: when validating an account with access to many projects, it checks each, and times out
1477195 - AD with external auth, When doing group lookup for user group SID number is displayed instead of Group name
1477617 - Validation failed: Status is not included in the list
1477722 - Unable to provision against vmware with "multiple parents found" error
1477723 - zones of sub region show up as zones appliances of a central region can move to
1477725 - Search field disappears when user clicks view selector after user input dialog on Compute->Infrastructure->All VMs page
1477727 - Refresh failed for VMware Provider in Cloudforms 4.5
1478368 - User unable to tick the check boxes of the folder while assigning the Alert profile
1479377 - Provisioning to MS SCVMM Uses host.name instead of host.hostname
1479410 - incorrect value used in stock automation wait_for_completion
1480630 - prefetch_below_threshold? failure after AWS upgrade
1481743 - UI: "Unexpected error encountered" when Downloading report in text, csv and pdf format
1481859 - Provisions via Users in multiple groups in tenants in SSUI result in VMs being provisioned to wrong group/tenant
1481862 - Azure inventory collection fails with missing instances for west-india region
1481864 - Datasources Download .txt truncates host-name
1481865 - Unable to provision HyperV networking properly
1481867 - Unable to provision against vmware due to "unknown method xsiType"
1481870 - Quota not using cloud volumes in requested resource calculation.
1482151 - Missing Icon of power state - migrating
1482672 - Workers processing a miq_queue message that exceed the memory threshold aren't given enough time to exit gracefully
1484387 - Setting VM ownership on more than 100 VMs at a time causing server error status 400 bad request
1484541 - Custom button not passing target object to dynamic dialog fields
1484549 - [RFE] Add config option to skip container_images
1487280 - Refresh fails: undefined method `[]' for nil:NilClass in `parse_image_name'
1487289 - [RFE] Include EvmRole-reader as read-only role in the fixtures
1487297 - [RFE] The azure image as built cannot be used in azure.
1487307 - Unable to perform any actions on cloud objects from list view when navigated to cloud tenants
1487321 - Unable to access filter tab while Editing chargeback for projects report
1487323 - Save only used OpenShift images with labels/tags
1487686 - Drop down history toolbar button on Import/Export report page is not needed, should be removed.
1487694 - UI elements not loading and reporting widgets not showing data points
1490434 - Clicking x button in search box doesn't remove the search
1491576 - [Regression] Unable to assign actions to a policy
1492158 - Quota management doesn't work as expected
1492867 - Dashboard shows 2 for "retiring soon" services but clicking on that link shows None
1493700 - HTML5 VNC Remote Console: Remove VNC proxy from the UI
1494189 - vc refreshes are preventing full refreshes
1495971 - setting a dynamic dialog to "required = True" is not saved
1496597 - Setting memory_reserve lower than vm_memory failed
1497522 - Deleted VM is moved to status Orphan, though it should move to Archived.
1497748 - Editing Name of a Category via API breaks Chargeback Assignments
1498095 - Tag/Networks: Cloud Network list is available for restricted user, if Network manager was tagged
1498131 - It allows me to have filter with same name twice when loading global filter
1498232 - [Regression] appliance_console not enabling all required SCAP rules.
1500050 - Cannot add Azure provider to CloudForms 4.2
1500052 - Azure refreshes fail with [NameError]: wrong constant name $default
1500067 - Cloudforms AWS image with Azure provider fails to discover entire environment
1500995 - Unable to initiate VM console in VMware environment with 6.5 VC and ESXi 6.5
1501478 - overwriting reports causes new runs of the report to not show data for some columns
1502739 - Dynamic refresh ignored on Service Dialog elements if clicking submit without clicking out of refresh trigger element first
1505417 - Records with duplicate timestamp in metrics rollup table
1505458 - UI: PDF Download button is missing from the infra provider summary page (it is displayed for cloud providers)
1505468 - Edit tags not working while navigating to instance through provider
1505546 - [EUWE] HTML5 Console Does Not Display From SSUI/OPS UI VMWare
1506626 - compute.instance.exists events
1509420 - Queue workers are frequently querying pg_backend_pid
1517712 - Storage Volume Attach gives Unexpected Error
1521043 - Azure NetworkManager refresh failure with "undefined method `source_address_prefix'" error



6. Package List:

CloudForms Management Engine 5.7:

Source:
cfme-5.7.4.2-1.el7cf.src.rpm
cfme-appliance-5.7.4.2-1.el7cf.src.rpm
cfme-gemset-5.7.4.2-1.el7cf.src.rpm
rh-ruby23-rubygem-nokogiri-1.8.1-2.el7cf.src.rpm

x86_64:
cfme-5.7.4.2-1.el7cf.x86_64.rpm
cfme-appliance-5.7.4.2-1.el7cf.x86_64.rpm
cfme-appliance-debuginfo-5.7.4.2-1.el7cf.x86_64.rpm
cfme-debuginfo-5.7.4.2-1.el7cf.x86_64.rpm
cfme-gemset-5.7.4.2-1.el7cf.x86_64.rpm
rh-ruby23-rubygem-nokogiri-1.8.1-2.el7cf.x86_64.rpm
rh-ruby23-rubygem-nokogiri-debuginfo-1.8.1-2.el7cf.x86_64.rpm
rh-ruby23-rubygem-nokogiri-doc-1.8.1-2.el7cf.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/



7. References:

https://access.redhat.com/security/cve/CVE-2017-2664
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2017 Red Hat, Inc.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iD8DBQFaOCPCXlSAg2UNWIIRAoCOAJ4hDys8f7j0ds8NqSY+dulIXwI1WQCff+ze
bGKOZPFsz5Gnxv0Rm3WWnrM=
=wTln
-----END PGP SIGNATURE-----