
Security: Two problems in CloudForms
Name: Two problems in CloudForms
ID: RHSA-2018:2745-01
Distribution: Red Hat
Platforms: Red Hat CloudForms
Date: Wed, 26 September 2018, 22:55
References: https://access.redhat.com/security/cve/CVE-2018-10905
https://access.redhat.com/security/cve/CVE-2018-3760
Applications: CloudForms

Original message

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
Red Hat Security Advisory

Synopsis: Important: CloudForms 4.5.5 security, bug fix and
enhancement update
Advisory ID: RHSA-2018:2745-01
Product: Red Hat CloudForms
Advisory URL: https://access.redhat.com/errata/RHSA-2018:2745
Issue date: 2018-09-26
Cross references: RHSA-2018:1972
CVE Names: CVE-2018-3760 CVE-2018-10905
=====================================================================

1. Summary:

An update is now available for CloudForms Management Engine 5.8.

Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

CloudForms Management Engine 5.8 - x86_64

3. Description:

Red Hat CloudForms Management Engine delivers the insight, control, and
automation needed to address the challenges of managing virtual
environments. CloudForms Management Engine is built on Ruby on Rails, a
model-view-controller (MVC) framework for web application development.

Security Fix(es):

* rubygem-sprockets: Path traversal in forbidden_request?() can allow
remote attackers to read arbitrary files (CVE-2018-3760)

* cfme: Improper access control in dRuby allows local users to execute
arbitrary commands as root (CVE-2018-10905)
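The first fix concerns path traversal in an asset-serving component. As an added illustration of that vulnerability class (this is not rubygem-sprockets or CloudForms code and does not reproduce the CVE-2018-3760 defect itself), the following Ruby snippet shows the containment check an asset server of this kind has to enforce: a request path is resolved against an assumed asset root `/srv/app/public/assets`, and anything that would land outside that root, whether via `..` segments, an absolute path, percent-encoded separators or a NUL byte, is refused before the filesystem is touched. The root, the `resolve_asset` helper and the sample requests are all constructed for this example.

```ruby
# Added example (not rubygem-sprockets or CloudForms code): a containment
# check for the vulnerability class named in CVE-2018-3760, where a request
# path is resolved against an asset root. Root and inputs are constructed.
require "pathname"

ASSET_ROOT = "/srv/app/public/assets" # assumed asset root for the example

# Decode %XX escapes exactly once, so an encoded "../" is seen by the check.
def percent_decode(str)
  str.gsub(/%([0-9A-Fa-f]{2})/) { $1.hex.chr }
end

# Returns the absolute filesystem path for `request_path` if it stays inside
# `root`, or nil if it would escape (via "..", an absolute path, percent
# encoding or a NUL byte). No filesystem access is performed.
def resolve_asset(root, request_path)
  root_path = Pathname.new(root).expand_path
  decoded   = percent_decode(request_path)
  return nil if decoded.include?("\0")

  # Pathname#join returns the right-hand side unchanged when it is absolute,
  # so "/etc/passwd" ends up outside the root and fails the test below.
  candidate = root_path.join(decoded).expand_path

  # relative_path_from collapses ".." segments; anything still starting with
  # ".." points above the root. A sibling such as "/srv/app/public/assets2"
  # is rejected too, which a plain String#start_with? prefix test would miss.
  rel = candidate.relative_path_from(root_path).to_s
  return nil if rel == ".." || rel.start_with?("../")
  candidate.to_s
rescue ArgumentError
  # expand_path can raise (e.g. an unresolvable "~user" form); not servable.
  nil
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample requests: two legitimate, four attempting to escape.
  [
    "css/app.css",
    "css/../js/app.js",
    "../../../../etc/passwd",
    "%2e%2e%2f%2e%2e%2fetc%2fpasswd",
    "/etc/passwd",
    "../assets2/secret.txt",
  ].each do |req|
    puts "#{req.ljust(32)} -> #{resolve_asset(ASSET_ROOT, req).inspect}"
  end
end
```

The decisive detail is that the check runs on the fully normalised candidate path rather than on the raw request string: rejecting the literal substring `..` is not enough once encoding or sibling-directory prefixes come into play. For the advisory's own fix, apply the updated packages listed in section 6 rather than patching application code.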

For more details about the security issue(s), including the impact, a CVSS
score, and other related information, refer to the CVE page(s) listed in
the References section.

Red Hat would like to thank Stephen Gappinger (American Express) for
reporting CVE-2018-10905.

Additional Changes:

This update fixes various bugs and adds enhancements. Documentation for
these changes is available from the Release Notes document.

4. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1586214 - Notification events are out of order
1590761 - active ansible services are not displaying details on selection
1591443 - [Embedded Ansible] Service Details Page has duplicate tabs
1593058 - CVE-2018-3760 rubygem-sprockets: Path traversal in
forbidden_request?() can allow remote attackers to read arbitrary files
1593353 - Can't edit selected router at the Networks -> Network Routers
page
1593678 - Chargeback scheduled report for the current month shows double rates
and values as compared to previous one
1593798 - Lifecycle VM Provision and Publish VM to Template Unusable/Slow
1593914 - Storage profiles causing refresh to exceed 30+ minutes
1594008 - Provisioning to RHV 4.1 Max Memory Size Needs to be Adjusted as
Necessary
1594028 - reports do not generate with timeout errors in logs
1594326 - Must Refresh UI to see Correct Tags of Datastore of vCenter VMware
Provider
1594387 - Unable to download largest chargeback report on production
1595457 - Wrong Platform Attribute for OpenStack Provisioned Instance Showing
Windows instead of Linux
1595462 - During metrics collection for a VMWare provider, SOAP exception
occurs during queryAvailablePerfMetric for non-existent VM
1595771 - OSPD 13 Undercloud - Infrastructure Provider Credential validation
Failed
1596336 - [Regression] GCE provider refresh fails in CFME 5.9
1602190 - CVE-2018-10905 cfme: Improper access control in dRuby allows local
users to execute arbitrary commands as root
1607442 - Internal Server Error during filtering by flavor name in API
1608849 - after removing a zone, messages related to the zone linger in the
database
1613388 - Tenant admins is not able to see newly created users
1613758 - OSP provider refresh fail
1622632 - reports using "group by" on date show a total column per vm
instead of showing a total at the end of the report
1623574 - unable to add disk to vm via rest-api vm reconfiguration on vmware
[request backport from existing commit]
1625250 - Read Action Forbidden When User Tries to Attach Cloud Volume
OpenStack
1626475 - Handle service retirement date in service dialog
1626502 - Database replication stops working

6. Package List:

CloudForms Management Engine 5.8:

Source:
cfme-5.8.5.1-1.el7cf.src.rpm
cfme-appliance-5.8.5.1-1.el7cf.src.rpm
cfme-gemset-5.8.5.1-1.el7cf.src.rpm
rh-postgresql95-postgresql-pglogical-1.2.1-2.el7cf.src.rpm

x86_64:
ansible-tower-server-3.1.8-1.el7at.x86_64.rpm
ansible-tower-setup-3.1.8-1.el7at.x86_64.rpm
cfme-5.8.5.1-1.el7cf.x86_64.rpm
cfme-appliance-5.8.5.1-1.el7cf.x86_64.rpm
cfme-appliance-debuginfo-5.8.5.1-1.el7cf.x86_64.rpm
cfme-debuginfo-5.8.5.1-1.el7cf.x86_64.rpm
cfme-gemset-5.8.5.1-1.el7cf.x86_64.rpm
rh-postgresql95-postgresql-pglogical-1.2.1-2.el7cf.x86_64.rpm
rh-postgresql95-postgresql-pglogical-debuginfo-1.2.1-2.el7cf.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2018-3760
https://access.redhat.com/security/cve/CVE-2018-10905
https://access.redhat.com/security/updates/classification/#important
https://access.redhat.com/documentation/en-us/red_hat_cloudforms/4.5/html/release_notes

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2018 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
-----END PGP SIGNATURE-----

--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce