-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 ==================================================================== Red Hat Security Advisory Synopsis: Important: CloudForms 4.6.4 security, bug fix, and enhancement update Advisory ID: RHSA-2018:2561-01 Product: Red Hat CloudForms Advisory URL: https://access.redhat.com/errata/RHSA-2018:2561 Issue date: 2018-09-04 Cross references: RHSA-2018:34177 CVE Names: CVE-2018-3760 CVE-2018-10905 ==================================================================== 1. Summary: An update is now available for CloudForms Management Engine 5.9. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. 2. Relevant releases/architectures: CloudForms Management Engine 5.9 - noarch, x86_64 3. Description: Red Hat CloudForms Management Engine delivers the insight, control, and automation needed to address the challenges of managing virtual environments. CloudForms Management Engine is built on Ruby on Rails, a model-view-controller (MVC) framework for web application development. Action Pack implements the controller and the view components. Security Fix(es): * cfme: Improper access control in dRuby allows local users to execute arbitrary commands as root (CVE-2018-10905) * rubygem-sprockets: Path traversal in forbidden_request?() can allow remote attackers to read arbitrary files (CVE-2018-3760) For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section. Red Hat would like to thank Stephen Gappinger (American Express) for reporting CVE-2018-10905. Additional Changes: This update fixes various bugs and adds enhancements. Documentation for these changes is available from the Release Notes document. 4. Solution: Before applying this update, make sure all previously released errata relevant to your system have been applied. For details on how to apply this update, refer to: https://access.redhat.com/articles/11258 5. Bugs fixed (https://bugzilla.redhat.com/): 1565259 - Requests originating from the API contain no 'userid' attribute in $evm.root 1588527 - Service dialog text, dialog element and button layout/spacing is incorrect in CloudForms 4.6 1591494 - [RFE] Add configuratble vhost to AMQP monitor 1591495 - Tag Expression form:The newly added category does't appear in expression form 1591496 - Expression methods can not access Flavor tags 1591497 - VMware Add Provider can validate VMRC Console credentials successfully for non-existing User 1593058 - CVE-2018-3760 rubygem-sprockets: Path traversal in forbidden_request?() can allow remote attackers to read arbitrary files 1595416 - User that calls refresh automation domain from git branch is not correct user in UI 1595445 - Copying a method does not copy embedded methods that have been added 1595447 - Satellite credential validation times out with no error message 1595448 - Can't access new flavor page when accessed from cloud provider 1595450 - Quadicons in tagging screens should not be clickable 1595451 - task id not included on automation.log when logging from methods 1595454 - Disabling "Dashboard" under service UI for a role does not actually disable the dashboard 1595456 - Wrong Platform Attribute for OpenStack Provisioned Instance Showing Windows instead of Linux 1595461 - During metrics collection for a VMWare provider, SOAP exception occurs during queryAvailablePerfMetric for non-existent VM 1595776 - Dialogs should only run once 1598528 - [RFE] Automate - Expose max_retries override at instance level 1598532 - Generic objects class accordion is not display when locale is french 1598873 - Adding an Ansible Playbook button does not work correctly with Firefox (for Mac) 1599350 - Unable to access tower job .normalized_live_status because "wrong constant name ::Dev::Xvda" 1599353 - CloudForms : Wrong heading message while accessing Cloud Networks 1600191 - 502 Proxy Error 1600670 - Service Bundle retirement: retire_ now not implemented in subclass 1600738 - refresh methods stop being called after working for several days in the self service version of dialogs 1601587 - self service dynamic dialog droplist glitch 1601589 - Service Provision is Failing Because Last Auth Check Failed for Azure Provider 1602190 - CVE-2018-10905 cfme: Improper access control in dRuby allows local users to execute arbitrary commands as root 1603022 - 404 error accessing OpenStack console 1603029 - required field blocks validation of a dialog after automation method called 1603031 - A custom button doesn't work on a service which has no parent catalog item associated with it. 1603058 - AD authentication failing cross region. 1603210 - Timepicker doesn't pass correct timing on service order 1607441 - Internal Server Error during filtering by flavor name in API 1608844 - after removing a zone, messages related to the zone linger in the database 1610055 - [RFE] CFME 5.9.4 - support ssh transport method 1610425 - Source and target network become zero after moving host to maintenance and activating it 1610685 - Service Dialog CheckBox has null value when not ticked by default 1611002 - SCVMM smartstate fails with undefined method `close' for nil:NilClass 1611660 - 'Refresh' button moves over the line when window is resized 1612062 - unable to view validation or cancelation buttons in dynamic dialogs tied to a Service button 1612856 - Browser title in reads "translation missing ..." in Portuguese 1612889 - [RFE] chargeback rates assigned to tags via multiple tag category assignations do not seem to get saved 1613295 - Report based on Chargeback for project fails with ERROR -- : [TypeError]: no implicit conversion from nil to integer Method:[block in method_missing] 1613387 - Tenant admins is not able to see newly created users 1613757 - OSP provider refresh fail 1615633 - Edit tag: Cannot select second tag to items 1618219 - Remove resources field behaves erratic 6. Package List: CloudForms Management Engine 5.9: Source: cfme-5.9.4.7-1.el7cf.src.rpm cfme-amazon-smartstate-5.9.4.7-1.el7cf.src.rpm cfme-appliance-5.9.4.7-1.el7cf.src.rpm cfme-gemset-5.9.4.7-1.el7cf.src.rpm rh-postgresql95-postgresql-pglogical-2.1.0-4.el7cf.src.rpm rh-ruby23-rubygem-redhat_access_cfme-2.0.3-1.el7cf.src.rpm noarch: rh-ruby23-rubygem-redhat_access_cfme-2.0.3-1.el7cf.noarch.rpm rh-ruby23-rubygem-redhat_access_cfme-doc-2.0.3-1.el7cf.noarch.rpm x86_64: cfme-5.9.4.7-1.el7cf.x86_64.rpm cfme-amazon-smartstate-5.9.4.7-1.el7cf.x86_64.rpm cfme-appliance-5.9.4.7-1.el7cf.x86_64.rpm cfme-appliance-common-5.9.4.7-1.el7cf.x86_64.rpm cfme-appliance-debuginfo-5.9.4.7-1.el7cf.x86_64.rpm cfme-appliance-tools-5.9.4.7-1.el7cf.x86_64.rpm cfme-debuginfo-5.9.4.7-1.el7cf.x86_64.rpm cfme-gemset-5.9.4.7-1.el7cf.x86_64.rpm cfme-gemset-debuginfo-5.9.4.7-1.el7cf.x86_64.rpm rh-postgresql95-postgresql-pglogical-2.1.0-4.el7cf.x86_64.rpm rh-postgresql95-postgresql-pglogical-debuginfo-2.1.0-4.el7cf.x86_64.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/ 7. References: https://access.redhat.com/security/cve/CVE-2018-3760 https://access.redhat.com/security/cve/CVE-2018-10905 https://access.redhat.com/security/updates/classification/#important 8. Contact: The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/ Copyright 2018 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIVAwUBW47IZtzjgjWX9erEAQhuaBAAjcYrhESmgh3/OFH4t1rAQ/sYcuRYhopZ 0hmLtNhpyHlTx/VAqpkIS1a69uRlyeOc8/PfUh9zA7LZYRePRGA5/rMmsvyhoqV0 MDRsNMPU+sbSs8vLrvul+mAsTGkdHFAMXDB7Hay3gOntiCGU6vBX/AxfKRYkJjjU RJvPIoos2auq+k2PXSOiKoQMzKWqgqQcvBdfZHhjqBxDD8xN+zKElUFbztHSUPS3 3CGw7jRrJAqjO4FmN62SNPWRxBGnw8Lzzj2N3gDd4IyxEd0EWjenaGfE4ZHY/yfF TnQ5N3jhsw5Z5q3RuvXKfNl6Ke7bChWUQNZjoA+v4vKDUxL2y8EEQ2ZkLS8icUgR ZzpCLeB8bPoNcWFv1BjEllfIA9bUZ7e7x7/ur5aykOOicsPJnGGFEZhCIYUzbe9b 7kdXKQIsfu+ru01GoIKY9dXLhWg/h1Q/lBRwh05qDHD0a6iyGV2RpQMvSbsTrJSq Yjr7il+HBfgW2lFDzJFtO9kSWiRrsrgwY3C6rzLG6oJcu2hzV9APu5y21GxF8Qq0 7q20a9bUMxptcmRFqhqVj1K8rE+NKom0dKFhsihc97l/iKP9wo1fYFNDHfk8rVjL MhH++1KHoLGIDxsU4ZF0fhSs82XG1TtXIbUYPe5dcjtnNoZBy9xwCdyttopOn2TY D3HNNisehaA=0QPa -----END PGP SIGNATURE----- -- RHSA-announce mailing list RHSA-announce@redhat.com https://www.redhat.com/mailman/listinfo/rhsa-announce