Red Hat Security Advisory 2016-2839-01 - Red Hat CloudForms Management Engine delivers the insight, control, and automation needed to address the challenges of managing virtual environments. CloudForms Management Engine is built on Ruby on Rails, a model-view-controller framework for web application development. Action Pack implements the controller and the view components. Security Fix: A code injection flaw was found in the way capacity and utilization imported control files are processed. A remote, authenticated attacker with access to the capacity and utilization feature could use this flaw to execute arbitrary code as the user CFME runs as.
d9718f61734342769a0127149f824e770233555d6fa898c9d7302f5fe72a836d
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
=====================================================================
Red Hat Security Advisory
Synopsis: Important: CFME 5.6.3 security, bug fix, and enhancement update
Advisory ID: RHSA-2016:2839-01
Product: Red Hat CloudForms
Advisory URL: https://rhn.redhat.com/errata/RHSA-2016-2839.html
Issue date: 2016-11-30
Cross references: RHSA-2016:25227
CVE Names: CVE-2016-5402
=====================================================================
1. Summary:
An update is now available for Red Hat CloudForms 4.1.
Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.
2. Relevant releases/architectures:
CloudForms Management Engine 5.6 - x86_64
3. Description:
Red Hat CloudForms Management Engine delivers the insight, control, and
automation needed to address the challenges of managing virtual
environments. CloudForms Management Engine is built on Ruby on Rails, a
model-view-controller (MVC) framework for web application development.
Action Pack implements the controller and the view components.
Security Fix(es):
* A code injection flaw was found in the way capacity and utilization
imported control files are processed. A remote, authenticated attacker with
access to the capacity and utilization feature could use this flaw to
execute arbitrary code as the user CFME runs as. (CVE-2016-5402)
This issue was discovered by Simon Lukasik (Red Hat).
Additional Changes:
This update also fixes various bugs and adds several enhancements. Notable
changes include:
Changes to the Automate component:
* This release of CloudForms allows provisioning of a virtual machine
without specifying a host but validating a cluster. CloudForms now
validates if either a host or cluster is selected when provisioning on
VMware. (BZ#1378116)
Changes to the Providers component:
* In the previous version of CloudForms, attempting to open a VNC console
to an instance failed because CloudForms looked the instance up under the
wrong tenant, where it did not exist. This update specifies the correct
tenant when opening a VNC console, and CloudForms now connects successfully
without an error. (BZ#1370207)
Changes to the Provisioning component:
* In the previous version of CloudForms, cloning a VMware template failed
when the target datacenter was nested below multiple folders, because the
placement ID could not be found during an autoplacement VMware provision
request when the datacenter was nested logically under several folders. This
fix always looks up the folder path from the host's datacenter instead of
statically setting a possibly wrong default value, which has resolved the
issue. (BZ#1361174)
Changes to the Replication component:
* In the previous version of CloudForms, subscription validation failed for
replication subscriptions which were successfully saved. This was because
the validation was done directly by the UI which did not have access to
passwords of currently saved subscriptions. The validation would pass when
the user enters the password when initially saving the subscription, but
failed once the subscription needed to be retrieved from the database. This
update has fixed the failing validation on saved replication subscriptions.
(BZ#1378554)
Changes to the vulnerability component:
* A code injection flaw was found in the way capacity and utilization
imported control files are processed. A remote, authenticated attacker with
access to the capacity and utilization feature could use this flaw to
execute arbitrary code as the user CFME runs as. (BZ#1357559)
* In the previous version of CloudForms, trying to save filters in
Subnets/Routers/Security groups/Floating IPs/Network ports raised an
exception. This was caused by missing routes for network resources. This
update adds the missing routes for network resources and the issue has now
been resolved. (BZ#1370573)
* In the previous version of CloudForms, My Filters in datastore was
unclickable and no filters were shown under it. This update enabled My
Filters in datastore and the issue is now resolved. (BZ#1379727)
4. Solution:
For details on how to apply this update, which includes the changes
described in this advisory, refer to:
https://access.redhat.com/articles/11258
5. Bugs fixed (https://bugzilla.redhat.com/):
1346967 - unable to bring VM out of retirement from details page
1346969 - when a user in a child tenant executes create_provision_request the miq_request has the wrong tenant id
1347002 - No flash message displayed for terminate stack instance when navigated through stack summary page
1349413 - The chargeback report gives wrong information
1357559 - CVE-2016-5402 cfme: RCE via Capacity & Utilization feature
1358324 - Error while configure CFME to use IPA
1361174 - VMware-Cloning a template fails when the target datacenter is nested below multiple folders
1362632 - After changing the locale to Japanese or Chinese, title is displayed as "ManageIQ" instead of CFME
1368162 - [Ansible Tower] No flash message when provided bad credentials
1368172 - [Ansible Tower] Sorting in Configured systems table breaks "All Ansible Tower Providers"
1370207 - Cloudforms attempts to connect to the wrong tenant to reach an instance
1370570 - C&U - WEB UI crashes when moving from calendar to daily/hourly selection
1370573 - When trying to save filters in Subnets/Routers/Security groups/Floating IPs/Network ports exception appears
1370576 - Provider summary page has an additional authentication when editing Provider details.
1372768 - UX: Error message too vague when creating new automate domain / namespace / object
1375206 - VirtualDelegate: Fix foreign key for belongs_to
1376145 - default placement folder name in vmware varies depending on localization
1376514 - Advanced search tag type expression missing main object tags in drop down for newer objects
1376516 - EC2 instances IP Addresses are not shown in summary when instance is not in VPC
1376519 - Tag Control fields not working in Self-Service UI
1376521 - Configuration Management icons are barely visible
1376525 - Requested value is always shown as zero in quota exceed messages.
1376526 - EC2 provisioning instance in VPC with EIP error
1377417 - [RFE] OpenSCAP results --> Severity should be differentiated with adequate colors
1377418 - db:migrate failure during upgrade from 3.2 to 4.1
1378116 - [RFE] Cluster selection when deploying a vm on VMWare
1378173 - Copied user doesn't inherit password, but in UI it looks like it did
1378554 - Validation fails for previously saved replication subscriptions
1379692 - Multi-tenancy - not user friendly name of tenant in
1379693 - Nilclass for servicetemplateprovisionrequest_pending method
1379694 - C&U memory graphs are missing for Azure instances
1379697 - Can't retire amazon instance
1379727 - My Filters in datastores are not shown
1379728 - Upgrade to 4.1 fails to start due to widget errors
1380107 - provider fails to validate with IPv6 interface
1380170 - self-service UI allows duplicate items in cart
1381624 - Instance provisioning failure ''The requested availability zone is not available''
1382072 - .missing is missing for Azure events, causing ERROR in the logs
1382074 - Useless scrollbar under left submenu panel after selecting submenu
1382164 - Incorrect hover text for Edit tags button
1382406 - Cannot cancel clone via policy with cancel vcenter task
1382408 - Receiving Azure::Armrest::ApiException during a provider refresh after successfully adding the provider
1382753 - No longer select 'Discovered virtual machine' as a default folder
1382819 - Error When Trying to Create Service Dialog from Heat Orchestration Template
1382826 - Downloaded text report does not contain Instance details
1382834 - Global filters are sometimes saved as regular filters
1382835 - Azure Orchestration template no longer defaults to Default.
1382836 - Cloud Providers authentication not re-validated after save
1382837 - Reordering tenant Automate domains breaks root domain ordering
1382846 - Filters in My Filters set as default filter are missing label (Default)
1382847 - Compliance history is broken for a VM
1383368 - Error IPMI is not available on this Host
1383466 - Update download_template to use RestClient instead of open-uri for Azure
1383469 - Improve performance by skipping asset pipeline resolution for Service nodes
1383470 - Allow the root folder to be the default location for auto placement VMWare provisioning
1383497 - Optimize memory usage by making object in hash reference small
1385156 - Need to translate Compute -> Infra -> Datastores -> [A Datastore] -> Files -> [A file]
1385173 - Key Pairs: wrong quadicon displayed
1386792 - Alerts don't send SNMP traps
1386793 - Button edit dialog title is incorrect
1386794 - There is no "Trap Number" string in the alert details screen
1386797 - Can not generate txt/pdf drift report of SSA
1388984 - Inventory Refresh failing for Container Provider.
1389025 - Traceback during evaluation of alert when duration is not set
1389760 - [RFE] events are not available through the vm object
1389790 - Cannot add or copy alerts
1390697 - Auto-tagging from same label in 2 providers breaks refresh
1390698 - Auto-tagging from name=value and name=VALUE labels breaks refresh
1390724 - External Authentication configuration fails after setting hostname in appliance console
1391710 - Cloud instance does not have relation to service
1391721 - OpenStack identity.authenticate should be filtered by CloudForms
1391764 - ServiceTemplateProvisionTask not honoring provider zone
1391980 - Auto-tagging tag categories can't be used in reports
1392561 - 'Update External Authentication Options' option not available in cfme
1392964 - Some predefined alerts send emails to incorrect recipient
1393061 - Background & custom logo image not showing in http service after upgrading to cfme-5.6.2.1
1395305 - [RFE] Containers should have "My filters" and advanced search same way as other providers
1396665 - VM chargeback cost computed as if VM were used for 24 hours, even though it was used for < 24 hours
1397093 - Cannot Log in with username and "password+OTP TOKEN"
1397095 - ext_auth ipa user group retrieval failed with no error message, even after UI spinner takes long time.
1397516 - when ext_auth configured with ldaps through sssd, groups retrieved as "groupname@domain.com"
1399285 - Changes to class attribute default value are discarded
6. Package List:
CloudForms Management Engine 5.6:
Source:
cfme-5.6.3.3-1.el7cf.src.rpm
cfme-appliance-5.6.3.3-1.el7cf.src.rpm
cfme-gemset-5.6.3.3-1.el7cf.src.rpm
freeipmi-1.5.1-2.el7cf.src.rpm
x86_64:
cfme-5.6.3.3-1.el7cf.x86_64.rpm
cfme-appliance-5.6.3.3-1.el7cf.x86_64.rpm
cfme-appliance-debuginfo-5.6.3.3-1.el7cf.x86_64.rpm
cfme-debuginfo-5.6.3.3-1.el7cf.x86_64.rpm
cfme-gemset-5.6.3.3-1.el7cf.x86_64.rpm
freeipmi-1.5.1-2.el7cf.x86_64.rpm
freeipmi-bmc-watchdog-1.5.1-2.el7cf.x86_64.rpm
freeipmi-debuginfo-1.5.1-2.el7cf.x86_64.rpm
freeipmi-devel-1.5.1-2.el7cf.x86_64.rpm
freeipmi-ipmidetectd-1.5.1-2.el7cf.x86_64.rpm
freeipmi-ipmiseld-1.5.1-2.el7cf.x86_64.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/
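The package list above gives the versions that contain the fix, so the practical check on an appliance is whether every installed package from this list is at or above the listed version-release. Comparing RPM versions by string or by float is a common mistake (5.6.10 sorts below 5.6.3 lexically), so the helper below, which is an added example and not Red Hat or CloudForms code, carries a stand-alone port of rpm's rpmvercmp() and applies it to `rpm -qa` style output. The sample `rpm -qa` lines are constructed for the example (a 5.6.2.1 appliance, a version the advisory itself mentions), not captured from a real system; the package names and fixed versions are copied from section 6. On a live appliance the same comparison is available from the rpm Python bindings as rpm.labelCompare(), and `rpm -K <file>.rpm` checks the GPG signature mentioned above before installation.

```python
"""Check installed CFME packages against the fixed versions in RHSA-2016:2839.
Added example: stand-alone port of rpm's rpmvercmp(), not Red Hat tooling."""

# Fixed x86_64 packages copied from section 6 of the advisory.
FIXED_PACKAGES = [
    "cfme-5.6.3.3-1.el7cf.x86_64.rpm",
    "cfme-appliance-5.6.3.3-1.el7cf.x86_64.rpm",
    "cfme-gemset-5.6.3.3-1.el7cf.x86_64.rpm",
    "freeipmi-1.5.1-2.el7cf.x86_64.rpm",
    "freeipmi-devel-1.5.1-2.el7cf.x86_64.rpm",
]

# Constructed `rpm -qa` output for an unpatched 5.6.2.1 appliance (sample data,
# not from a real system). Default `rpm -qa` output omits the epoch; none of
# the packages in this advisory carry one, and an "E:" prefix is accepted anyway.
SAMPLE_RPM_QA = """\
cfme-5.6.2.1-1.el7cf.x86_64
cfme-appliance-5.6.2.1-1.el7cf.x86_64
cfme-gemset-5.6.2.1-1.el7cf.x86_64
freeipmi-1.5.1-2.el7cf.x86_64
"""


def _alnum(c):
    return c.isascii() and c.isalnum()


def rpmvercmp(a, b):
    """Port of rpm's rpmvercmp(): 1 if a is newer, -1 if b is newer, 0 if equal."""
    if a == b:
        return 0
    i = j = 0
    while i < len(a) or j < len(b):
        # Separators (anything that is not alphanumeric, '~' or '^') are skipped.
        while i < len(a) and not (_alnum(a[i]) or a[i] in "~^"):
            i += 1
        while j < len(b) and not (_alnum(b[j]) or b[j] in "~^"):
            j += 1
        # '~' sorts before everything, including end of string: 1.0~rc1 < 1.0
        if (i < len(a) and a[i] == "~") or (j < len(b) and b[j] == "~"):
            if i >= len(a) or a[i] != "~":
                return 1
            if j >= len(b) or b[j] != "~":
                return -1
            i, j = i + 1, j + 1
            continue
        # '^' sorts after end of string but before anything else: 1.0 < 1.0^git < 1.0.1
        if (i < len(a) and a[i] == "^") or (j < len(b) and b[j] == "^"):
            if i >= len(a):
                return -1
            if j >= len(b):
                return 1
            if a[i] != "^":
                return 1
            if b[j] != "^":
                return -1
            i, j = i + 1, j + 1
            continue
        if i >= len(a) or j >= len(b):
            break
        # Take the next run of digits, or the next run of letters, from each side.
        isnum = a[i].isdigit()
        ai, bj = i, j
        if isnum:
            while i < len(a) and a[i].isdigit():
                i += 1
            while j < len(b) and b[j].isdigit():
                j += 1
        else:
            while i < len(a) and a[i].isalpha():
                i += 1
            while j < len(b) and b[j].isalpha():
                j += 1
        seg_a, seg_b = a[ai:i], b[bj:j]
        if not seg_b:
            # Segment types differ: a numeric segment is newer than an alphabetic one.
            return 1 if isnum else -1
        if isnum:
            # Numeric segments compare as integers: strip leading zeros, longer wins.
            seg_a, seg_b = seg_a.lstrip("0"), seg_b.lstrip("0")
            if len(seg_a) != len(seg_b):
                return 1 if len(seg_a) > len(seg_b) else -1
        if seg_a != seg_b:
            return 1 if seg_a > seg_b else -1
    if i >= len(a) and j >= len(b):
        return 0
    return -1 if i >= len(a) else 1  # whichever side has characters left is newer


def parse_nevra(s):
    """'name-[epoch:]version-release.arch[.rpm]' -> (name, epoch, version, release, arch)."""
    if s.endswith(".rpm"):
        s = s[:-4]
    base, arch = s.rsplit(".", 1)
    name, ver, rel = base.rsplit("-", 2)
    epoch = 0
    if ":" in ver:
        e, ver = ver.split(":", 1)
        epoch = int(e)
    return name, epoch, ver, rel, arch


def evr_cmp(a, b):
    """Compare (epoch, version, release) tuples the way rpm does."""
    if a[0] != b[0]:
        return 1 if a[0] > b[0] else -1
    return rpmvercmp(a[1], b[1]) or rpmvercmp(a[2], b[2])


def check_installed(rpm_qa_output, fixed_packages=FIXED_PACKAGES):
    """Map each fixed package name to 'fixed', 'vulnerable' or 'not installed'."""
    installed = {}
    for line in rpm_qa_output.splitlines():
        if line.strip():
            n, e, v, r, _ = parse_nevra(line.strip())
            installed[n] = (e, v, r)
    result = {}
    for pkg in fixed_packages:
        n, e, v, r, _ = parse_nevra(pkg)
        if n not in installed:
            result[n] = "not installed"
        else:
            result[n] = "fixed" if evr_cmp(installed[n], (e, v, r)) >= 0 else "vulnerable"
    return result


if __name__ == "__main__":
    for name, status in sorted(check_installed(SAMPLE_RPM_QA).items()):
        print(f"{name:20s} {status}")
```

Run it with real data by replacing SAMPLE_RPM_QA with the output of `rpm -qa 'cfme*' 'freeipmi*'` on the appliance; only packages reported as "vulnerable" need the update, and "not installed" packages (debuginfo, devel) are not a finding.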
7. References:
https://access.redhat.com/security/cve/CVE-2016-5402
https://access.redhat.com/security/updates/classification/#important
8. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2016 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iD8DBQFYPzc+XlSAg2UNWIIRAvc7AKCbRWk1IhMospc1buXufp+g4wyRpQCgskW5
sLfh0QMng2HE4SKb9buRE2k=
=2idz
-----END PGP SIGNATURE-----
--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce