-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
=====================================================================
Red Hat Security Advisory
Synopsis: Important: CloudForms 4.5.5 security, bug fix and enhancement update
Advisory ID: RHSA-2018:2745-01
Product: Red Hat CloudForms
Advisory URL: https://access.redhat.com/errata/RHSA-2018:2745
Issue date: 2018-09-26
Cross references: RHSA-2018:1972
CVE Names: CVE-2018-3760 CVE-2018-10905
=====================================================================
1. Summary:
An update is now available for CloudForms Management Engine 5.8.
Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.
2. Relevant releases/architectures:
CloudForms Management Engine 5.8 - x86_64
3. Description:
Red Hat CloudForms Management Engine delivers the insight, control, and
automation needed to address the challenges of managing virtual
environments. CloudForms Management Engine is built on Ruby on Rails, a
model-view-controller (MVC) framework for web application development.
Security Fix(es):
* rubygem-sprockets: Path traversal in forbidden_request?() can allow
remote attackers to read arbitrary files (CVE-2018-3760)
* cfme: Improper access control in dRuby allows local users to execute
arbitrary commands as root (CVE-2018-10905)
For more details about the security issue(s), including the impact, a CVSS
score, and other related information, refer to the CVE page(s) listed in
the References section.
Red Hat would like to thank Stephen Gappinger (American Express) for
reporting CVE-2018-10905.
Additional Changes:
This update fixes various bugs and adds enhancements. Documentation for
these changes is available from the Release Notes document.
4. Solution:
For details on how to apply this update, which includes the changes
described in this advisory, refer to:
https://access.redhat.com/articles/11258
5. Bugs fixed (https://bugzilla.redhat.com/):
1586214 - Notification events are out of order
1590761 - active ansible services are not displaying details on selection
1591443 - [Embedded Ansible] Service Details Page has duplicate tabs
1593058 - CVE-2018-3760 rubygem-sprockets: Path traversal in forbidden_request?() can allow remote attackers to read arbitrary files
1593353 - Can't edit selected router at the Networks -> Network Routers page
1593678 - Chargeback scheduled report for the current month shows double rates and values as compared to previous one
1593798 - Lifecycle VM Provision and Publish VM to Template Unusable/Slow
1593914 - Storage profiles causing refresh to exceed 30+ minutes
1594008 - Provisioning to RHV 4.1 Max Memory Size Needs to be Adjusted as Necessary
1594028 - reports do not generate with timeout errors in logs
1594326 - Must Refresh UI to see Correct Tags of Datastore of vCenter VMware Provider
1594387 - Unable to download largest chargeback report on production
1595457 - Wrong Platform Attribute for OpenStack Provisioned Instance Showing Windows instead of Linux
1595462 - During metrics collection for a VMWare provider, SOAP exception occurs during queryAvailablePerfMetric for non-existent VM
1595771 - OSPD 13 Undercloud - Infrastructure Provider Credential validation Failed
1596336 - [Regression] GCE provider refresh fails in CFME 5.9
1602190 - CVE-2018-10905 cfme: Improper access control in dRuby allows local users to execute arbitrary commands as root
1607442 - Internal Server Error during filtering by flavor name in API
1608849 - after removing a zone, messages related to the zone linger in the database
1613388 - Tenant admins is not able to see newly created users
1613758 - OSP provider refresh fail
1622632 - reports using "group by" on date show a total column per vm instead of showing a total at the end of the report
1623574 - unable to add disk to vm via rest-api vm reconfiguration on vmware [request backport from existing commit]
1625250 - Read Action Forbidden When User Tries to Attach Cloud Volume OpenStack
1626475 - Handle service retirement date in service dialog
1626502 - Database replication stops working
6. Package List:
CloudForms Management Engine 5.8:
Source:
cfme-5.8.5.1-1.el7cf.src.rpm
cfme-appliance-5.8.5.1-1.el7cf.src.rpm
cfme-gemset-5.8.5.1-1.el7cf.src.rpm
rh-postgresql95-postgresql-pglogical-1.2.1-2.el7cf.src.rpm
x86_64:
ansible-tower-server-3.1.8-1.el7at.x86_64.rpm
ansible-tower-setup-3.1.8-1.el7at.x86_64.rpm
cfme-5.8.5.1-1.el7cf.x86_64.rpm
cfme-appliance-5.8.5.1-1.el7cf.x86_64.rpm
cfme-appliance-debuginfo-5.8.5.1-1.el7cf.x86_64.rpm
cfme-debuginfo-5.8.5.1-1.el7cf.x86_64.rpm
cfme-gemset-5.8.5.1-1.el7cf.x86_64.rpm
rh-postgresql95-postgresql-pglogical-1.2.1-2.el7cf.x86_64.rpm
rh-postgresql95-postgresql-pglogical-debuginfo-1.2.1-2.el7cf.x86_64.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/
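An added example, not part of this advisory and not Red Hat tooling: a small audit script that takes the fixed-in package versions from the Package List above and compares them against the output of `rpm -qa --qf '%{NAME} %{VERSION}-%{RELEASE}\n'` captured on a CloudForms 5.8 appliance, so an operator can tell from a saved inventory whether the errata packages are still below the fixed build. Version ordering follows RPM's segment rules (numeric segments compare as integers, so 5.8.10 is newer than 5.8.5) rather than plain string comparison; tilde and caret pre-release markers are not handled. The installed versions in SAMPLE_RPM_QA are constructed for the demonstration and are not real appliance data; python3 is assumed to be available on the host where the captured output is examined.

```python
import re
import sys
from typing import List, Tuple

# Fixed-in name/version-release pairs, copied from section 6 of RHSA-2018:2745
# (CloudForms Management Engine 5.8, x86_64). Epoch is 0 for all of them.
FIXED_EVRS = {
    "cfme": "5.8.5.1-1.el7cf",
    "cfme-appliance": "5.8.5.1-1.el7cf",
    "cfme-gemset": "5.8.5.1-1.el7cf",
    "rh-postgresql95-postgresql-pglogical": "1.2.1-2.el7cf",
    "ansible-tower-server": "3.1.8-1.el7at",
    "ansible-tower-setup": "3.1.8-1.el7at",
}

# Constructed sample of `rpm -qa --qf '%{NAME} %{VERSION}-%{RELEASE}\n'` output:
# three cfme packages at a hypothetical earlier build, two already at the fixed
# build, and one package that the advisory does not cover.
SAMPLE_RPM_QA = """\
cfme 5.8.4.2-1.el7cf
cfme-appliance 5.8.4.2-1.el7cf
cfme-gemset 5.8.4.2-1.el7cf
rh-postgresql95-postgresql-pglogical 1.2.1-2.el7cf
ansible-tower-server 3.1.8-1.el7at
bash 4.2.46-31.el7
"""


def rpmvercmp(a: str, b: str) -> int:
    """Compare one RPM version or release string with another the way rpm does:
    split into runs of digits and runs of letters, compare numeric runs as
    integers and alpha runs lexically, a numeric run beats an alpha run, and
    the string with segments left over is newer. Returns -1, 0 or 1."""
    seg_a = re.findall(r"\d+|[A-Za-z]+", a)
    seg_b = re.findall(r"\d+|[A-Za-z]+", b)
    for x, y in zip(seg_a, seg_b):
        x_num, y_num = x.isdigit(), y.isdigit()
        if x_num and y_num:
            xi, yi = int(x), int(y)
            if xi != yi:
                return -1 if xi < yi else 1
        elif x_num != y_num:
            return 1 if x_num else -1
        elif x != y:
            return -1 if x < y else 1
    if len(seg_a) != len(seg_b):
        return -1 if len(seg_a) < len(seg_b) else 1
    return 0


def parse_evr(evr: str) -> Tuple[int, str, str]:
    """Split '[epoch:]version-release' into (epoch, version, release)."""
    epoch = 0
    if ":" in evr:
        epoch_str, evr = evr.split(":", 1)
        epoch = int(epoch_str)
    if "-" in evr:
        version, release = evr.rsplit("-", 1)
    else:
        version, release = evr, ""
    return epoch, version, release


def evrcmp(a: str, b: str) -> int:
    """Order two EVR strings: epoch first, then version, then release."""
    ea, va, ra = parse_evr(a)
    eb, vb, rb = parse_evr(b)
    if ea != eb:
        return -1 if ea < eb else 1
    result = rpmvercmp(va, vb)
    if result:
        return result
    return rpmvercmp(ra, rb)


def audit(rpm_qa_output: str) -> List[Tuple[str, str, str]]:
    """Return (name, installed_evr, fixed_evr) for every advisory package that
    is installed at a version-release older than the one in this errata."""
    outdated = []
    for line in rpm_qa_output.splitlines():
        if not line.strip():
            continue
        name, installed = line.split(None, 1)
        fixed = FIXED_EVRS.get(name)
        if fixed is not None and evrcmp(installed.strip(), fixed) < 0:
            outdated.append((name, installed.strip(), fixed))
    return outdated


if __name__ == "__main__":
    # Pass captured rpm output on stdin, or run without input to use the sample.
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_RPM_QA
    findings = audit(data)
    for name, installed, fixed in findings:
        print(f"{name}: installed {installed}, fixed in {fixed}")
    sys.exit(1 if findings else 0)
```

The script exits non-zero when any listed package is below the fixed build, so it can be dropped into a fleet check; it reports on package versions only and does not replace signature verification of the RPMs themselves with `rpm -K` against the Red Hat key referenced above.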
7. References:
https://access.redhat.com/security/cve/CVE-2018-3760
https://access.redhat.com/security/cve/CVE-2018-10905
https://access.redhat.com/security/updates/classification/#important
https://access.redhat.com/documentation/en-us/red_hat_cloudforms/4.5/html/release_notes
8. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2018 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQIVAwUBW6vR69zjgjWX9erEAQh4uQ/9EBJ46+R4EHl/2/592uYDOJz4SLNMp8Uj
ReDTCdRaaS+PaXnE9OD+5toXCy2xr8CKHiJ5HGRrPDdb2B/wskBz2bGDBcx7t1TA
EYcJS5EClC+xK7RyTpOt6rAgfv3No8I9zql6aPMVQn6e20uRY8KPUEXTbTL7wS3m
x2n3IKurtxwQjFVwy7bGR03w98zPsgN4Hn0REQtSklXsNb+FXD4oohtNciktFuF1
vmwYtHdch7XRmZeNhZ+zJhbrJM8CgcAyo5ZbMQLTFsDXuiqYOpeCR2d1LFoyIuIj
aCDB+yRfFX7DE4/fpK3sHzpVmLfkeUZc4mKKZHp0wjhmnTLPQaX3GXvHvKzaR1wv
5SMfVsSBNva1dcW+s/nX495KwEn/7ex3F713ehcUZZPzBVmjUMN8V8upaeFmWw0+
qyVMbwaUQCOd9zVeib8AG/dzmqOP2kSR24l7L4FPwUqXAStTiIGKaStXfrZJBDO4
+//UrhcUGHULMoCajCy4c8U71epLKP4OtIC0ZJIrexopK8VN0Hhie6xVYX6StUP7
/MXmNuBoBziBi00n+ADFQxODtXdBG/+lNj2CiP4bxikgJlBZllqPUdDUI6Uj+Evz
jxDDHSeqA/uQnB/2KpikHTPxRWzeHJobYVVTaJU9LJb78IU1C1te2ox2CSiutRP7
Ys9PGCpTKdo=
=//5m
-----END PGP SIGNATURE-----
-- 
RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce