-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: cfme, cfme-appliance, and cfme-gemset security,
                   bug fix, and enhancement update
Advisory ID:       RHSA-2017:0898-01
Product:           Red Hat CloudForms
Advisory URL:      https://access.redhat.com/errata/RHSA-2017:0898
Issue date:        2017-04-12
Cross references:  RHSA-2017:0320
CVE Names:         CVE-2017-2653
=====================================================================

1. Summary:

An update for cfme, cfme-appliance, and cfme-gemset is now available for
CloudForms Management Engine 5.7.

Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Relevant releases/architectures:

CloudForms Management Engine 5.7 - x86_64

3. Description:

Red Hat CloudForms Management Engine delivers the insight, control, and
automation needed to address the challenges of managing virtual
environments. CloudForms Management Engine is built on Ruby on Rails, a
model-view-controller (MVC) framework for web application development.
Action Pack implements the controller and the view components.

Security Fix(es):

* A number of unused delete routes are present in CloudForms which can be
accessed via GET requests instead of just POST requests. This could allow an
attacker to bypass the protect_from_forgery XSRF protection causing the
routes to be used. This attack would require additional cross-site scripting
or similar attacks in order to execute. (CVE-2017-2653)

Additional Changes:

This update also fixes several bugs and adds various enhancements.
Documentation for these changes is available from the Technical Notes
document linked to in the References section.

4. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1386342 - [RFE] it's impossible to Provision VMs if VMs view is opened through Providers or Clusters,etc. views
1393438 - Advanced search not displayed in Config mgmt
1395722 - [Config management] - Advanced search not functional
1395866 - New provider input field lengths are inconsistent
1396237 - Middleware - Datasource deletion - More informative message.
1396579 - UI: Task status icons are not aligned properly
1402995 - do not render service start/stop buttons (and status field?) if start and stop actions are missing
1411477 - Heat Template provisioning does not honor Tagging filtering
1414003 - RFE - Azure Orchestration Service Retirement does not delete VMs
1416819 - AWS Region ca-central-1 missing from Cloud Provider configuration
1416827 - In datastore clusters selecting storage cluster does nothing
1416836 - Unexpected error encountered while Viewing Full screen report
1416894 - Duplicate folder names between host & vm/templates causes placement issues
1417757 - CF fails to provider discover RHV4.0
1417762 - Impossible to open a condition from a condition list
1417763 - Snapshot link in vm summary page becomes inactive on deleting a snapshot and viewing its history
1417779 - Clicking on the Policy Event link doesn't take you to the event page
1418066 - ActionController::RoutingError (No route matches [GET] "/client/assets/images/cockpit.png")
1418221 - "ExtManagementSystem" string in Provider policies
1418815 - Wrong provider condition title in the tree
1419603 - Getting undefined method with_interval_and_time_range errors in evm.log
1419694 - Catalog Item Long Descriptions allow the user to override UI styling
1420284 - [CFME] db:migrate warning 'supports_feature_mixin.rb:103: warning: key :terminate is duplicated and overwritten on line 111'
1420442 - Unable to provision VMs to a VLAN with a '/' in the name
1420467 - Containers Topology - second search not working
1421154 - check_provisioned Check orchestration deployed doesn't properly handle rollback_complete
1421158 - control policy events aren't generated for azure instances
1421161 - network manager timelines 404 found
1422647 - Customer concered about memory and elapsed time to generate custom report in global reporting region
1422648 - Impossible to access Cockpit administration tool from Self-Service UI
1422649 - Appliance fails to terminate (ie, kill) worker processes that fail to respond to requested termination.
1422650 - Services with nil service_template will fail while looking up atomic? or composite?
1422651 - UI: Service catalog ordering - spinner disappearing too soon, not in sync with page load
1422652 - Inconsistent alt-text for advanced search buttons
1422653 - Update set_security_group method to accept an array of MIQ objects
1422654 - Node lifecycle: ability to set node manageable from provisioning state enroll
1422975 - Missing links to nested Resource Pools in Resource Pool summary screen
1423032 - Stack template page needs to change the font color
1423470 - Running any rake task gives a warning message before runnning
1424255 - SPICE connections to RHV fill up log with error message
1425492 - Chargeback for Container Images - Default Container Image Rate is editable
1425494 - cannot remove user belonging to group EvmGroup-super_administrator via tree
1425873 - MiqUiWorker fails to start
1426433 - Cannot generate VM base report
1426628 - [Regression]C&U graphs don't get grouped by tags
1426638 - Security groups reflected twice on Cloud tenant page
1426683 - Unable to compute performance rollups for OpenShift
1427168 - unable to bring VM out of retirement from details page
1427169 - Provide CFME/RHV build in qcow format, further to image uploader tool drop for RHV-4.1
1427172 - trying to log in with user admin after timeout on different user will get the UI stuck on login + error on wrong credentials will show in log
1427298 - vCenter DVS network selection after upgrade to CloudForms 4.2 fails
1427299 - Missing form buttons on Catalog Items - Add new Button Group and Buttons
1427321 - "My Company Tags" not loading after login for creating new group
1427520 - User access filtering using tags for clouds networks and floating ip| isnt' working as expected.
1427522 - Cancel edit cloud subnet throw undefined method `empty?' for nil:NilClass
1428079 - Can not display instances on one tenant within OSP in CloudForms
1428122 - Creating or copying a report drops browser session and returns to sign in screen
1428124 - RuntimeError Multiple parents found / in generate_one_content_for_group
1428130 - [RFE] OpenShift Projects report Pods: Deleted On attribute empty
1428131 - limit list of user's roles to for creating a group
1428508 - When invoking a start or stop action on a instance via API, it does not reflected in CloudForms 4 UI however it performed desired action on cloud side.
1428509 - Missing "Reset" option for SCVMM VM from Details
1428512 - all volumes in systems are shown under a pod summary
1428579 - Cannot approve an automation request in a 'Pending Approval' state
1428895 - When filtering datastores the title is "the datastore datastores" which makes no sense
1428897 - Custom Attributes in WebUI Change Order as Created / Updated - Not sorted
1428899 - Copy Chargeback report will not add unless a parameter is changed first
1428900 - [RFE] Container Chargeback - get rate assignment from enterprise
1428903 - disable local login does not work when cfme external auth is configured for IPA
1428904 - Middleware Topology - broken icon for Servers
1429648 - An exception in a worker's sync_workers can cause the server process to exit with fatal error
1429650 - External authentication works when logging into the Admin UI but doesn't work for the same user to get into the Service UI
1429652 - The email validation is no longer accepting upper case characters in the users email address.
1429999 - CHRONYD getting stopped/failed in CFME-4.2 Appliances after 5-10 minutes
1430088 - Network I/O Metrics empty in RHEV
1430089 - Service view VM buttons all click through to first VM
1430439 - Ordering of Saved Chargeback reports needs to be reversed
1430542 - [RFE] Service Dialog drop-down field should support multi-select option
1430835 - CSRF tokens are erroneously being checked for external authentication
1430838 - Services > Catalog Items - services in the tree don't match right side
1430937 - Service Dialog does not save default value for drop down or radio button
1431154 - No flash message after addition of a new policy is cancelled
1431162 - Service Dialog - Element visibility on condition is not working in Self-Service portal
1431163 - [SDN] - Security groups/Floating IPs not displayed in Network Topology View
1431164 - The cleanup process is never started because of bugs in the code
1431165 - "FATAL -- : ActionController::RoutingError (No route matches [POST] "/vm_infra/console/198")" found in production.log file while accessing vm console with MKS plugin
1431166 - Wrong selection of parent for VM in a tree
1431168 - Dashbord and Report information not filtered by Tenancy
1431620 - [Scale][RHV] Inventory refresh fail on timeout, after ~2 minutes.
1431641 - Issue when Azure VM doesn't include offer in.
1431727 - UI: Add new Subnet must be disabled when there is no cloud provider present.
1431808 - RHEV VM Reconfigure: Hot unplug CPU and Hot add memory request succeed, though it should fail on not-supported
1431842 - Service requests show none with "refresh" buttons instead of selected values
1432093 - Removing all folders from an accordion in Report Menu makes the Reports page display error
1432098 - Chargeback by Image cannot assign Rate for Label with special characters
1432174 - CVE-2017-2653 CloudForms: UI security issue on Openstack actions
1432463 - Web UI inaccessible after changing number of UI Workers
1432467 - [Azure] ManageIQ string in downloaded PDF
1432639 - RBAC Search Errors out on Strings
1432957 - AWS flavor list is out of date.
1432960 - Missing AWS Regions
1432961 - Unable to hot add new thin provisioned disk to VM
1432962 - Host Storage Device retrieves more information than necessary
1433069 - [Multi-tenancy, LDAP] - Images not visible to tenant / Instances not visible to tenant after provisioning
1433089 - Error after expanding Button Group in Catalog Items
1433093 - Mixed up values in Low and High operating ranges for C&U graphs
1433094 - Refresh of OSP10 OpenStack/Director undercloud failing
1433366 - Editing an already created schedule for "Container Image compliance" doesn't populate all the existing schedule settings
1433435 - Policy to exclude a VM from analysis shows as false but scanning is still happening
1433486 - Corrected loading record id by selected node
1433500 - Duplicate ContainerImage records with same digest
1433962 - Control Explorer is displayed despite role has restricted access to it
1433974 - Persistent Volumes list grow exponentially upon refresh.
1433976 - List items on Policy profiles page are not clickable
1433979 - Reports fail when selecting a Custom Attribute containing one or more dots
1433980 - VM extend retirement fails
1433981 - Charge back reports are not showing the data
1434012 - Clipped Chart Controls on Dashboard
1434096 - All Endpoints' [Validate] buttons disabled/enabled according to main endpoint fields
1434150 - [Scale] MiqWidget.generate_content at large scale consumes tremendous amount of memory and times - out
1434151 - Services: My Services tree does not show services that are marked as display false.
1434157 - Automate Simulation: The simulation form behaves weird after certain steps
1434158 - Stack trace when running fix_auth
1434160 - Impossible to distinguish Labels and entity attributes in OpenShift Chargeback Reports
1434172 - Azure Cloud provider fail to refresh
1434411 - Undefined Method Error virtual_custom_attribute_name for Chargeback Report OpenShift
1434428 - No payload sent to rhevm4.0 from cfme-5.7.0
1434549 - [RFE] Routers do not allow you to set/clear external network gateway
1435278 - Metrics collections consistently fail when where last collection date/time is weeks to months prior
1436223 - Unable to order service
1436340 - [RFE] Replace Ceilometer event with Panko
1436854 - miq worker in aborted status
1437560 - [RHOS] - changing ownership of image returns error
1438450 - Unable to open Details(Summary) of archived Instance
1438888 - [RFE]: Containers should be added to Service Model
1439308 - Excessive log lines for "Initializing DRb Connection to MiqServer with ID"
1440405 - subselection in access control role, not bubble up in tree display
1440408 - excon gem defaults generate error connecting to OSP

6. Package List:

CloudForms Management Engine 5.7:

Source:
cfme-5.7.2.1-1.el7cf.src.rpm
cfme-appliance-5.7.2.1-1.el7cf.src.rpm
cfme-gemset-5.7.2.1-1.el7cf.src.rpm

x86_64:
cfme-5.7.2.1-1.el7cf.x86_64.rpm
cfme-appliance-5.7.2.1-1.el7cf.x86_64.rpm
cfme-appliance-debuginfo-5.7.2.1-1.el7cf.x86_64.rpm
cfme-debuginfo-5.7.2.1-1.el7cf.x86_64.rpm
cfme-gemset-5.7.2.1-1.el7cf.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2017-2653
https://access.redhat.com/security/updates/classification/#moderate

8. Contact:

The Red Hat security contact is . More contact details at
https://access.redhat.com/security/team/contact/

Copyright 2017 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iD8DBQFY7k8mXlSAg2UNWIIRAhrtAKCLCyWmhin6azU7KxUiNu3tS98tuQCdGv+Y
zqroKok8+NibjKMFSYBFNIo=
=Clsk
-----END PGP SIGNATURE-----

--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce
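Editor's added example for the issue described under Security Fix(es) in section 3 (CVE-2017-2653): Rails' protect_from_forgery only verifies the authenticity token on requests that are not GET or HEAD, so a state-changing action such as a delete route that is also mounted on GET is served with no CSRF check at all. The Ruby script below is not part of the advisory or of the CloudForms/ManageIQ code base; it is a small audit a defender can run over the output of `rails routes` to find destructive actions reachable over GET. The route table, the list of action names treated as destructive, and the simplified model of the forgery check are all assumptions constructed for this example.

```ruby
# Added example (not from the advisory or CloudForms): audit a Rails route
# table for state-changing actions that are reachable over GET/HEAD, i.e.
# without the CSRF token check that protect_from_forgery applies to other
# verbs. The route table and action list below are constructed assumptions.
require 'set'

Route = Struct.new(:prefix, :verb, :path, :controller, :action)

# Action names treated as state-changing for this audit (assumed list;
# tune it to the application under review).
DESTRUCTIVE_ACTIONS = Set.new(%w[delete destroy remove terminate purge]).freeze

# Simplified model of the decision protect_from_forgery makes (not the Rails
# source): GET and HEAD requests are never token-checked; every other verb
# must carry a token equal to the one stored in the session.
def forgery_check_passes?(verb, session_token, submitted_token)
  return true if %w[GET HEAD].include?(verb)
  !session_token.nil? && session_token == submitted_token
end

# One `rails routes` line:  prefix  VERB  /uri/pattern(.:format)  controller#action
# The prefix column is blank for unnamed routes; header lines do not match.
ROUTE_LINE = /\A\s*(?:(?<prefix>\S+)\s+)?
              (?<verb>GET|HEAD|POST|PUT|PATCH|DELETE|OPTIONS)\s+
              (?<path>\S+)\s+
              (?<controller>[^#\s]+)\#(?<action>\S+)\s*\z/x

def parse_routes(text)
  text.each_line.map do |line|
    m = ROUTE_LINE.match(line)
    m && Route.new(m[:prefix], m[:verb], m[:path], m[:controller], m[:action])
  end.compact
end

def destructive?(route)
  DESTRUCTIVE_ACTIONS.include?(route.action) ||
    route.action.start_with?('delete_', 'destroy_', 'remove_')
end

# Destructive routes that a request carrying no token at all would reach.
def unprotected_destructive_routes(routes)
  routes.select { |r| destructive?(r) && forgery_check_passes?(r.verb, nil, nil) }
end

def report(routes)
  unprotected_destructive_routes(routes).map do |r|
    "#{r.verb} #{r.path} -> #{r.controller}##{r.action}: " \
      "reachable without a CSRF token; mount it on POST/DELETE only"
  end
end

# Constructed sample in `rails routes` layout; not CloudForms' real table.
# In config/routes.rb the weak and the corrected declarations would read:
#   get  'vm_infra/delete/:id', to: 'vm_infra#delete'   # no token check on GET
#   post 'vm_infra/delete/:id', to: 'vm_infra#delete'   # token verified
SAMPLE_ROUTES = <<~ROUTES
               Prefix Verb   URI Pattern                              Controller#Action
              vm_show GET    /vm_infra/show/:id(.:format)             vm_infra#show
            vm_delete GET    /vm_infra/delete/:id(.:format)           vm_infra#delete
                      POST   /vm_infra/delete/:id(.:format)           vm_infra#delete
         volume_purge GET    /cloud_volume/delete_volume(.:format)    cloud_volume#delete_volume
                   vm DELETE /vm_infra/:id(.:format)                  vm_infra#destroy
            vm_create POST   /vm_infra(.:format)                      vm_infra#create
ROUTES

if __FILE__ == $PROGRAM_NAME
  puts report(parse_routes(SAMPLE_ROUTES))
end
```

Run against a real application by piping `rails routes` into `parse_routes`; every line the report lists is a route where the only thing standing between a forged cross-site request and a destructive action is the absence of a GET handler, which is exactly what this update removes. The second POST route to the same `vm_infra#delete` action is not flagged: with the GET mapping gone, that route is covered by the token check.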