ESB-2017.1622 - [RedHat] CloudForms Management Engine: Multiple vulnerabilities 2017-06-29


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2017.1622
      Important: CFME 5.7.3 security, bug fix and enhancement update
                               29 June 2017

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           CloudForms Management Engine
Publisher:         Red Hat
Operating System:  Red Hat
Impact/Access:     Access Privileged Data         -- Remote with User Interaction
                   Create Arbitrary Files         -- Existing Account            
                   Provide Misleading Information -- Remote/Unauthenticated      
Resolution:        Patch/Upgrade
CVE Names:         CVE-2017-7497 CVE-2016-7047 CVE-2016-4457

Reference:         ESB-2017.1391

Original Bulletin: 
   https://access.redhat.com/errata/RHSA-2017:1601

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: CFME 5.7.3 security, bug fix and enhancement update
Advisory ID:       RHSA-2017:1601-01
Product:           Red Hat CloudForms
Advisory URL:      https://access.redhat.com/errata/RHSA-2017:1601
Issue date:        2017-06-28
Cross references:  RHSA-2017:0898
CVE Names:         CVE-2016-4457 CVE-2016-7047 CVE-2017-7497 
=====================================================================

1. Summary:

Updates for cfme, cfme-appliance, cfme-gemset,                             
rh-ruby23-rubygem-nokogiri, and rh-ruby23-rubygem-ovirt-engine-sdk4 are now
available for CloudForms Management Engine 5.7.                            
                                                                           
Red Hat Product Security has rated this update as having a security impact 
of Important. A Common Vulnerability Scoring System (CVSS) base score,     
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

CloudForms Management Engine 5.7 - noarch, x86_64

3. Description:

Red Hat CloudForms Management Engine delivers the insight, control, and
automation needed to address the challenges of managing virtual
environments. CloudForms Management Engine is built on Ruby on Rails, a
model-view-controller (MVC) framework for web application development.
Action Pack implements the controller and the view components.

rh-ruby23-rubygem-nokogiri provides Nokogiri, which is an HTML, XML, SAX,  
and Reader parser.  Among Nokogiri's many features is the ability to search
documents using XPath or CSS3 selectors.                                   
                                                                           
rh-ruby23-rubygem-ovirt-engine-sdk4 provides the ruby SDK for the oVirt    
Engine API. 

The following packages have been upgraded to a later upstream version: cfme
(5.7.3.2), cfme-gemset (5.7.3.2), rh-ruby23-rubygem-nokogiri (1.7.2),
cfme-appliance (5.7.3.2), rh-ruby23-rubygem-ovirt-engine-sdk4 (4.1.5).
(BZ#1442774, BZ#1459319)

This update also fixes several bugs and adds various enhancements.
Documentation for these changes is available from the Technical Notes
document linked to in the References section.

Security Fix(es):

* CloudForms ships with a default SSL/TLS certificate for the web server,
and the same certificate and private key are present in every installation
(BZ#1341308). The certificate is meant to be replaced at install time, but
until that happens anyone holding a copy of the default key can impersonate
the appliance. An attacker who man-in-the-middles an administrator's session
while the replacement certificate is being installed can capture the
uploaded private key, enabling further attacks even after the default
certificate has been replaced. (CVE-2016-4457)

* The dialog for creating cloud volumes (cinder provider) in CloudForms
does not filter cloud tenants by user. An attacker with the ability to
create storage volumes could use this to create storage volumes for any
other tenant. (CVE-2017-7497)

* A flaw was found in the CloudForms API. A user with permissions to use
the MiqReportResults capability within the API could potentially view data
from other tenants or groups to which they should not have access.
(CVE-2016-7047)
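The second and third fixes share one root cause: a tenant or group filter that is applied in the UI but not re-applied where the data is actually read or written. The following Ruby model is added here as an illustration and is not CloudForms' own code; it shows the unscoped and scoped forms side by side. The structs, the tenant and report inventory, the method names and the NotAuthorized error are all constructed for the example.

```ruby
# Illustrative model of the two tenant-scoping defects in this advisory.
# Nothing here is CloudForms' own code or API; names are hypothetical.
NotAuthorized = Class.new(StandardError)

User         = Struct.new(:name, :tenant_ids)   # tenants the user's group may act in
CloudTenant  = Struct.new(:id, :name)
CloudVolume  = Struct.new(:tenant_id, :size_gb, :owner)
ReportResult = Struct.new(:id, :tenant_id, :rows)

# Constructed inventory: two tenants and one report result per tenant.
TENANTS = [CloudTenant.new(1, "finance"), CloudTenant.new(2, "research")].freeze
REPORT_RESULTS = [
  ReportResult.new(10, 1, [["vm-fin-01", "running"]]),
  ReportResult.new(11, 2, [["vm-res-01", "stopped"]]),
].freeze

# Before (CVE-2017-7497): the cloud-volume dialog offered every tenant.
def dialog_tenants_unscoped(_user)
  TENANTS
end

# After: only tenants inside the user's RBAC scope are offered.
def dialog_tenants(user)
  TENANTS.select { |t| user.tenant_ids.include?(t.id) }
end

# The dialog filter alone is not a control: an API client can post any
# tenant_id, so the create path re-checks the value it receives.
def create_cloud_volume(user, tenant_id, size_gb)
  unless user.tenant_ids.include?(tenant_id)
    raise NotAuthorized, "#{user.name} may not create volumes in tenant #{tenant_id}"
  end
  CloudVolume.new(tenant_id, size_gb, user.name)
end

# Before (CVE-2016-7047): report results were returned regardless of tenant.
def report_results_unscoped(_user)
  REPORT_RESULTS
end

# After: the filter lives on the collection, so single-record lookups
# inherit it and a foreign id yields nil rather than another tenant's rows.
def report_results(user)
  REPORT_RESULTS.select { |r| user.tenant_ids.include?(r.tenant_id) }
end

def report_result(user, id)
  report_results(user).find { |r| r.id == id }
end
```

The point of the model is where the check sits: filtering the dropdown fixes the UI symptom, while the checks in create_cloud_volume and report_results are what stop a direct API call from crossing tenants.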

The CVE-2016-4457 and CVE-2016-7047 issues were discovered by Simon Lukasik
(Red Hat) and the CVE-2017-7497 issue was discovered by Gellert Kis (Red
Hat).
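A practical follow-up check for the first issue is to confirm that an appliance no longer presents the stock certificate. The Ruby script below is an added example, not part of the advisory or of CloudForms. The list of known-default fingerprints is a placeholder you populate from your own appliance image (for instance with openssl x509 -noout -fingerprint -sha256 on the shipped server certificate); build_self_signed_cert only manufactures a stand-in certificate so the checks can run offline, and fetch_server_cert is the live variant against a real host.

```ruby
require "openssl"
require "socket"

# SHA-256 fingerprint in the colon-separated form openssl prints.
def fingerprint_sha256(cert)
  OpenSSL::Digest.new("SHA256").hexdigest(cert.to_der).upcase.scan(/../).join(":")
end

# Self-signed: issuer equals subject and the signature verifies with the
# certificate's own public key.
def self_signed?(cert)
  cert.issuer.to_s == cert.subject.to_s && cert.verify(cert.public_key)
end

# :stock       -> on the known-default list; anyone with the appliance image
#                 holds this private key, so treat the channel as compromised
# :self_signed -> not a known default but self-signed; pin or replace it
# :ok          -> neither
def assess(cert, known_default_fingerprints)
  return :stock if known_default_fingerprints.include?(fingerprint_sha256(cert))
  return :self_signed if self_signed?(cert)
  :ok
end

# Live check. verify_mode is NONE on purpose: the certificate under
# inspection is expected not to chain to a trusted CA.
def fetch_server_cert(host, port = 443)
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.verify_mode = OpenSSL::SSL::VERIFY_NONE
  tcp = TCPSocket.new(host, port)
  ssl = OpenSSL::SSL::SSLSocket.new(tcp, ctx)
  ssl.hostname = host
  ssl.connect
  ssl.peer_cert
ensure
  ssl&.close
  tcp&.close
end

# Constructed stand-in for a stock certificate (a fresh self-signed cert);
# not the real CloudForms default, which this example does not have.
def build_self_signed_cert(common_name)
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2
  cert.serial     = 1
  cert.subject    = OpenSSL::X509::Name.new([["CN", common_name]])
  cert.issuer     = cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after  = Time.now + 365 * 24 * 3600
  cert.sign(key, OpenSSL::Digest.new("SHA256"))
  cert
end

# Placeholder: fill from your own appliance image's shipped certificate.
KNOWN_DEFAULT_FINGERPRINTS = [].freeze

if __FILE__ == $0
  stock = build_self_signed_cert("appliance.example")
  puts "#{fingerprint_sha256(stock)} -> #{assess(stock, [fingerprint_sha256(stock)])}"
end
```

Run the live form as assess(fetch_server_cert("cfme.example"), KNOWN_DEFAULT_FINGERPRINTS) from a host you trust. A :stock result means the key in every copy of the image still protects the admin UI; a :self_signed result is expected on an appliance whose replacement certificate is site-issued rather than CA-issued, and the fingerprint should then be pinned in the administrator's browser or tooling before any further upload of key material.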

4. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1322396 - [RFE] Allow for deletion of group when users belong to another group
1341308 - CVE-2016-4457 CFME: default certificate used across all installs
1350340 - Downloading the job templates of Ansible tower displays wrong data
1402992 - VM snapshot: revert option is enabled, for Active VM
1403358 - Add Provider->Type "RHEVM" should change to "RHV"
1414869 - VMRC is not working if IE compatibility mode is disabled
1419604 - [AnsibleTowerClient::ConnectionError]: Your license does not allow adding surveys
1428944 - Vulnerable JQuery Version
1430468 - Parent tenant displayed in list view when allowed by RBAC
1434152 - [RFE] Support for custom Amazon Regions in Provider
1434952 - delete action in /api/orchestration_templates results in error
1436074 - Back/Cancel button is missing on host drift comparison page
1436222 - The option of VM migration to the same host it is already running on is possible
1436226 - Persistent volume relationship link broken
1436228 - When the same action is used twice for a policy, action icons are inconsistent
1436232 - WebUI - Web Console button is enabled for archived vm's
1436233 - Container Provider - Capacity & Utilization: The page you were looking for doesn't exist
1436236 - Can't add provider specific catalog items to global region
1436237 - Event filter For Openstack::InfraManager
1436756 - when editing an existing user the field "Full Name" has the value of the field "Username"
1437146 - Policy conditions based on 'VM and Instance.vLANs' field not working
1437148 - [AWS][SDN] - Cannot edit or create Cloud networks/subnets
1437595 - Datepicker freezes after the first run of the "C & U Gap Collection".
1437909 - "Save" and "Reset" buttons are absent when adding log collection configuration
1437912 - Edit log collection menu has no spinner
1437925 - Policy to prevent a host scan request did not work
1438094 - [Regression] Azure provider refresh fails
1438866 - [VMWARE]Auto_placement provision fails due to selecting Host in Maintenance state
1439291 - Azure metrics collection failing  with "MonitoringServiceException"
1439314 - service dialog can be submitted before entry point code on dynamic fields has completed execution
1439319 - SUI : Cockpit icon tooltip gets in the way of button click
1439789 - [RFE] Allow for template network interface type to be overwritten during a provision
1439945 - Vmware infra provider refresh fail
1440399 - UI: Hover text is overlapped by navigation menu on Topology
1440400 - UI: Hover text associated for button is not shown properly on Infrastructure Topology page.
1440401 - Unable to save automation task schedule using eastern time zone
1440402 - Policy to prevent a VM retire request did not work
1440701 - [RBAC] - Spinner when creating new role
1441199 - Error '[NoMethodError]: undefined method `base_model' for NilClass:Class' generating chargeback for container images report
1441202 - OpenShift Refresh duration exceeds default two hour timeout and grows > 8GB never fully completing
1441204 - Message timeout of 600 seconds does not allow perf_capture_timer to finish
1441251 - Unexpected error while executing a custom button
1441272 - queue_name_for_metrics_collection raises an exception when ems is nil
1441293 - Tag Visibility | Error: undefined method `base_class' for NilClass:Class on selecting container image on containers page
1441331 - appliance_console doesn't ask for database disk while setting up secondary DB appliance
1441401 - Enable Central Admin UI has code artifact
1441648 - methods not sorted in frame on right side in automate
1441727 - Smartstate Analysis Error Unable to mount filesystem Unable to determine port used by VixDiskLib VMware
1441742 - When moving AWS provider from one zone to another Network Manager info no longer updates
1441752 - null result when deleting orchestration templates using REST API
1441754 - Get IP address automation code not working Azure
1441855 - OpenShift provider event storm POD_FAILEDSYNC
1442105 - UI: Topology - unable to confirm search by pressing the Return key, reacts only to a mouse click
1442156 - [SDN] - Disable CRUD actions for Azure/Amazon Network providers
1442164 - OSP refresh fail with Validation failed: Name can't be blank
1442169 - When using dynamic drop downs, sorting of items doesn't work in self service portal.
1442177 - EC2 provision dialogs do not support selecting multiple IPs for multi provision
1442764 - OpenStack refresh fail with nil:NilClass
1442769 - Rhev inventory refresh fails after rhev upgrade from 3.6 to 4.0
1442774 - Update oVirt SDK to version 4.1.z
1442865 - Automate import does not update display_name and description attributes in Namespace objects
1442877 - cloud_init re-runs on appliance reboot, static networking configuration lost
1443246 - Clicking on Group or Role name link/icon in the user's details page does nothing
1443248 - Using REST API - encountering "NoMethodError: undefined method `key?' for #<Array..."
1443563 - NoMethodError Nil actioncable / pubsub_adapter
1443572 - the amazon best fit method sometimes attempts to select networks that aren't available to the region in use
1443580 - After saving default filter in datastores and clearing it infinispinner
1443697 - Full refresh of second VMware provider isn't automatically started after it is added
1443799 - Containers may get (ems_id and old_ems_id) == nil
1444037 - UI: List views forget checked items when resorted by clicking on a column header.
1444041 - Chargeback for container images report editor filter tab produces an error if there are too many images in the database
1444052 - Chargeback report generation keeps whole openshift env in the memory (even after it finishes)
1444062 - Self Service UI does not properly select defaults for dynamic drop downs
1444178 - [SDN][Azure] - Edit Tags button clickable after Net provider refresh without selected provider
1444182 - Sorting configuration providers by url throws "undefinedColumn: ERROR: column providers.url does not exist"
1444214 - Ensure managers change zone and provider region with cloud manager (OpenStack)
1444220 - Ensure managers change zone and provider region with cloud manager (Google)
1444486 - Policy Simulation results tree nodes are not properly escaped
1444494 - Expose container projects and template parms in service model
1444875 - [SDN][EC2] - singular in downloaded files and subjects
1445318 - [RFE] CFME 4.1 EMS Refresh should be targeted for folder create, as opposed to a full EMS Refresh
1445356 - [RFE] Edit action is not supported for VMS resources.
1445383 - After reintroducing a failed primary node, there are old replication slots left on the "new" node
1445806 - Getting undefined method `get_folder_paths' after applying RHSA-2017:0898
1445901 - Error in re-configuring service: "Error during 'Provisioning': undefined method `match' for 0:Fixnum Did you mean? catch"
1445902 - [NoMethodError]: undefined method `merge!' for nil:NilClass encountered for OpenShift full refresh
1446305 - Reintroducing a standby node that has already been reintroduced causes failure
1446773 - Change Cluster/Deployment Roles to Resource Pools on cluster summary page
1446787 - Month selection arrows for C&U Gap collection are hidden in the UI
1446791 - incorrect href attribute values for Foreman providers
1447091 - Service Catalogs: Dialogs are hanging and keeps buffering
1448046 - UI lag due to more than 3650 messages in notification
1448073 - [vSphere] UI-RBAC: undefined method `all' for nil:NilClass error appears while setting ownership for template
1448140 - IPv6 addresses not selectable field for reports
1448142 - IPv6 addresses not rendered on details page
1448148 - Containers - old archived container entities are not purged
1448418 - Default dynamic text boxes should be blank
1448421 - Default value of dynamic dropdown list not honored CloudForms 4.2
1448530 - [RFE] ReFS FileSystem Support
1448538 - redhat_CustomizeRequest Provisioning Type: does not match, skipping processing
1448870 - [Regression] storage.perf_capture ERROR
1448872 - vmware_CustomizeRequest Provisioning Type: ManageIQ::Providers::Vmware::InfraManager::Provision does not match, skipping processing
1449389 - It is impossible to identify the source process/appliance for each connection in pg_stat_activity
1449392 - Benchmark timings are incorrect for all workers in evm.log
1449394 - Action button for verifying replication subscriptions on the far right is too small
1449396 - In my settings page at login Configuration management shouldn't be in Infrastructure
1449397 - error when creating a group + setting the tag in create
1449398 - Chargeback Report VM identification (UUID)
1449403 - GCE Boot Disk Size options should be sorted by actual size
1449753 - retirement runs in any zone as of 5.7.1
1450084 - Failed to remove interface from router
1450086 - Network Topology does not show Cloud Routers
1450088 - Cloud Router Summary does not show the subnets connected to it
1450150 - CFME: Dialog for creating cloud volumes does not filter cloud tenants CVE-2017-7497
1450217 - The credentials for Automate Git Repository weren't updating the correct authentication type
1450421 - service dialog dynamic code works in admin portal but not in self-service portal
1450508 - Create the .pgpass and print required conf for standby on primary database servers
1450511 - [RFE] Make the process of reintroducing a failed HA node more user-friendly
1450512 - In new db master node, pg_xlog directory got full
1450514 - SSA Fails in Windows workloads but not in Linux ones on OSP9
1450519 - Openstack services missing on node page
1450525 - Cannot select placement for Cloud Volumes (openstack cinder storage provider) and these volumes are created in different tenants during provisioning of the instance.
1450526 - MiqVimBrokerWorker exceeding memory after upgrading from 5.6 -> 5.7
1451396 - CFME 5.7.2.1 does not support group/tag access restrictions for performance reports
1451827 - Existing or Newly created service added to parent service via REST API or from automation is not visible in UI
1452172 - When adding Disk with reconfiguration on vmware, after 16th Disk, a new controller is created hardcoded to Parallel Type
1452227 - [RFE] Azure managed images not discovered
1452350 - customers unable to access CFME thru UI due to chronic unpredictable termination of httpd service
1452363 - Raw methods exposed for Cloud Tenant instead of non-raw
1452383 - Calendar control on Cluster Utilization page gets clipped
1452764 - reports do not distinguish between same name custom attributes with different sections
1452824 - [Microsoft]Auto_placement provision fails due to selecting Host in Maintenance state
1454383 - Unable to collect inventory for 40,000 container images, results in kubeclient timeout
1454442 - Tag Information Not Displayed on Catalog Items
1454443 - Resetting planning results in flash msg twice
1454446 - Containers with empty "imageID" field points to wrong images
1454618 - Forbidden Error when creating a cloud network
1455302 - Can not get kernel version from reports
1455600 - For OSP10 provider, Cinder volume creation is never finishing on the UI
1455670 - Service catalog service dialog refresh function in cf 4.2 behaves differently from cf 4.0
1455686 - Azure provision still needs First/Last name
1455933 - incorrect href keys for service and automation requests accessed through /api/requests
1456021 - Cloudforms causes a Token Storm on OSP10 overcloud
1457911 - Schedule Time value is reset during editing provisioning request
1457924 - Remove policy checking for request_host_vmotion_enabled event
1458810 - Failed while launching imported report based on Chargeback for Projects via REST API.
1458811 - Archived container entities are not destroyed when the provider is deleted
1459180 - Cannot filter report with custom attributes
1459307 - Retirement - log the zone when raising a retirement event.
1459319 - Azure refresh results in timeout errors
1459563 - Incorrect storage used in Chargeback reports
1460979 - Tag Visibility | Access Control: All users, groups, and tenants are visible for restricted user
1461170 - Valid SCVMM file share not showing up as datastore on host.
1461540 - ManageIQ icon on SUI order page
1461886 - Allow identifying replicated interfaces on HA environments
1463669 - Missing Memory graphs on Azure Availability zone Utilization page for daily interval

6. Package List:

CloudForms Management Engine 5.7:

Source:
cfme-5.7.3.2-1.el7cf.src.rpm
cfme-appliance-5.7.3.2-1.el7cf.src.rpm
cfme-gemset-5.7.3.2-1.el7cf.src.rpm
rh-ruby23-rubygem-nokogiri-1.7.2-1.el7cf.src.rpm
rh-ruby23-rubygem-ovirt-engine-sdk4-4.1.5-1.el7cf.src.rpm

noarch:
rh-ruby23-rubygem-ovirt-engine-sdk4-doc-4.1.5-1.el7cf.noarch.rpm

x86_64:
cfme-5.7.3.2-1.el7cf.x86_64.rpm
cfme-appliance-5.7.3.2-1.el7cf.x86_64.rpm
cfme-appliance-debuginfo-5.7.3.2-1.el7cf.x86_64.rpm
cfme-debuginfo-5.7.3.2-1.el7cf.x86_64.rpm
cfme-gemset-5.7.3.2-1.el7cf.x86_64.rpm
rh-ruby23-rubygem-nokogiri-1.7.2-1.el7cf.x86_64.rpm
rh-ruby23-rubygem-nokogiri-debuginfo-1.7.2-1.el7cf.x86_64.rpm
rh-ruby23-rubygem-nokogiri-doc-1.7.2-1.el7cf.x86_64.rpm
rh-ruby23-rubygem-ovirt-engine-sdk4-4.1.5-1.el7cf.x86_64.rpm
rh-ruby23-rubygem-ovirt-engine-sdk4-debuginfo-4.1.5-1.el7cf.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/
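To confirm an appliance carries the fixed builds, compare what rpm reports against the package list above. The Ruby below is an added example, not Red Hat tooling: it ports rpm's version-segment comparison for plain digit/alpha segments (tilde and caret markers are not handled, and none of the versions here use them), ignores epochs (none of these packages carry one), and reads the output of rpm -q --qf '%{NAME} %{VERSION} %{RELEASE}\n' followed by the package names. The sample rpm output embedded in it is constructed to show one outdated cfme and one outdated nokogiri.

```ruby
# Fixed (version, release) per package, taken from section 6 of the advisory.
FIXED = {
  "cfme"                                => ["5.7.3.2", "1.el7cf"],
  "cfme-appliance"                      => ["5.7.3.2", "1.el7cf"],
  "cfme-gemset"                         => ["5.7.3.2", "1.el7cf"],
  "rh-ruby23-rubygem-nokogiri"          => ["1.7.2",   "1.el7cf"],
  "rh-ruby23-rubygem-ovirt-engine-sdk4" => ["4.1.5",   "1.el7cf"],
}.freeze

# Port of rpm's segment comparison: split on non-alphanumerics, compare
# numeric segments as integers and alpha segments lexically, a numeric
# segment outranks an alpha one, and the string with segments left over
# is the newer one. Tilde/caret pre-release markers are not handled.
def rpm_vercmp(a, b)
  return 0 if a == b
  sa = a.scan(/\d+|[A-Za-z]+/)
  sb = b.scan(/\d+|[A-Za-z]+/)
  [sa.length, sb.length].max.times do |i|
    x, y = sa[i], sb[i]
    return -1 if x.nil?
    return 1 if y.nil?
    x_num = x.match?(/\A\d/)
    y_num = y.match?(/\A\d/)
    return(x_num ? 1 : -1) if x_num != y_num
    c = x_num ? (x.to_i <=> y.to_i) : (x <=> y)
    return c unless c.zero?
  end
  0
end

# Version decides; release breaks the tie (epoch assumed absent).
def rpm_evr_cmp(ver_a, rel_a, ver_b, rel_b)
  c = rpm_vercmp(ver_a, ver_b)
  c.zero? ? rpm_vercmp(rel_a, rel_b) : c
end

# Parses lines of "NAME VERSION RELEASE"; rpm's "package X is not
# installed" lines have a different field count and are dropped.
def parse_rpm_q_output(text)
  text.lines.map(&:split).select { |fields| fields.size == 3 }
end

# Names of installed packages older than the advisory's fixed build.
def outdated_packages(installed)
  installed.each_with_object([]) do |(name, ver, rel), out|
    fixed = FIXED[name]
    next unless fixed
    out << name if rpm_evr_cmp(ver, rel, *fixed) < 0
  end
end

# Constructed sample of rpm -q output from a partially updated appliance.
SAMPLE_RPM_Q_OUTPUT = <<~OUT
  cfme 5.7.2.1 1.el7cf
  cfme-appliance 5.7.3.2 1.el7cf
  cfme-gemset 5.7.3.2 1.el7cf
  rh-ruby23-rubygem-nokogiri 1.7.1 1.el7cf
  rh-ruby23-rubygem-ovirt-engine-sdk4 4.1.5 1.el7cf
OUT

if __FILE__ == $0
  text = ARGV.empty? ? SAMPLE_RPM_Q_OUTPUT : ARGF.read
  puts outdated_packages(parse_rpm_q_output(text))
end
```

On a real appliance pipe the rpm query into the script; an empty result means every package in the advisory is at or past the fixed build. The comparison matters because a naive string compare would call 1.7.10 older than 1.7.2, and a release-only rebuild (1.el7cf against 2.el7cf) would be missed if only the version field were checked. Verify package signatures with rpm -K before installing, as the note above describes.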

7. References:

https://access.redhat.com/security/cve/CVE-2016-4457
https://access.redhat.com/security/cve/CVE-2016-7047
https://access.redhat.com/security/cve/CVE-2017-7497
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2017 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iD8DBQFZU826XlSAg2UNWIIRAgXrAJ9HCjbP80gzOppkmtahL7vQekt/MACfSq36
qFYw6SbKJhE/X8Puz55sPCU=
=klqZ
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----
