ESB-2017.2678 - [RedHat] Red Hat CloudForms: Execute arbitrary code/commands - Existing account 2017-10-24


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2017.2678
  Important: Red Hat CloudForms security, bug fix, and enhancement update
                              24 October 2017

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Red Hat CloudForms
Publisher:         Red Hat
Operating System:  Red Hat
Impact/Access:     Execute Arbitrary Code/Commands -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2017-12148 CVE-2017-11610 

Reference:         ESB-2017.2009

Original Bulletin: 
   https://access.redhat.com/errata/RHSA-2017:3005

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: Red Hat CloudForms security, bug fix, and enhancement update
Advisory ID:       RHSA-2017:3005-01
Product:           Red Hat CloudForms
Advisory URL:      https://access.redhat.com/errata/RHSA-2017:3005
Issue date:        2017-10-24
Cross references:  RHSA-2017:1758
CVE Names:         CVE-2017-11610 CVE-2017-12148 
=====================================================================

1. Summary:

An update is now available for CloudForms Management Engine 5.8.

Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

CloudForms Management Engine 5.8 - noarch, x86_64

3. Description:

Red Hat CloudForms Management Engine delivers the insight, control, and
automation needed to address the challenges of managing virtual
environments. CloudForms Management Engine is built on Ruby on Rails, a
model-view-controller (MVC) framework for web application development.
Action Pack implements the controller and the view components.

The following packages have been upgraded to a later upstream version:
ansible-tower (3.1.5), cfme (5.8.2.3), cfme-appliance (5.8.2.3),
cfme-gemset (5.8.2.3), rabbitmq-server (3.6.9), rh-ruby23-rubygem-nokogiri
(1.8.1), supervisor (3.1.4). (BZ#1476286, BZ#1485484)

Security Fix(es):

* A flaw was found in Tower's interface with SCM repositories. If a Tower
project (SCM repository) definition does not have the 'delete before
update' flag set, an attacker with commit access to the upstream playbook
source repository could create a Trojan playbook that, when executed by
Tower, modifies the checked out SCM repository to add git hooks. These git
hooks could, in turn, cause arbitrary command and code execution as the
user Tower runs as. (CVE-2017-12148)

* A vulnerability was found in the XML-RPC interface in supervisord. When
processing malformed commands, an attacker can cause arbitrary shell
commands to be executed on the server as the same user as supervisord.
Exploitation requires the attacker to first be authenticated to the
supervisord service. (CVE-2017-11610)
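The CVE-2017-12148 description above hinges on a git hook surviving in a project checkout that was not wiped before an update. As an added example (not part of this advisory and not Ansible Tower's own tooling), the following script shows the check an administrator can run while triaging: walk the directory that holds project checkouts and report any hook file in `.git/hooks` that is not one of the `*.sample` stubs git installs itself. The projects directory path is an assumption (the default on an appliance is not stated in the advisory), and the demo tree it builds is constructed on the fly.

```python
"""Report git hooks in project checkouts that git did not install itself.
Added example for triaging CVE-2017-12148; not part of the advisory or of
Ansible Tower.  Assumptions: each Tower project is checked out into its own
subdirectory of a projects root (path assumed, e.g. /var/lib/awx/projects),
and an untouched checkout carries only the *.sample hooks git creates."""
import os
import stat
import tempfile
import pathlib


def unexpected_hooks(repo_dir):
    """Return [(path, is_executable)] for every file in repo_dir/.git/hooks
    that is not a *.sample stub.  A live hook in a checkout nobody configured
    hooks for is exactly what the 'delete before update' option would have
    removed before the next playbook run."""
    hooks_dir = os.path.join(repo_dir, ".git", "hooks")
    found = []
    if not os.path.isdir(hooks_dir):
        return found
    for name in sorted(os.listdir(hooks_dir)):
        path = os.path.join(hooks_dir, name)
        if name.endswith(".sample") or not os.path.isfile(path):
            continue
        mode = os.stat(path).st_mode
        executable = bool(mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH))
        found.append((path, executable))
    return found


def scan_projects(projects_root):
    """Map each git checkout directly under projects_root to its list of
    unexpected hooks; checkouts with none are left out of the report."""
    report = {}
    for entry in sorted(os.listdir(projects_root)):
        repo = os.path.join(projects_root, entry)
        if os.path.isdir(os.path.join(repo, ".git")):
            hooks = unexpected_hooks(repo)
            if hooks:
                report[repo] = hooks
    return report


def build_demo_tree():
    """Constructed sample input: a throwaway projects root holding one clean
    checkout (only a stock .sample hook) and one checkout that carries an
    executable post-checkout hook with a placeholder body."""
    root = tempfile.mkdtemp(prefix="projects-")
    for proj, extra in (("clean-playbooks", None),
                        ("suspect-playbooks", "post-checkout")):
        hooks = pathlib.Path(root, proj, ".git", "hooks")
        hooks.mkdir(parents=True)
        (hooks / "pre-commit.sample").write_text("#!/bin/sh\n")
        if extra:
            hook = hooks / extra
            hook.write_text("#!/bin/sh\n# constructed placeholder body\n")
            hook.chmod(0o755)
    return root


if __name__ == "__main__":
    root = build_demo_tree()
    for repo, hooks in scan_projects(root).items():
        for path, executable in hooks:
            print(f"{repo}: unexpected hook {path} (executable={executable})")
```

Run it against the real projects root instead of the demo tree to get a list of checkouts to inspect; any hit is worth reviewing before the project is updated again, since a later update without 'delete before update' set would leave the hook in place.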

The CVE-2017-12148 issue was discovered by Ryan Petrello (Red Hat).

Additional Changes:

This update also fixes several bugs and adds various enhancements.
Documentation for these changes is available from the Release Notes
document linked to in the References section.

4. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1439650 - Tenant and catalog information missing in Service Catalog Item Being Tagged
1459987 - Changes to timeout setting should not require evmserverd restart
1459996 - [RFE] Add support for virt v2v
1460754 - containers: containers analysis task results - user is system and owner is empty
1461061 - Add rate view option for counters in Ad-hoc Metrics
1465087 - Service template provisioning request do not honour quotas
1465089 - "Items" keyword in the dropdown list values of Default Items Per Page in my settings
1471709 - Default landing page is not showing "storage page" related options for custom made role
1476143 - CVE-2017-11610 supervisor: Command injection via malicious XML-RPC request
1477194 - AD with external auth, When doing group lookup for user group SID number is displayed instead of Group name
1477616 - Validation failed: Status is not included in the list
1477701 - Error caught: [NoMethodError] undefined method `[]' for nil:NilClass for REGULAR EXPRESSION MATCHES report
1477702 - UI: Unable to edit Compliance Policy Scope condition.
1478367 - 400 Bad Request Provision Error
1478372 - All start page entries must be updated to include the new navigation
1478379 - We do not check the base unit when creating the unit label
1478391 - Limit ansible playbook catalog item description
1478398 - Fields change in Advanced search in Automation -> Ansible Tower page
1478400 - Delete saved report button is not available on the configuration tab on report summary page
1478406 - Link to PV summary pdf broken
1478407 - [RFE] Create Backup for Cloud Volume should have force checkbox
1478409 - Error caught: [NoMethodError] undefined method `+' for nil:NilClass
1478415 - [Azure] User password limitations are not working correctly
1478418 - [RFE] Add support for VM "Restart Guest", for RHV provider
1478421 - Enabling Capacity & Utilization without filling C&U credentials generate repeated Errors in evm.log
1478428 - Default capture_threshold value for OpenShift object types is too low
1478429 - 'Ansible Tower' should not be mentioned in CloudForms notification when using Ansible Automation Inside
1478434 - prevent two miq servers from starting
1478435 - <Choose> found as option in drop down service dialogs
1478436 - Remote VNC/SPICE consoles lack logging when the remote endpoint is inaccessible
1478506 - inconsistent response when deleting nonexistent VM snapshot using API
1478508 - Not able to retire VM/instance via API unless "Set Retirement Date" feature is checked for role
1478510 - [POD] database.yml and GUID collected as link after log collection in podified appliance
1478513 - Configuration Manager name change not displayed
1478515 - Accessing the 'manager' association of a ManageIQ_Providers_EmbeddedAnsible_AutomationManager_Job service model gives a NoMethodError exception
1478523 - Productized border at top of page should be red not blue
1478526 - Unable to save trusted forest Settings
1478527 - CFME crashes in case of description field not found
1478529 - Tag|Ansible Job template| Page refreshes after try to navigate to template detail page from edit tag page
1478532 - In case system project not exsit, no filters load on Ad hoc metrics
1478535 - Boolean user input filter should be select bar to prevent exceptions
1478542 - SUI : Start/Stop operation on any service hides the top button menu bar
1478544 - After applying errata 5.7.3.2 some dialog field default values are missing in the self-service portal
1478554 - Not possible to refresh automate from GIT using API call
1478557 - Tag with Key 'Name' and a nil Value Breaks Refresh for AWS
1478558 - Container build pods are linked to build configurations from wrong namespaces
1478560 - RHV provider does not trust certificate authorities from the system CA database
1478562 - [VMWARE]Auto_placement provision into DVPortGroup fails on Virtual Center 6.5
1478563 - [RFE] Warning message on "admin" username during Azure provision
1478565 - Error generating reports after upgrading to 4.5
1478568 - Builds are connected to pods from different namespaces when builds have the same names
1478571 - Cloud volume operations are blocked by "Must filter on valid attributes for resource" error
1479367 - Provisioning to MS SCVMM Uses host.name instead of host.hostname
1479405 - [v2v] Drivers ISO filtering is broken
1479407 - Ansible inside Job times out even if the playbook is still running
1479409 - incorrect value used in stock automation wait_for_completion
1479414 - [v2v] Failures/Errors are not reflected at all in the Automate request messages
1479423 - Generic Service State Machine missing retry interval
1479437 - Azure inventory collection fails with missing instances for west-india region
1479453 - [v2v] operation always fail eventually, even in cases VM import was successful.
1479454 - [v2v] request timeout is very long (~2 days)
1479478 - VM Migrate State Machine does not correctly report migration errors.
1479481 - A deleted VM state do not change to Archived state
1479802 - Adding dialog for a new cloud volume doesn't show EBS storage manager
1479805 - Unable to provision against vmware with "multiple parents found" error
1479886 - After Applying ERRATA-RHSA-2017:1601 full refreshes are being trigged frequently
1479917 - Tag | Groups: Datastores is missing in "Host & Clusters" tree
1479920 - Hawkular verification - error message contains HTML tags
1479922 - The notification events are out of order
1479923 - [Embedded Ansible] - Unexpected error when clicking on Download summary icon
1479924 - Embedded Ansible worker has no icon in Diagnostics
1479925 - Button Group details page fields do not mention Group
1479926 - Button edit dialog title is incorrect
1479927 - Unable to perform power control operations on stack instance when navigated through stack summary page
1479929 - VM: Error when clicking on archived or orphaned VMware VM in VM explorer
1479931 - UX: Provisioning an ec2 instance image selection page has Type: "Image" splitted in two lines
1479935 - HTML5 Console: Toggle Full Screen Button Does not Work in Firefox
1479937 - Configuration Management Provider's Verify Peer Certificate setting doesn't get saved
1479938 - zones of sub region show up as zones appliances of a central region can move to
1479941 - Search field disappears when user clicks view selector after user input dialog on Compute->Infrastructure->All VMs page
1479943 - Adding an Automate Task schedule adds UTC to the last Attribute/Value pair
1479944 - User unable to tick the check boxes of the folder while assigning the Alert profile
1479959 - Unable to provision HyperV networking properly
1479972 - TypeError while refreshing a scvmm provider
1479976 - Refresh failed for VMware Provider in Cloudforms 4.5
1479978 - OpenStack cloud provider refresh error: Flavor <flavor id> could not be found
1479991 - Typo on Infra provider dashboard page
1479993 - Inconsistency between flash message when creating vs. deleting
1479994 - UI: "Unexpected error encountered" when Downloading report in text,csv and pdf format
1480000 - exception on attempt to open report with timelines "Operations VM Power On/Off Events for Last Week"
1480001 - [Embedded Ansible] URL is not validated while adding new Ansible Repository
1480002 - Broken navigation tree in the datastore details screen
1480007 - Provisions via Users in multiple groups in tenants in SSUI result in VMs being provisioned to wrong group/tenant
1480008 - Datasources Download .txt truncates host-name
1480286 - State Machine Changes when User Switches Groups During Provision in Admin UI
1480377 - [RHEVM]: VM snapshot: delete option is enabled, for Active VM
1480586 - [v2v] rephrase "Drivers ISO" label in the v2v dialog
1480588 - [v2v] Move the 'Transform this VM to RHV' option from 'Configuration' to 'Lifecycle'
1480589 - Reports type dashboard widgets cannot be minimized
1480654 - Duplicated users when changed the (upper,lower)case of letters of login name
1480734 - vm_retire_extend references vm.retirement which does not exist anymore, causing crash
1481296 - CloudForms REST API searching for reports by names that contain '>' fails with a '400 - Bad Request'
1481436 - In Utilisation graph for Pods and Containers the Rounding of metrics is inconsistant
1481437 - [UI] - Unexpected error encountered when switching to 'Cloud Intel' main tab
1481439 - Duplicate flash message in Optimize/Bottlenecks
1481442 - duplicate status messages when saving automate methods
1481445 - Ansible Automation: missing group id in manageiq payload
1481449 - Instance Type on Provision Instances remains empty after adding flavor which has disk size of 0
1481450 - Unable to provision against vmware due to "unknown method xsiType"
1481845 - Delete a Template in RHEV that a Catalog uses, no indication in logs or UI when Catalog Ordered
1481846 - appliance_console_cli doesn't handle ipa registration if the password has a '$' in it
1481849 - "Page does not exist"  when clicked on Service Catalog item breadcrumb link from stack page
1481851 - Internal Server Error when creating schedule for automate task
1481853 - Drop down history toolbar button on Import/Export report page is not needed, should be removed.
1482131 - Title displayed in add button page is wrong
1482136 - CFME OpenStack provider missing options to set VLAN or Segmentation ID
1482148 - Missing Icon of power state - migrating
1482170 - unable to provision against openstack with a volume attached
1482666 - Cannot edit Ansible Repository
1482667 - sat6 save button broken after changing rhsm details to sat6 setup
1482668 - prov.set_host fails on 4.5.1 (5.8.1.5.20170725160636_e433fc0)
1482669 - setting hostname through appliance console throws error on ipv6 only env
1482670 - Workers processing a miq_queue message that exceed the memory threshold aren't given enough time to exit gracefully
1484373 - Reports are not generated by API call
1484374 - Failure to collect metrics of Window instances on Azure
1484385 - Setting VM ownership on more than 100 VMs at a time causing server error status 400 bad request
1484424 - [Embedded Ansible] Failed Repository does not show up in All Repositories Table on /ansible_repository/show_list
1484539 - Custom button not passing target object to dynamic dialog fields
1484548 - [RFE] Add config option to skip container_images
1484608 - SUI : The VM status shows "retired" for all VM's ,retired or not.
1484613 - RHEVM Target Refresh Completes Even Though Storage Domain Error is Thrown
1484895 - Reports - pods per ready status - nonexistent pods presented
1484901 - [RFE] Include EvmRole-reader as read-only role in the fixtures
1484904 - Tower version 2 may fail refresh
1484956 - [v2v] 'Drivers ISO' field is not removed when 'install drivers' is unchecked.
1484984 - [RFE] The azure image as built cannot be used in azure.
1485474 - CVE-2017-12148 Ansible Tower modification of git hooks in SCM repo via upstream playbook execution
1486351 - Service order request for VM provision from template fail on  SSL Certificate verification
1486474 - Locale dropdown menu does not have Portuguese
1487283 - Refresh fails: undefined method `[]' for nil:NilClass in `parse_image_name'
1487320 - Unable to access filter tab while Editing chargeback for projects report
1487689 - duplicate users get created from ldap logins
1488967 - Need to verify that SSA works with Azure Managed Storage
1489974 - Unable to login to Amazon account.
1491310 - Smart state analysis on a running vm on Azure doesn't work
1492840 - [UI][Services] - Not all catalog items shown in Service catalogs accordion tree
1493207 - Add miq_provision_quota_mixin to Service Template Provision Request service model.
1494561 - Save only used OpenShift images with labels/tags
1496912 - Proxy configuration does not work in restricted IPV6 only environment
1496946 - setting a dynamic dialog to "required = True" is not saved
1497746 - Editing Name of a Category via API breaks Chargeback Assignments
1497817 - Appliance doesn't start after upgrading from 5.7.4.0 to 5.8.2.0
1497835 - Tag/Networks: Cloud Network list is available for restricted user, if Network manager was tagged
1498230 - [Regression] appliance_console not enabling all required SCAP rules.
1498556 - Azure Smart State on Image results error "Unable to mount filesystem.  Reason:[undefined method `split' for nil:NilClass" in evm.log
1499868 - DB/LDAP User is not able to log into SSUI
1500049 - Cannot add Azure provider to CloudForms 4.2
1500051 - Azure refreshes fail with [NameError]: wrong constant name $default
1500053 - Cloudforms AWS image with Azure provider fails to discover entire environment
1502738 - Dynamic refresh ignored on Service Dialog elements if clicking submit without clicking out of refresh trigger element first

6. Package List:

CloudForms Management Engine 5.8:

Source:
cfme-5.8.2.3-1.el7cf.src.rpm
cfme-appliance-5.8.2.3-1.el7cf.src.rpm
cfme-gemset-5.8.2.3-1.el7cf.src.rpm
rabbitmq-server-3.6.9-1.el7at.src.rpm
rh-ruby23-rubygem-nokogiri-1.8.1-2.el7cf.src.rpm
supervisor-3.1.4-1.el7.src.rpm

noarch:
rabbitmq-server-3.6.9-1.el7at.noarch.rpm
supervisor-3.1.4-1.el7.noarch.rpm

x86_64:
ansible-tower-server-3.1.5-1.el7at.x86_64.rpm
ansible-tower-setup-3.1.5-1.el7at.x86_64.rpm
cfme-5.8.2.3-1.el7cf.x86_64.rpm
cfme-appliance-5.8.2.3-1.el7cf.x86_64.rpm
cfme-appliance-debuginfo-5.8.2.3-1.el7cf.x86_64.rpm
cfme-debuginfo-5.8.2.3-1.el7cf.x86_64.rpm
cfme-gemset-5.8.2.3-1.el7cf.x86_64.rpm
rh-ruby23-rubygem-nokogiri-1.8.1-2.el7cf.x86_64.rpm
rh-ruby23-rubygem-nokogiri-debuginfo-1.8.1-2.el7cf.x86_64.rpm
rh-ruby23-rubygem-nokogiri-doc-1.8.1-2.el7cf.x86_64.rpm
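To turn the package list above into a yes/no answer for an appliance, the following added example (not Red Hat tooling) compares `rpm -qa` output against the fixed name-version-release values from section 6. The version ordering is a re-implementation of rpm's segment-wise comparison (`rpmvercmp`) covering numeric runs, alphabetic runs and the `~` pre-release marker; epochs are assumed absent, as none appear in this list. The `rpm -qa` lines fed in below are constructed sample input, with deliberately older `cfme` and `supervisor` builds.

```python
"""Audit rpm -qa output against the fixed packages in RHSA-2017:3005.
Added example, not Red Hat tooling.  Assumes no epochs (none are listed
in the advisory) and that package names follow name-version-release.arch."""
import re

# Fixed (version, release) per package, taken from section 6 of the advisory.
FIXED = {
    "cfme": ("5.8.2.3", "1.el7cf"),
    "cfme-appliance": ("5.8.2.3", "1.el7cf"),
    "cfme-gemset": ("5.8.2.3", "1.el7cf"),
    "rabbitmq-server": ("3.6.9", "1.el7at"),
    "rh-ruby23-rubygem-nokogiri": ("1.8.1", "2.el7cf"),
    "supervisor": ("3.1.4", "1.el7"),
    "ansible-tower-server": ("3.1.5", "1.el7at"),
    "ansible-tower-setup": ("3.1.5", "1.el7at"),
}

# rpm splits a version into numeric runs, alphabetic runs and '~'; every
# other character is a separator and is ignored.
_SEG = re.compile(r"[0-9]+|[a-zA-Z]+|~")


def rpmvercmp(a, b):
    """Return -1, 0 or 1 ordering two version or release strings the way rpm
    does: numbers compare numerically and beat letters, a longer string wins
    once the common prefix is equal, and '~' sorts before everything."""
    sa, sb = _SEG.findall(a), _SEG.findall(b)
    while sa or sb:
        x = sa.pop(0) if sa else ""
        y = sb.pop(0) if sb else ""
        if x == "~" or y == "~":
            if x != y:
                return -1 if x == "~" else 1   # tilde side is the pre-release
            continue
        if x == "" or y == "":
            return 1 if x else -1              # side with more segments is newer
        if x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1    # numeric segment beats alpha
        if x.isdigit():
            x, y = int(x), int(y)
        if x != y:
            return 1 if x > y else -1
    return 0


def parse_nvra(pkg):
    """Split 'name-version-release.arch' from the right, so hyphens inside
    the package name (rh-ruby23-rubygem-nokogiri) are handled correctly."""
    base, _, arch = pkg.rpartition(".")
    nv, _, release = base.rpartition("-")
    name, _, version = nv.rpartition("-")
    return name, version, release, arch


def audit(rpm_qa_lines):
    """Return [(name, installed 'version-release', status)] for every
    installed package named in FIXED; status is 'ok' when the installed
    build is at or above the fixed one, else 'update required'."""
    results = []
    for line in rpm_qa_lines:
        line = line.strip()
        if not line:
            continue
        name, version, release, _ = parse_nvra(line)
        if name not in FIXED:
            continue
        fixed_v, fixed_r = FIXED[name]
        cmp = rpmvercmp(version, fixed_v) or rpmvercmp(release, fixed_r)
        status = "ok" if cmp >= 0 else "update required"
        results.append((name, f"{version}-{release}", status))
    return results


# Constructed sample of `rpm -qa` output; not taken from a real appliance.
SAMPLE_RPM_QA = """\
cfme-5.8.1.5-1.el7cf.x86_64
cfme-gemset-5.8.2.3-1.el7cf.x86_64
supervisor-3.1.3-3.el7.noarch
rh-ruby23-rubygem-nokogiri-1.8.1-2.el7cf.x86_64
ansible-tower-server-3.1.5-1.el7at.x86_64
bash-4.2.46-28.el7.x86_64
"""

if __name__ == "__main__":
    for name, installed, status in audit(SAMPLE_RPM_QA.splitlines()):
        print(f"{name:<28} {installed:<18} {status}")
```

On a real appliance, pipe `rpm -qa` into `audit` instead of the constructed sample; packages that are not installed at all (for example the Tower packages on a CloudForms host without Ansible Tower) simply do not appear in the result and need no action.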

These packages are GPG signed by Red Hat for security.  Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2017-11610
https://access.redhat.com/security/cve/CVE-2017-12148
https://access.redhat.com/security/updates/classification/#important
https://access.redhat.com/documentation/en-us/red_hat_cloudforms/4.5/html/release_notes/index#red_hat_cloudforms_4_5_2

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2017 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iD8DBQFZ7obfXlSAg2UNWIIRAqPrAJ4+V6vCPvuuA5uZXoIaMnmU+stPdwCggCdG
Iauqp+TU+nVpaAmy4D675Ic=
=QGyU
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBWe6eAYx+lLeg9Ub1AQgwaw//QWl6Hu6PDLkvJk3GAOJTlzktCfqmxe5x
koim0pEqWMHucpmYoRDBxt4jzv+wDtUNZKAzXWnNvRSyS0AkEDYjcrS4hY7RLPX8
ALDV5BRiwK5+3Ai8cuxWHswSC50u5VS5ywh/GkXcn3YVhcfTn8cjKdNnx6pNHUaH
i4QlLNL6zDev9rLq1+A0IgxK+a1ClZ7JUqmHZf5xOh+U4fiSXt+2jeVpJa/bnpyI
RHZq5M+DWMmDIx79g0NJr1Pd9EWBwJxJ4By0ngBohTIysBezkDZeG5Tmv2HUYW5d
F5OhVdpoZslHwXM//0KWhLauylAxpdcqEnoqhwcnpyHMsRhVDCu/p4ExCbKozHGA
nPlBQQR4+ASc3lieOGhqj+dRo3c3Fm9LUDSo9NLM290vraqG+JxkehXMOa3AA2nO
vHtUjUJ5ki8T6lFwL04lICgitSrBVQYFbhrRgG+FQ8QuHtvL5tN8Hl6x7gNf8Z6e
SfoVZCdBSLzp2SxNjeSUCFTYo9oFYEsQvlJvFILNd1kanQS1AL2fGspXAbR9DuwU
vGC3jQfhnXqNcM9ePPH+kpoWhWogXc7csl8Kxi3oClyx2Emo/SRcgfLtgnjAHBxQ
pSuLRADy7rEybD4LNRskz+YA4++WeKfJFaJ/MXymH4vKtuU7fI0urlcR46PamfMa
KanfNhhCRwY=
=4/eF
-----END PGP SIGNATURE-----
