ESB-2018.0588 - [RedHat] Red Hat CloudForms: Increased privileges - Existing account 2018-03-01

             AUSCERT External Security Bulletin Redistribution

  Important: Red Hat CloudForms security, bug fix, and enhancement update
                               1 March 2018


        AusCERT Security Bulletin Summary

Product:           Red Hat CloudForms
Publisher:         Red Hat
Operating System:  Red Hat
Impact/Access:     Increased Privileges -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2017-12191  

Original Bulletin:

- --------------------------BEGIN INCLUDED TEXT--------------------

                   Red Hat Security Advisory

Synopsis:          Important: Red Hat CloudForms security, bug fix, and enhancement update
Advisory ID:       RHSA-2018:0374-01
Product:           Red Hat CloudForms
Advisory URL:
Issue date:        2018-02-28
Cross references:  RHSA-2017:3005
CVE Names:         CVE-2017-12191 

1. Summary:

An update is now available for CloudForms Management Engine 5.8.

Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

CloudForms Management Engine 5.8 - noarch, x86_64

3. Description:

Ansible is a simple model-driven configuration management, multi-node
deployment, and remote-task execution system. Ansible works over SSH and
does not require any software or daemons to be installed on remote nodes.
Extension modules can be written in any language and are transferred to
managed machines automatically.

Ansible Tower helps you scale IT automation, manage complex deployments and
speed productivity. Centralize and control your IT infrastructure with a
visual dashboard, role-based access control, job scheduling, integrated
notifications and graphical inventory management. And Ansible Tower's REST
API and CLI make it easy to embed Ansible Tower into existing tools and

Red Hat CloudForms Management Engine delivers the insight, control, and
automation needed to address the challenges of managing virtual
environments. CloudForms Management Engine is built on Ruby on Rails, a
model-view-controller (MVC) framework for web application development.
Action Pack implements the controller and the view components.

Security Fix(es):

* A flaw was found in the CloudForms account configuration when using
VMware. By default, CloudForms opens VMRC (VMware Remote Console) sessions
through a single shared account, and that account has privileged access to
VMRC functions that are not appropriate for every CloudForms user who is
allowed to open a console. Those users effectively inherit the shared
account's privileges: an authenticated CloudForms user could use this flaw
to view and change settings in VMRC, and in the virtual machines reachable
through it, that they should not have access to.

This issue was discovered by Gellert Kis (Red Hat).
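The flaw above is a shared-credential (confused-deputy) problem: one
privileged account does the console work for every user, so the account's
privileges rather than the requesting user's decide what the console can do.
The Ruby sketch below is an added illustration, not CloudForms or Red Hat
code and not the fix shipped in this update; the broker, role names, VM ids
and privilege names are hypothetical. It contrasts a broker that hands every
authenticated user a ticket carrying the shared account's full privilege set
with one that first checks the requester may reach the VM at all and then
limits the ticket to the intersection of the user's role and the shared
account's privileges, so the deputy never grants more than the user holds.

```ruby
# Added example: models the shared-account privilege inheritance described in
# the advisory. Nothing here is CloudForms code; all names are hypothetical.
require 'set'

# Privileges the shared (privileged) console account holds on the hypervisor.
SHARED_VMRC_PRIVILEGES = %i[view_console send_keys power_off
                            edit_settings attach_device].to_set.freeze

# What each CloudForms role is meant to be able to do through a console.
ROLE_PRIVILEGES = {
  admin:    SHARED_VMRC_PRIVILEGES,
  operator: %i[view_console send_keys power_off].to_set.freeze,
  viewer:   %i[view_console].to_set.freeze
}.freeze

# name, role symbol, and the set of VM ids the user is allowed to reach
User = Struct.new(:name, :role, :vms)

# A console ticket: which VM it targets and which actions it permits.
class Ticket
  attr_reader :vm, :privileges

  def initialize(vm, privileges)
    @vm = vm
    @privileges = privileges.to_set.freeze
  end

  def allows?(action)
    @privileges.include?(action)
  end
end

# Vulnerable pattern: any authenticated user gets a ticket that carries the
# shared account's full privilege set, regardless of role or VM ownership.
def issue_ticket_vulnerable(_user, vm)
  Ticket.new(vm, SHARED_VMRC_PRIVILEGES)
end

# Hardened pattern: authorize the requester against the target VM first, then
# scope the ticket to what BOTH the user's role and the shared account allow.
def issue_ticket_hardened(user, vm)
  unless user.vms.include?(vm)
    raise ArgumentError, "#{user.name} is not authorized for console access to #{vm}"
  end
  role_privs = ROLE_PRIVILEGES.fetch(user.role) do
    raise ArgumentError, "unknown role #{user.role.inspect} for #{user.name}"
  end
  Ticket.new(vm, role_privs & SHARED_VMRC_PRIVILEGES)
end

# The console proxy consults the ticket, never the shared account, per action.
def perform(ticket, action)
  ticket.allows?(action) ? :ok : :denied
end

if __FILE__ == $PROGRAM_NAME
  viewer = User.new('alice', :viewer, Set['vm-1'])
  weak = issue_ticket_vulnerable(viewer, 'vm-2')
  puts "vulnerable broker, viewer edits settings on a VM she does not own: #{perform(weak, :edit_settings)}"
  strong = issue_ticket_hardened(viewer, 'vm-1')
  puts "hardened broker, viewer edits settings on her own VM: #{perform(strong, :edit_settings)}"
end
```

The check that matters is the set intersection: even an `admin` ticket can
never exceed what the shared account holds, and a `viewer` ticket drops to
`view_console` only, so the shared credential stops being an escalation path.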

Additional Changes:

This update also fixes several bugs and adds various enhancements.
Documentation for these changes is available from the Release Notes
document linked to in the References section.

4. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

If the postgresql service is running, it will be automatically restarted
after installing this update.

5. Bugs fixed:

1458929 - IE 11 on windows 7: On topology page entity icons are not displaying properly
1459190 - Block storage volume list configuration button attach/detach/delete actions are not working
1460377 - Missing Paginator on miq_request/show_list
1460815 - Formatting of Provider summary PDF file generated from provider summary page is very broken
1461164 - Attach/Detach volume to/from instance provides no flash message
1463422 - The 'Assigned Filters' setting in the Settings->Access Control->Groups->[group name] only applies to 'Hosts & Clusters', and not the Network providers.
1478518 - CFME reports VM migration passed when it fails on RHV side
1478520 - VM Migrate doesn't create notifications or log messages when migrations fail.
1479402 - [RFE] Support more Tower credential types
1479939 - Volumes: Get error while trying to edit cloud volume opened from availability zone page
1479940 - Volumes: Get 'Button not yet implemented' while adding tag to cloud volume opened from availability zone page
1481378 - Error provisioning VM, incompatible marshal file format
1481446 - Quota not using cloud volumes in requested resource calculation.
1487306 - Unable to perform any actions on cloud objects from list view when navigated to cloud tenants
1489697 - Missing servers in alert profile assignment screen
1490416 - Unexpected error message while adding new Cloud Subnet
1496900 - appliance_console crash when setting up standby node with no route to host
1496903 - Cockpit web console is not available for RHOS provider
1496904 - [AWS EBS] UI: "Configuration" for Cloud storage throws "Button not yet implemented" in flash message
1496907 - Others rendered as <Other(13)> on Utilization page of host/Cluster
1496908 - [Embedded Ansible] Show "Red Cross" Icon in notification instead of "Green Check Mark" if the Repo Addition is failed
1496909 - Duplicate flash msg at rates of chargeback
1496922 - Edit tags not working while navigating to instance through provider
1496925 - Custom Button does not display for Dashboard View of a Provider
1496930 - In block volume snapshot summary selecting volumes based on snapshot results in exception
1496931 - [Azure]Empty IPv6 configuration blocks Refresh of Azure Network Manager
1496932 - Refresh Failing - String Not Recognized Metric Type - OpenShift Hawkular
1496936 - retiring parent service doesn't retire child service
1496937 - VM Migrate gets an error sending completion email.
1496939 - Clicking x button in search box  doesn't remove the search
1496943 - No indication of which image is currently being scanned when selecting multiple images
1496945 - UI elements not loading and reporting widgets not showing data points
1496947 - Service Retirements (which work correctly) result in two separate emails to service owner
1496949 - Image SSA - image-inspector unable to pull image - pod_wait is not permitted at state finished
1497209 - User unable to login when role permissions restricted to Everything->Settings
1498506 - Wrong hover view after selecting Red Hat Insights in main navigation
1498511 - Hover view of main navigation disappearing for Compute/Infrastructure/[Networking]
1498516 - Wrong hover view after selecting Middleware/Domains in main navigation
1498518 - Hover view of main navigation disappears after selecting Services/Requests
1498525 - Scroll bar not appearing when looking at notifications
1498542 - date dialogs with "Show Past Dates" unchecked still allow selection of past dates
1498544 - Some Navigation menus are not highlighted
1498891 - Container Product Feature in a Role Required for VM Visibility Menu Box
1500029 - [RFE] widget import file; the page goes blank on custom report page
1500445 - WebMKS Console : Proxy Error
1500448 - WebMKS Console: Some Javascript Error
1500517 - CVE-2017-12191 CFME: VMRC plugin console grants users administrative access
1500808 - UI: infinispinner appears when clicking on Add or cancel button of copy report for Guest OS Information-any OS
1500954 - DetachVolume is missing in AWS EBS cloudwatch event catcher
1501475 - overwriting reports causes new runs of the report to not show data for some columns
1501481 - Edit cloud instance:Show parent and child VMs details for cloud instances too
1501524 - Ansible playbook service max TTL is always divisible by 100
1501897 - Container Providers -> Topology View raises 'capitalize' error
1503611 - Toast notifications missing error icon
1503639 - RHV provider VM Quad icon page: VM power 'reset' option do not fail as expected.
1504199 - RFE: Expose Disks in the ServiceModel through Hardware
1504775 - Wrong flash message displayed when import/commit widget
1505415 - Records with duplicate timestamp in metrics rollup table
1505456 - UI: PDF Download button is missing from the infra provider summary page (it is displayed for cloud providers)
1505501 - [DOC] Cannot copy a built in OpenSCAP policy
1505503 - container group creation\deletion rates are miscalculated for container projects
1505545 - HTML5 Console Does Not Display From SSUI/OPS UI VMWare
1505951 - Azure extra disk information of VM is not showing from CFME which prevents Chargeback calculation for the usage.
1506624 - compute.instance.exists events
1509008 - Global Region Widget doesn't have data
1509024 - "Orders" should be "My Orders"
1509378 - Error messages disappear when clicked or text selected.
1509391 - [REGRESSION][AZURE]Can't provision VM from private image
1509414 - Missing notification type icons in the Notification Drawer
1509419 - Queue workers are frequently querying pg_backend_pid
1509423 - [ja_JP][fr_FR] ON/OFF button varies in size on 'Manage quotas for Tenant'
1510054 - Do not purge session if there are no sessions
1510142 - Cannot ommit Compute->Containers->Containers from RBAC role.
1510175 - managed disks are not removed as part of azure stack retirement
1510241 - Filters under Job Templates do not work properly
1510564 - error while syncing openstack tenants : failed to save the new source_tenant
1510698 - chargeback filters selection issue
1511032 - VM retirement fails when using ovirt-engine SDK (V4)
1511125 - Unable to delete Cloud Network in Cloud Networks View
1511130 - CloudForms does not show region-level Utilization from "Optimize" -> "Utilization" menu
1511135 - 'Optimize > Utilization' only shows a subset of providers
1511142 - Wrong units of net_usage_rate_average in containers metrics
1511144 - Cancellation of 'Create New Host Aggregate' with empty values showing warning
1511147 - unable to scan lvm2 partitions that were thin provisioned under rhevm 4.1
1511196 - Typo or bug in openstack network_manager refresh parser.
1511502 - set_network_adapter method erroring out with undefined method `[]' for nil:NilClass')]
1511517 - When provisioning an Ansible Embedded playbook, dialog's service_name does not set the service name
1511528 - Group Filters: Selected host is deselected after group saving
1511548 - RHOS 12 tenants  are not mapped to CFME
1511595 - Several broken associations in container-related service models
1512661 - [RFE] [v2v] There are unsupported v2v operations, that could have been blocked at the v2v submit stage
1512665 - selection doesn't move along with added/copied Condition in Control->Explorer->Policies treeview
1512667 - Network deletion provided with no flash message
1512694 - Inconsistency between filled name and name in accordion of Provision Dialogs
1512695 - Unexpected error encountered while downloading pdf from configuration profile
1512706 - vmdb size constantly increasing 1+gb a day
1512728 - Azure - Disk properties missing or incorrect
1512955 - [v2v] Add a warning to user, in case trying to run v2v for windows VM, without installing the required drivers
1512967 - Smartstate Analysis Snapshot of Azure Managed Disks fails with "The value of parameter is invalid. (cause: 400 Bad Request) creating SSA Snapshot" if the disk name exceeds 60 characters.
1513124 - PG String Data Right Truncation error: Value too long for type character varying(255)
1513509 - Region was offline - after a restart region has lost all data
1513699 - unable to provision against SCVMM with "VMM is unable to perform this operation without a connection to a Virtual Machine Manager management server"
1514139 - Embedded ansible fails to start. Can't create credentials or add repositories.
1514184 - Chargeback report is not available after deleting linked task
1514570 - Changing cloud volumes in a service provisioning dialog still runs with original value.
1515367 - Ops UI service catalog list view displays a cube icon rather than the user's uploaded icon
1515402 - No flash message during duplicate class add.
1515407 - Inconsistency between customization template name and description while deletion
1515416 - VMware WebMKS Console: Does not support CTRL+ALT+DEL Input
1515426 - Button 'Save' is always disabled on Edit Subnet Page
1515483 - Azure Smart State on Windows VM throwing error "undefined method `[]' for nil:NilClass" in evm.log
1518357 - Container Image openSCAP compliance check doesn't response for several Images
1518368 - Duplicate Customization Template name doesn't show flash error message
1518372 - [RFE] Service pane service/explorer Unexpecting error encountered
1518374 - Quota - exclude orphaned VMs from used counts
1518383 - Unable to clone OSP template.Blank page displayed when clicked on clone template
1518392 - Chargeback rate assignment page doesn't show duplicate clusters
1518600 - Element Name must be alphanumeric characters and underscores without spaces
1519809 - setting certain types of filters can cause puma to consume all cpu
1519910 - Smart State Analysis doesn't show data in "Patches" and "Registry Entries" etc for Windows VM.
1519915 - Mismatch between cloud volume table and details
1519987 - Logging of the server process memory/cpu (MiqServer.log_status) is incorrect
1520541 - Multiple cloud volumes can't be added in Catalog
1520557 - error "undefined method `[]=' for nil:NilClass" while syncing against rhevm 3.6
1521036 - Azure NetworkManager refresh failure with "undefined method `source_address_prefix'" error
1522951 - Re-enable Web Console button.
1523402 - Classification validation errors in seeding keep server from starting
1523404 - VMWare WebMKS consoles do not proxy sessions as VNC sessions do in CloudForms
1523408 - C & U collection tab empty and fatal error appears in production log
1523771 - Attempting to collect power status during retirement can cause exception
1523773 - policy profile doesn't get selected in Policy Profiles when policy profile is clicked in one of timelines events
1523774 - Wrong project names on Ad Hoc matrics page cause to internal server error
1523777 - Access Control: No option to 'Delete selected Groups' when selecting multiple groups under Access Control EVM Groups
1523788 - Setting Start Page to Container/Explorer sets to URL to an invalid URL
1523851 - Azure Network Manager refreshes fail with 'undefined method `[]' for nil:NilClass' when executing parse_load_balancer_pool_members
1523855 - Prevent scaling down with scale provider
1524646 - Backport cloud_subnet API collections to CloudForms
1525092 - long loading times of the self service portal dialogs
1525551 - Provision Error "A specified parameter was not correct: spec. nicSettingMap.adapter.ip" under VMware after VM cloning from template.
1525563 - Drift analysis table shows double icons
1525583 - No event in timeline for the web console activity in RHV41
1526040 - Tagged Datastores in chargeback storage don't work
1526473 - Large MiqServer process leads to large generic workers that get killed
1527676 - SSUI: Error while adding to shopping cart: `Must specify a service_template_href for adding a service_request`
1530653 - Unable to set control policies for Kubernetes Events from OpenShift
1530708 - No ESX 6.5 platform filter
1530717 - Empty page on Cloud Volume page
1531146 - configuration options are not correctly being logged into last_boot.log and the evm.log
1531147 - Can't register RHSM or apply cfme updates through webui on IPV6 only appliance
1531156 - [RFE] VCloud provider log and debug option in adv config
1531161 - [Regression] Quota check for users errors out with "no implicit conversion of nil into String"  for service provisioning
1531177 - Got unexpected API result object Array
1531178 - Duplicate field called Type in Expression Field
1531256 - When provisioning an Azure instance and selecting NONE for the Public IP Address option a public IP is still assigned.
1531261 - Could not determine root drive letter on Azure Windows 2016 Datacenter VM
1531262 - Can not delete schedules from schedules details page
1531274 - UI of Adding a new group page is different in en_US vs non en_US language
1531554 - [Regression] C&U data can't be fetched for cloud providers
1531615 - C&U Host Graph: Drilling graph for VM with Group by some tag gives unexpected error.
1531618 - C&U Availability Zone Graph: Drilling graph for Instances with Group by some tag gives unexpected error.
1531619 - C&U Cluster Graph: Drilling graph for VM/ Host with Group by some tag gives unexpected error.
1532328 - Authentication issue for api/automation_requests call to Master in multi-region setup
1532854 - Smartstate request taking too long is killed because Worker Monitoring Code incorrectly thinks the busy Smartproxy Worker is not responding
1532857 - custom reports not visible to group/role that could see them prior to recent upgrade
1533167 - Unexpected error encountered while accessing policy event timeline in availability zones
1533169 - WebMKS Console: Toggle Full Screen button does not work on Internet Explorer 11
1533171 - [Regression] HTML5 Console: Toggle Full Screen button does not work on Internet Explorer 11
1534584 - Cloudforms: Event VMDestroy_Task does not exists under event list
1534589 - Quota fails when an active Service request contains an Invalid service_template.
1534591 - Cannot start worker service (evmserverd)
1534601 - [Regression] VM console button is wrongly disabled based on VMware Console Support Configuration from OPS UI
1536052 - Unable to browse VM Summary Screen with a NULL Custom Attribute name
1536672 - Memory Leak in MiqServer process
1537015 - [Embedded Ansible] - Credentials of SCM/Machine repository cannot be edited
1537145 - Edit tag page doesn't open for subnets and routers list opened from network details
1537284 - When provisioning VM in Azure, errors do not appear in UI for certain field
1538349 - [SCVMM] Destination placement_host_name not provided
1538350 - Tag: Restricted items can be selected in drop downs while creation/editing, which cause unexpected error
1538351 - Can't retire stack from details view
1539752 - [RFE] Naming Runs Before Parsed Dialog: Dialog Options missing via prov.get_tags or prov.get_option
1540699 - Selecting filter with "expression Service: Aggregate All Vm Cpus" results in exception
1541072 - After Openstack 10 triggers an "unknown" state on instances, when it recovers Cloudforms duplicates vms instead of recovering them
1542170 - chargeback assignment reset to <Nothing> if another container provider is assigned a rate
1542240 - Change VMware console api detection from vCenter to ESXi Host
1542577 - VMs powered event on/off and vms powered off RSS links are broken
1542741 - Object store objects and containers are not synched to CFME UI and swift manager refresh ends with errors
1543121 - service dialogs api calls create and edit inconsistency - cfme version
1543150 - Smartstate Analysis greyed out on workers not in a provider zone (webui zone)
1543172 - Quota - Active provisions calculations allow quota to be over allocated

6. Package List:

CloudForms Management Engine 5.8:




These packages are GPG signed by Red Hat for security.  Our key and
details on how to verify the signature are available from

7. References:

8. Contact:

The Red Hat security contact is <>. More contact
details at

Copyright 2018 Red Hat, Inc.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

Australian Computer Emergency Response Team
The University of Queensland
Qld 4072

Internet Email:
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.

