ESB-2018.1400 - [RedHat] CloudForms Management Engine: Multiple vulnerabilities 2018-05-08


Hash: SHA256

             AUSCERT External Security Bulletin Redistribution

              CloudForms 4.6.2 bug fix and enhancement update
                                8 May 2018


        AusCERT Security Bulletin Summary

Product:           CloudForms Management Engine
Publisher:         Red Hat
Operating System:  Red Hat
Impact/Access:     Execute Arbitrary Code/Commands -- Remote/Unauthenticated
                   Root Compromise                 -- Existing Account      
Resolution:        Patch/Upgrade
CVE Names:         CVE-2018-7750 CVE-2018-1104 CVE-2018-1101

Original Bulletin:

- --------------------------BEGIN INCLUDED TEXT--------------------

Hash: SHA1

                   Red Hat Security Advisory

Synopsis:          Important: CloudForms 4.6.2 bug fix and enhancement update
Advisory ID:       RHSA-2018:1328-01
Product:           Red Hat CloudForms
Advisory URL:
Issue date:        2018-05-07
Cross references:  RHBA-2018:0556
CVE Names:         CVE-2018-1101 CVE-2018-1104 CVE-2018-7750 

1. Summary:

An update is now available for CloudForms Management Engine 5.9.

Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

CloudForms Management Engine 5.9 - noarch, x86_64

3. Description:

Red Hat CloudForms Management Engine delivers the insight, control, and
automation needed to address the challenges of managing virtual
environments. CloudForms Management Engine is built on Ruby on Rails, a
model-view-controller (MVC) framework for web application development.
Action Pack implements the controller and the view components.

Security Fix(es):

* python-paramiko: Authentication bypass in (CVE-2018-7750)

* ansible-tower: Privilege escalation flaw allows for organization admins
to obtain system privileges (CVE-2018-1101)

Red Hat would like to thank Graham Mainwaring of Red Hat for reporting

* ansible-tower: Remote code execution by users with access to define
variables in job templates (CVE-2018-1104)

Red Hat would like to thank Simon Vikström for reporting CVE-2018-1104.

For more details about the security issue(s), including the impact, a CVSS
score, and other related information, refer to the CVE page(s) listed in
the References section.

Additional Changes:

This update also fixes several bugs and adds various enhancements.
Documentation for these changes is available from the Release Notes
document linked to in the References section.

4. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

For details on how to apply this update, refer to:

5. Bugs fixed:

1495849 - [ALL_LANG] VM or Template comparison screen has untranslated entries.
1510499 - With RHV Graph refresh template numbers in Provider inventory does not get updated correctly.
1526086 - [ALL_LANG] Compute - Containers - Container Builds page has missing translations
1526088 - [ALL_LANG] Compute - Containers - Pods page has missing translations
1530680 - xClarity: EvmRole-operator unable to view physical server summary page
1530760 - [ALL_LANG] Control - Explorer - Policy Profiles - All Policy Profiles : 'Policy' is not localized
1533220 - [ALL_LANG] Control - Explorer - Actions - All Actions - Configure - Add a new Action : 'Action Type' drop-down menu has untranslated entries
1533233 - On Tag Assignment  page Category has other Tags than preconfigured for it
1533515 - [ALL_LANG] User Icon - Configuration - Access Control - Roles : Add new Role has untranslated entries
1538094 - [ALL_LANG] User Icon - Tasks : untranslated entry
1538100 - [ALL_LANG] User Icon - Configuration - Settings - CFME Region: Region xx[xx] has untranslated entry
1549625 - webui updates failing when a proxy is required
1549722 - WebUI: Tool tip displays html code while setting the ownership for multiple vm's
1550728 - Replication configuration page does not open when child database is down
1550730 - [Ansible Embedded] - Embedded Ansible cannot be enabled on IPv6 only appliance
1550736 - unable to view quotas without manage quota permissoin being enabled in 5.8.2
1551692 - internal server error ActiveRecord::AssociationTypeMismatch when editing current_group
1551696 - Colons are unhandled in BaseModel key generation in AzureArmrest
1551698 - Not possible to configure GCE provider for new regions (southamerica-east1) on CFME
1551703 - RHOS: Unable to delete cloud tenant
1552266 - Duplicated choice exist in new alerts view
1552269 - Network router type string contains ManageIQ path
1552278 - Authentication issue for checking status of Task API via EvmRole_administrator privileged User
1552282 - [RFE] Make Automation State Machine Log Lines Uniform
1552288 - [RFE] Metrics for memory usage of AWS instances is missing from C&U
1552290 - AWS Smartstate Does Not Fail Gracefully if AMI To run Analysis Agent is Unavailable
1552301 - Azure Template to service Dialog conversion issue
1552303 - [Azure]Provision Multiple VMs with Public IP selection options
1552305 - GCE Region is useless in GCE Provider
1552323 - xClarity:  server-host relationship to hosts managed by RHEV-M provider not created.
1552334 - Nuage provider name is always displayed as " Network Manager" on GUI
1552335 - EventCatcher is not restarted when Nuage provider is updated
1552671 - [RFE][XS-2] Add possibility to unregister a VM in RHV provider
1552673 - Cloudforms doesn't show IP of vms on vCloud provider
1552677 - VM does not have deletion event on its own timeline on vsphere55
1552704 - Default Docker Labels for Labeled Images in Chargeback Assignments
1552707 - Wrong error displayed when trying to add a group without a name
1552723 - Can't Manage Report Menu Accordions and Folders
1552735 - Filters not working properly in config mgmt configured systems
1552737 - UI: Broken bootstrapswitch design in custom button option of generic object
1552739 - [RFE] Expose Infra provider networks (RHOS) in host/node details
1552740 - [ALL_LANG] User Icon - Configuration - Settings - Schedules : Add a new Schedule page has untranslated entries
1552741 - Can't remove multiple instances or methods in UI.
1552743 - ui: Tabs switched When changing the System/Process type on add new button page
1552746 - typo in provider summary page: metrics type Hakular --> Hawkular
1552748 - [Embedded Ansible] Notification typo
1552753 - CFME Log lines in Diagnostics are divided into multiple lines
1552762 - Error when applying a filter in My Services from Adv search
1552763 - Remove Chargeback Rates field for Metering reports
1552776 - Auth MIQLDAP AD - miqldap_to_sssd conversion fails for ldap.
1552782 - Smartstate on Azure Managed Linux Instance returns Unable to mount filesystem.  Reason:[XFS::DirectoryDataHeader: Invalid Magic Number 0]
1552783 - Unable to add playbook repos after webui update
1552785 - Auth MIQLDAP AD - Users can't log in to console after miqldap_to_sssd conversion
1552790 - Validating credentials for replication throws error if pglogical schema not created
1552791 - miqldap_to_sssd help message is incorrect
1552792 - Auth External Auth SAML - Users with custom groups with special chars can't log in.
1552794 - A control alert for real time performance of a VM and Instance is not firing
1552796 - [RFE] Chargeback reports for OpenStack tenants
1552798 - [Providers] - Instances not linked after provider removal/addition
1552800 - Retirement requester is not passed down correctly to automate
1552801 - RBAC doesn't work for notifications
1552802 - No notification for failed registration
1552804 - configure_server_settings.rb changes numeric values to strings, causing failures when other code is expecting integers
1552809 - [RFE] Support RestAPI Primary Collection for Containers (object)
1552817 - SUI doesn't display costs for SCVMM services
1552824 - Can Add Duplicate Custom Attributes on OpenShift Provider Via the API
1552826 - internal server error when cloud_networks, cloud_subnets or security_groups subcolls requested on RHEVM
1552828 - internal server error when accessing attributes of the "picture" resource
1552838 - Targeted folder refresh doesn't work on VMware
1552842 - Customize vApp template prior provisioning (VMware vCloud Provider)
1552873 - RBAC Users can be removed from all associated groups after the webui shows the error "A User must be assigned to a Group"
1552879 - Tagging broken in Datastores and My Services page
1552880 - [RFE] There is no any indication in replication subscription screen for not accessible remote node
1552882 - The quad-icon tile for an OpenShift provider shows an exclamation mark, but a mouseover shows "Refresh Status: Success"
1552884 - Cursor on password field instead of username when we enter incorrect login details
1552886 - Unwanted comma in disk type string for Azure instances
1552889 - containers: identical volume name for different volumes in different pods is not useful for users (at least not admin)
1552890 - Tagging: Edit tags page doesn't open for network list items navigated through parent details page
1552895 - Error updating Nuage provider
1552900 - Title does not update when searching text in Datastores and other pages
1552903 - Automate tree in the left pane has duplicates following any copy operation (instance, class, namespace)
1552904 - The accordion folds after adding a schedule
1552908 - Add button is not responsive on Role add page
1553191 - Timelines: Throws an error while trying to access Cloud Intel/Timelines
1553197 - Configuration -> Red Hat Updates tab does not list all required repositories
1553214 - JavaScript-UI: Wrong behavior of `display on button` checkbox while editing custom group form
1553224 - Set Ownership can not be changed back to default
1553241 - Container add provider empty flash message when not catch UI exception
1553242 - Tag: All Catalog Items are listed in resource dropdown while creating Catalog Bundle using restricted user
1553243 - Save button isn't activated when date is removed in VM "Set/Remove retirement date"
1553244 - [QEDevCollab] Components in 'Add button group' form causing test automation failures
1553251 - Chargeback Rates page title incorrect after deleting rate
1553288 - Flash message icon is not correct Bottlenecks page
1553295 - Unable to perform SSA if Vm storage is fileshare on SCVMM and throws error in evm.log
1553304 - Evacuate Host failed
1553307 - Undefined method `vmm_version' for nil:NilClass on VM summary screen
1553309 - [RFE] Generic objects not displayed
1553311 - Wrong 'Fixed IPs' font size while adding a router with external gateway
1553315 - C & U Collection settings in configuration page improper styling
1553316 - On schedules pages is shown pagination from analysis profiles
1553317 - Broken footer in alerts
1553319 - [RFE][S-3] UI displays disabled domains for a instance's domain priority
1553322 - audit.log should not contain translated messages
1553323 - Adding Interface to Router with user in Tenant show all Subnets and not only the Tenant's Subnet
1553326 - Switch icon is missed on tag assignment page
1553327 - Stack Outputs icon is not displayed
1553329 - Using webmks console one cannot type correctly the password when it contains special characters
1553336 - Default view settings fails for service catalogs
1553340 - [CONDITION] When we leave description blank, there are two identical flash messages.
1553345 - Openstack infra provider dashboard should not appear for an openstack infra provider
1553362 - Add miqssh utilities
1553384 - [RHV] VM Reconfigure: Down VM Memory increase fail on cannot exceed maximum memory
1553389 - VMware vCloud Provider's VM is only partially stopped/suspended
1553392 - EvmRole-auditor can perform actions on VM
1553393 - [RFE] Add RBAC and Tagging Support to Ansible Credentials.
1553396 - [RFE] Add RBAC and Tagging Support to Ansible Repos
1553397 - Error while checking that migrations are up to date
1553399 - Normalize text for operational alerts
1553480 - SUI : Clicking any link on dashboard does not change the navigation in left side
1553482 - Kebab menu appearing differently on service page and resource detail pages
1553483 - Kebab menu changes structure after 30 seconds in SSUI resource detail page
1553768 - [RFE] Add RBAC and Tagging Support to Ansible Playbooks
1553776 - Role inconsistency with privileges when creating reports and setting chargeback filters
1553779 - Restricted user can see all group and users
1553780 - notifications do not get cleared from the notification table
1553789 - Unable to add tag for configuration provider from 'All Rad Hat Satellites Providers'
1553791 - xClarity: Physical server summary page download as PDF button not supported
1553836 - Visibility expression does not evaluated correctly on custom buttons for Generic Object
1553873 - Missing Datastore Images
1553903 - [Regression] Backup/restore failing on appliances using pglogical
1554358 - Graph refresh should not be used for rhv36 providers
1554370 - Wrong breadcrumb link on order screen
1554454 - Adding a physical provider shows as infrastructure provider (text change)
1554532 - Schedule report fails to send mail when report is not empty
1554541 - Long time to refresh network provider on OpenStack
1554823 - Infinite spinner on Edit Playbook Reset button
1554825 - NTP server details doesn't show in UI after adding a new zone
1554832 - Automatic placement causes cloud tenant to not be selectable
1554839 - Policy simulation results are not displayed
1554889 - OpenStack Cinder Storage provider detail does not have link to Volume Backups
1554898 - when deleting an archived node using configure > remove a unknown method error is raised
1554901 - Missing Guest OS in dashboard reports in Openstack
1557130 - CVE-2018-7750 python-paramiko: Authentication bypass in
1557353 - Adding a network router via CloudForms the router is not seen by CloudForms
1557361 - [RFE][XS-2]Cloudforms does not show node hostname, only GUID for OpenStack Infrastructure Provider
1557367 - Request not required when adding Schedule
1557378 - [UI] There is no indication of cloud network delete operation
1557380 - Tagging: Edit tags page doesn't open for images opened from provider summary page
1557388 - Inconsistent capitalization of 'CPU' when creating chargeback rate
1557391 - Physical Infrastructure provider quadicons doesn't support single view
1557400 - Physical server quadicon switch under My Settings doesn't respect RBAC rules
1558030 - internal server error when accessing the "policy_events" attribute of the "vms" resource
1558038 - AWS flavor list is out of date
1558040 - Not able to scan instances in AWS
1558046 - OpenStack - Include Provider Error Message in MiqProvisionFailure
1558048 - Provision fails if no Subnet assigned not Cloud Network
1558078 - [RFE][M-5] Targeted Refresh for Azure Provider
1558092 - Dropdown to delete a "not responding" server is missing
1558142 - Network provider quadicons doesn't support single view
1558144 - UI inconsistency - Size Unit title missing when adding a new disk
1558544 - Creating buttons under the Datastore objects do not appear on Datastore Details Pages
1558594 - No event AWS_EC2_Instance_UPDATE  when renaming a VM on EC2
1558610 - Images from the webmks css causes CSP errors in browser console
1558621 - RedHat domain can be edited/deleted
1558626 - PG::InvalidTableDefinition: ERROR:  cannot alter inherited column "resource_type
1559475 - CUI returning empty array when dialog without associations is saved
1559479 - [RFE] Add RHV Credential to Ansible Automation Inside
1559483 - CUI doesn't check dialog field associations
1559543 - [RFE] Metering Reports should provide Hours of Existence & Start and end time of VMs, Projects and Images
1559544 - [RFE] Collect Container Project Quota Historical data in Project Roll-up
1559550 - Regression Instance Method check_quota Throws Error 5.8.2 to 5.8.3 undefined method provisioned_storage
1559552 - Api::ServiceCatalogsController timeout error in multi-regional environment
1559609 - Amazon agent deployment has to choose the VPC which has attached gateway configuration
1559624 - Graph refresh does not fetch custom attributes
1560004 - [RFE] SCVMM provider refresh error message issue if provider user doesn't have access to VMM service
1560096 - Error occurs when trying to edit a catalog item
1560098 - Outgoing SMTP E-mail Server settings not saved on first attempt
1560100 - Total matches of Ems Cluster roles showing wrong count
1560104 - Automate Schedule: "Starting time" field saves nonsense.
1560692 - Stop CF pestering OpenStack for Swift status when there is no Swift.
1560699 - Consolidated RefreshWorkers may cause job starvation
1560703 - Refresh is broken for ec2 when get_public_images is set to true
1560708 - My Company(All EVM Groups) filter missing from reports schedule
1561076 - Duplicate RBAC Role and Group names allowed when using different capitalization from the original name
1561079 - [Regression]Error with report policy event for the last 7 days
1561085 - [RFE] Azure Network router not displayed on CFMe
1561091 - List view displayed instead of grid on Manage Policies screen
1561096 - Default selected tag name / value mismatch when assigning tags
1561107 - ERROR -- : AnsibleTowerClient::Middleware::RaiseTowerError Response Body: {"detail"=>["'username' is not a valid field for Vault"]}
1561216 - Failure to refresh on OpenStack provider when Fog::Storage::OpenStack::File object has nil body attribute
1561218 - [RHV] PXE provision with Network "use template nics" fail on creating VM
1561222 - ping feature inconsistent with webui ping when database connectivity is lost
1562075 - Duplicate values are shown in dialog dropdown.
1562235 - Nics are Provisioned out of Order for VMware Service Provision
1562772 - tenant source_id compromisation after changing provider credentials
1562777 - Approval permissions are not followed between different groups
1562779 - Cannot create service template using the API
1562780 - [SCVMM]Extract Running Processes completed Task List does not inform about Warnings.
1562782 - A state machine's on_exit method runs before the main method if the main method is an embedded Ansible playbook
1562785 - Refresh failed after performing vm_reconfiguration_task
1562788 - [Regression] RHV provider discovery doesn't work
1562791 - Database Replication broken for current and new regions
1562797 - CFME - usage of non standard special characters (e.g. accents) in password causes user is not able to login
1562800 - Schedule Operation: Cannot create schedule, "Add" button is not active
1562803 - [RFE] CFME, add Ansible GIT repository custom SSH port option
1562811 - No Advanced Search in Volume Snapshots/Backups
1563268 - CloudForms appliance is ignoring azure proxy settings in advanced tab.
1563351 - Nuage provider is unable to refresh inventory when subnets are missing gateway address
1563358 - Nuage Networks provider does not handle empty AMQP details
1563359 - Nuage Provider doesn't capture Alarms
1563361 - Nuage provider's event catcher yields "Too many open files" after 9 hours
1563363 - VMware vCloud Provider's inventoring fails because of bug in Disk parsing
1563364 - Support console access for VMware vCloud Provider's VMs
1563492 - CVE-2018-1101 ansible-tower: Privilege escalation flaw allows for organization admins to obtain system privileges
1563731 - in the conditions screen you see "Container Node" on the left but "Node" on the right
1563740 - ReconfigVM Event triggers a refresh_sync Holding Automate Process in State Machine
1565139 - Some expression method definitions can fail with "<Script error>" in a dialog and a stack trace in evm.log
1565140 - Embedded Ansible job_status .out files are not processed by logrotate
1565142 - Nuage Provider uses qpid_proton gem version without heartbeating
1565147 - Unable to create Cloud Network due to  undefined method
1565148 - Service gets submitted even if dialog does not passes validation
1565151 - Regression Custom Button Dialog Not Displaying Submit or Cancel Button
1565156 - Unable to see realtime data from OpenShift in CloudForms UI
1565160 - Ansible playbook credentials always show default value in SUI
1565167 - openstack provisioning instance fail on checkprovisioned
1565232 - OpenStack with bad credentials shows timeout
1565677 - Container reports take too much time to generate
1565686 - VMware vCloud Provider credential validation fails
1565756 - Remove specific EVM server from zone
1565862 - CVE-2018-1104 ansible-tower: Remote code execution by users with access to define variables in job templates
1566255 - DRb 'close' error for closed connection
1566526 - Reporting worker exceeding threshold for default report tied to custom widget
1566529 - Smartstate Analysis Schedule Fails for OpenShift 3.7 Container Images
1566530 - Report for Storage Capacity Field Generating Error Cannot Convert Hash to Float
1566541 - [RFE] Target Refresh support for OpenStack Block Storage Manager
1566557 - [Regression] Infra provider discovery doesn't work
1566562 - RHSM failing to register with proxy settings
1566563 - Cloudforms present blank page for backup volumes
1566568 - Appliances Missing from Global Region are showing a Zone ID of a Local Region
1566572 - ERROR ASCII-8BIT to UTF-8","klass":"Encoding::UndefinedConversionError"}}
1566577 - [AZURE]Filter list of available Public IPs
1566658 - [PRD][RFE] Ansible Next Gen - Playbook Seeding
1567278 - xClarity: Error while execute the second refresh cycle
1567962 - VMware vCloud Provider's VMs cannot revert from snapshot
1568023 - [Embedded Ansible] Standard Output throws error if Hostname has Non-ASCII Characters
1568091 - Catalog Item with Tag Control element cannot be ordered
1568156 - Not able to import certain dialogs because of tag Id
1568158 - User Interface does not come up after reboot
1568162 - DRO Service mapping to DRO instance incorrect
1568467 - Cannot put special characters in proxy password in Advanced Config
1568473 - Saving a service dialog with a multi-select drop-down populated by expression method gives a 500 internal server error
1568550 - CFME: OpenSCAP evaluation report target machine does not show container image name
1568559 - Deployment template validation failed
1568602 - Git repo automate datastore refresh timing out upon credential change
1569099 - Orphaned and Archived VMs displayed in running vms filter
1569103 - Online VMs (Powered On) report lists Orphaned and Archived VMs/Instances
1569113 - Apache Reloaded twice with logrotate
1569177 - ERROR : 404 when trying to set the retirement date of the service
1569236 - [UI] - ManageIQ string in PDF summary file for flavors
1569472 - In dynamic dropdown list, the default value contains ALL the values of the list
1569551 - Auto-refresh values take forever to load values in dropdown
1570118 - CloudForms 4.6 - filtering based on tags does not work for catalog items
1570821 - Unable to run ansible playbook method via Simulate
1570950 - Service and VM retirement are non-deterministic, running parallel
1570989 - Service Catalog Item Subtype not rendered in UI
1571310 - Unable to select storage manager from drop down list through classic UI
1571976 - Dynamic check box does not update in Classic UI
1571989 - droplist with large amount of items do not display a search field
1572711 - Automate Methods from Dynamic Dialog are being Run More than Designed / Expected
1572716 - Delay in rendering service dialog
1572718 - Provider Inventory worker vim.log fills up due to large log messages
1573215 - OpenStack Block Storage Manager Cinder does not refreshed
1573246 - Workload category for Tag Control element does not work
1573254 - auto_refresh being used instead of dialog field responders on later versions
1573539 - Dashboard widget is not providing exact content due to Type conversion Exception.
1573990 - in certain situations the refresh methods are called on every single refresh

6. Package List:

CloudForms Management Engine 5.9:

These packages are GPG signed by Red Hat for security.  Our key and
details on how to verify the signature are available from

7. References:

8. Contact:

The Red Hat security contact is <>. More contact
details at

Copyright 2018 Red Hat, Inc.


- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

Australian Computer Emergency Response Team
The University of Queensland
Qld 4072

Internet Email:
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
