ESB-2018.1855 - [RedHat] Red Hat CloudForms: Multiple vulnerabilities 2018-06-26


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2018.1855
       Red Hat CloudForms security, bug fix, and enhancement update
                               26 June 2018

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:          Red Hat CloudForms
Publisher:        Red Hat
Operating System: Red Hat
Impact/Access:    Execute Arbitrary Code/Commands -- Remote/Unauthenticated
                  Root Compromise                 -- Existing Account      
Resolution:       Patch/Upgrade
CVE Names:        CVE-2018-7750 CVE-2018-1104 CVE-2018-1101

Reference:        ESB-2018.0862
                  ESB-2018.0801

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: Red Hat CloudForms security, bug fix, and enhancement update
Advisory ID:       RHSA-2018:1972-01
Product:           Red Hat CloudForms
Advisory URL:      https://access.redhat.com/errata/RHSA-2018:1972
Issue date:        2018-06-25
Cross references:  RHBA-2018:1109
CVE Names:         CVE-2018-1101 CVE-2018-1104 CVE-2018-7750 
=====================================================================

1. Summary:

An update is now available for CloudForms Management Engine 5.8.

Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

CloudForms Management Engine 5.8 - noarch, x86_64

3. Description:

Red Hat CloudForms Management Engine delivers the insight, control, and
automation needed to address the challenges of managing virtual
environments. CloudForms Management Engine is built on Ruby on Rails, a
model-view-controller (MVC) framework for web application development.

Security Fix(es):

* python-paramiko: Authentication bypass in transport.py (CVE-2018-7750)

* ansible-tower: Privilege escalation flaw allows for organization admins
to obtain system privileges (CVE-2018-1101)

* ansible-tower: Remote code execution by users with access to define
variables in job templates (CVE-2018-1104)

For more details about the security issue(s), including the impact, a CVSS
score, and other related information, refer to the CVE page(s) listed in
the References section.

Red Hat would like to thank Simon Vikström for reporting CVE-2018-1104. The
CVE-2018-1101 issue was discovered by Graham Mainwaring (Red Hat).

4. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1489507 - Simultaneous service catalog request do not honour quotas
1496902 - Can add ansible tower provider without validation
1500951 - Can't Save Role when Enabling All Product Features for Ansible folder of a CloudForms Role
1511030 - Updates to RHEV Host Causes Duplicate Names in CloudForms
1526156 - Can't configure Red Hat Dropbox for logs in a global region when a sub-region has one already configured
1531499 - Automation->Ansible is visible for multiple roles when it should not be
1532272 - Catalog dynamic element entry point selection is cached and does not allow selection
1533082 - Reset tag: Flash message duplication
1535369 - Cloud Subnet create form - 'Cloud Subnet details' title displayed twice, 'Placement' title (section) missing
1536684 - Tooltip on retire button blocks the click of options
1537132 - Miq Server leaks memory and we fail to detect and remediate it
1540579 - Deployment roles are missing on CFME 5.8.3.2 over RHOS 12
1541341 - Gettext strings should not contain interpolations
1541427 - Tag assignment: 'Reset' button doesn't work for vms, templates
1541700 - RHOS 12: Infra provider scale down is broken
1544488 - [UI][RHOS] - remove Edit and Delete actions when in the SDN list view
1549626 - webui updates failing when a proxy is required
1549723 - WebUI: Tool tip displays html code while setting the ownership for multiple vm's
1549833 - cpu_usagemhz_rate_average is 0 for RHV 4 VMs
1550116 - Subscription page fails when a remote database is down
1550276 - Getting Couldn't find MiqTask Errors in evm.log
1550715 - Stored C&U "CPU (Mhz)" values for RHV VMs are incorrect (too high) by a factor of two
1550729 - Replication configuration page does not open when child database is down
1550732 - [Ansible Embedded] - Embedded Ansible cannot be enabled on IPv6 only appliance
1550737 - unable to view quotas without manage quota permission being enabled in 5.8.2
1551627 - Automate code from git does not work for repositories without master
1551693 - internal server error ActiveRecord::AssociationTypeMismatch when editing current_group
1551697 - Colons are unhandled in BaseModel key generation in AzureArmrest
1551699 - Not possible to configure GCE provider for new regions (southamerica-east1) on CFME
1552135 - Openstack refresh fails if it finds non-public flavors
1552233 - [RFE] Ability to select OpenStack External external network during the instance provisioning
1552780 - Adding floating IP from OSP do not enforce tenancy limits
1552891 - Tagging: Edit tags page doesn't open for network list items navigated through parent details page
1552905 - The accordion folds after adding a schedule
1553225 - Set Ownership can not be changed back to default
1553249 - UI: Same icon used for multiple options on Cloud Tenants page
1553308 - Undefined method `vmm_version' for nil:NilClass on VM summary screen
1553331 - Using webmks console one cannot type correctly the password when it contains special characters
1553337 - Default view settings fails for service catalogs
1553364 - Add miqssh utilities
1553465 - Enhance credential missing msg/behavior for VMRC console access
1553473 - Region size of 10,000 Objects Supportable for VMware Provider
1554533 - Schedule report fails to send mail when report is not empty
1554543 - Long time to refresh network provider on OpenStack
1554900 - when deleting an archived node using configure > remove a unknown method error is raised
1555487 - Dynamic Dropdown Multiselect: By default selects an element
1556814 - symbol conversion error while detaching disks from an openstack instance
1557025 - [RFE] Amazon provider - Allow user to enable and disable instance_types
1557130 - CVE-2018-7750 python-paramiko: Authentication bypass in transport.py
1558032 - internal server error when accessing the "policy_events" attribute of the "vms" resource
1558039 - AWS flavor list is out of date
1558047 - OpenStack - Include Provider Error Message in MiqProvisionFailure
1558076 - Fix WebMKS/VNC console connectivity
1558595 - No event AWS_EC2_Instance_UPDATE when renaming a VM on EC2
1558622 - RedHat domain can be edited/deleted
1559551 - Regression Instance Method check_quota Throws Error 5.8.2 to 5.8.3 undefined method provisioned_storage
1559553 - Api::ServiceCatalogsController timeout error in multi-regional environment
1560097 - Error occurs when trying to edit a catalog item
1560099 - Outgoing SMTP E-mail Server settings not saved on first attempt
1560693 - Stop CF pestering OpenStack for Swift status when there is no Swift.
1561077 - Duplicate RBAC Role and Group names allowed when using different capitalization from the original name
1562773 - tenant source_id compromisation after changing provider credentials
1562775 - Approval permissions are not followed between different groups
1562798 - CFME - usage of non standard special characters (e.g. accents) in password causes user is not able to login
1563492 - CVE-2018-1101 ansible-tower: Privilege escalation flaw allows for organization admins to obtain system privileges
1563721 - Differencing Disk on Network Drive Fails Smartstate if initial disk on Local Drive.
1563741 - ReconfigVM Event triggers a refresh_sync Holding Automate Process in State Machine
1564264 - Openstack::NetworkManager Refresh failed [NoMethodError]: undefined method `[]='
1564454 - [Regression] Unexpected error while opening Cloud Intel Timelines
1565157 - Unable to see realtime data from OpenShift in CloudForms UI
1565162 - Ansible playbook credentials always show default value in SUI
1565169 - openstack provisioning instance fail on checkprovisioned
1565248 - Service Template Provision Task Failing When Picked Up by Appliance in Wrong Zone
1565342 - [Azure]Provision Multiple VMs with Public IP selection options
1565358 - [RHV] VM Reconfigure: Down VM Memory increase fail on cannot exceed maximum memory
1565362 - SSA fails if disk has empty partitions in the beginning
1565364 - Smartstate on Azure Managed Linux Instance returns Unable to mount filesystem.  Reason:[XFS::DirectoryDataHeader: Invalid Magic Number 0]
1565365 - Unable to perform SSA if Vm storage is fileshare on SCVMM and throws error in evm.log
1565366 - VMware Edit provider has Host Default VNC start and End Port options, but Add Provider does not
1565389 - Automate tree in the left pane has duplicates following any copy operation (instance, class, namespace)
1565403 - Creating buttons under the Datastore objects do not appear on Datastore Details Pages
1565414 - Total matches of Ems Cluster roles showing wrong count
1565678 - Container reports take too much time to generate
1565724 - vm reconfigure when quota enabled gets stuck in 'pending' state
1565760 - Automate: customize_request method in Redhat domain incorrect sets security_group value in options hash
1565835 - Role inconsistency with privileges when creating reports and setting chargeback filters
1565862 - CVE-2018-1104 ansible-tower: Remote code execution by users with access to define variables in job templates
1566256 - DRb 'close' error for closed connection
1566528 - Reporting worker exceeding threshold for default report tied to custom widget
1566746 - Dropdown to delete a "not responding" server is missing
1567983 - Middleware Provider Timelines Typo in Policy Events->Middleware Operation Description 'Tagret'
1568016 - notifications do not get cleared from the notification table
1568042 - CloudForms: Unable to perform "Exit Maintenance Mode" task of VMware host
1568045 - Control->Explorer is visible for evmgroup-security role
1568084 - Default Container Image Rate can be deleted
1568159 - User Interface does not come up after reboot
1568168 - Moving widgets to the bottom of a column fails
1568576 - Deployment template validation failed
1568603 - Git repo automate datastore refresh timing out upon credential change
1569079 - Getting Forbidden exception after ordering the service by non-admin user.
1569100 - Orphaned and Archived VMs displayed in running vms filter
1569104 - Online VMs (Powered On) report lists Orphaned and Archived VMs/Instances
1569118 - Apache Reloaded twice with logrotate
1569127 - We cannot backdate the schedule once you schedule it
1569171 - Help Documentation is only visible to users with super admin role
1569179 - ERROR : 404 when trying to set the retirement date of the service
1569230 - Missing Guest OS in dashboard reports in Openstack
1569237 - [UI] - ManageIQ string in PDF summary file for flavors
1569241 - Tagging: Edit tags page doesn't open for images opened from provider summary page
1570060 - [RFE] Metrics for memory usage of AWS instances is missing from C&U
1570951 - Service and VM retirement are non-deterministic, running parallel
1570990 - Service Catalog Item Subtype not rendered in UI
1571311 - Unable to select storage manager from drop down list through classic UI
1572621 - RHSM failing to register with proxy settings
1572719 - Provider Inventory worker vim.log fills up due to large log messages
1573540 - Dashboard widget is not providing exact content due to Type conversion Exception.
1574155 - Refresh Failing for VMware VIM object is too large
1574571 - OSPD 12 Undercloud - Infrastructure Provider refresh failed
1574615 - [RFE] make available tags defined on the azure side on azure objects to cloudforms for reports
1576101 - total costs no longer showing in any chargeback report if they are the only columns in the report
1578575 - RHOSP11 metric collection stuck with error: Fog::Metric::OpenStack::NotFound
1578853 - Compliance check is greyed out under VM summary screen when VM is selected but not when you click on the VM.
1578866 - Error upon successful SAML login when username contains capital letters
1581387 - Dynamic dropdown doesn't refresh correctly
1583711 - Unexpected Error when accessing SERVICE -> REQUESTS (undefined method find_tags_by_grouping)
1583790 - UI Worker Exceeding Memory Trying to View Hosts for VMware Provider
1584187 - CPU Utilization report graph shows dates on x axis in random order
1584688 - refresh_target_for_ems is not running in one of our environments
1589834 - [RFE][XS-2] Add possibility to unregister a VM in RHV provider

6. Package List:

CloudForms Management Engine 5.8:

Source:
ansible-2.4.4.0-1.el7ae.src.rpm
cfme-5.8.4.5-1.el7cf.src.rpm
cfme-appliance-5.8.4.5-1.el7cf.src.rpm
cfme-gemset-5.8.4.5-1.el7cf.src.rpm
python-paramiko-2.1.1-4.el7.src.rpm
rh-ruby23-rubygem-json-2.1.0-1.el7cf.src.rpm

noarch:
ansible-2.4.4.0-1.el7ae.noarch.rpm
python-paramiko-2.1.1-4.el7.noarch.rpm
python-paramiko-doc-2.1.1-4.el7.noarch.rpm

x86_64:
ansible-tower-server-3.1.7-1.el7at.x86_64.rpm
ansible-tower-setup-3.1.7-1.el7at.x86_64.rpm
cfme-5.8.4.5-1.el7cf.x86_64.rpm
cfme-appliance-5.8.4.5-1.el7cf.x86_64.rpm
cfme-appliance-debuginfo-5.8.4.5-1.el7cf.x86_64.rpm
cfme-debuginfo-5.8.4.5-1.el7cf.x86_64.rpm
cfme-gemset-5.8.4.5-1.el7cf.x86_64.rpm
rh-ruby23-rubygem-json-2.1.0-1.el7cf.x86_64.rpm
rh-ruby23-rubygem-json-debuginfo-2.1.0-1.el7cf.x86_64.rpm
rh-ruby23-rubygem-json-doc-2.1.0-1.el7cf.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/
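The package list above is the data an administrator needs to confirm that an appliance actually carries the fixed builds. The script below is an added example, not part of the advisory or of any Red Hat tooling: it ports rpm's rpmvercmp() version-ordering algorithm to Python and compares installed (epoch, version, release) triples against the fixed ones from section 6. It assumes the fixed packages have epoch 0 (the advisory lists no epoch) and that the inventory comes from `rpm -qa --qf '%{NAME} %{EPOCH} %{VERSION} %{RELEASE} %{ARCH}\n'`, which prints `(none)` for an unset epoch. The inventory embedded here is constructed for illustration, not real appliance data.

```python
import re
import string

ALNUM = set(string.ascii_letters + string.digits)

# Fixed package builds from RHSA-2018:1972, section 6 (Package List),
# as (epoch, version, release). The advisory lists no epoch, so 0 is assumed.
FIXED_PACKAGES = {
    "ansible": ("0", "2.4.4.0", "1.el7ae"),
    "ansible-tower-server": ("0", "3.1.7", "1.el7at"),
    "ansible-tower-setup": ("0", "3.1.7", "1.el7at"),
    "cfme": ("0", "5.8.4.5", "1.el7cf"),
    "cfme-appliance": ("0", "5.8.4.5", "1.el7cf"),
    "cfme-gemset": ("0", "5.8.4.5", "1.el7cf"),
    "python-paramiko": ("0", "2.1.1", "4.el7"),
    "rh-ruby23-rubygem-json": ("0", "2.1.0", "1.el7cf"),
}

# Constructed sample of `rpm -qa --qf '%{NAME} %{EPOCH} %{VERSION} %{RELEASE} %{ARCH}\n'`
# output from a hypothetical appliance; not real inventory data.
SAMPLE_INVENTORY = """\
cfme (none) 5.8.3.2 1.el7cf x86_64
python-paramiko (none) 2.1.1 4.el7 noarch
ansible-tower-server (none) 3.1.5 1.el7at x86_64
rh-ruby23-rubygem-json (none) 2.1.0 1.el7cf x86_64
bash (none) 4.2.46 30.el7 x86_64
"""


def rpmvercmp(a, b):
    """Port of rpm's rpmvercmp(): 1 if a is newer than b, -1 if older, 0 if equal."""
    if a == b:
        return 0
    i = j = 0
    while i < len(a) or j < len(b):
        # Skip separator characters (anything not alphanumeric, '~' or '^').
        while i < len(a) and a[i] not in ALNUM and a[i] not in "~^":
            i += 1
        while j < len(b) and b[j] not in ALNUM and b[j] not in "~^":
            j += 1
        ca = a[i] if i < len(a) else ""
        cb = b[j] if j < len(b) else ""
        # '~' sorts before everything, including end of string (1.0~rc1 < 1.0).
        if ca == "~" or cb == "~":
            if ca != "~":
                return 1
            if cb != "~":
                return -1
            i, j = i + 1, j + 1
            continue
        # '^' sorts after everything except end of string (1.0^post1 > 1.0).
        if ca == "^" or cb == "^":
            if ca == "":
                return -1
            if cb == "":
                return 1
            if ca != "^":
                return 1
            if cb != "^":
                return -1
            i, j = i + 1, j + 1
            continue
        if ca == "" or cb == "":
            break
        # Take a run of digits or of letters; the first string's next char picks the type.
        pattern = r"[0-9]+" if ca.isdigit() else r"[A-Za-z]+"
        seg_a = re.match(pattern, a[i:]).group()
        mb = re.match(pattern, b[j:])
        seg_b = mb.group() if mb else ""
        i += len(seg_a)
        j += len(seg_b)
        if seg_b == "":
            # Type mismatch: a numeric segment is newer than an alphabetic one.
            return 1 if ca.isdigit() else -1
        if ca.isdigit():
            seg_a, seg_b = seg_a.lstrip("0"), seg_b.lstrip("0")
            if len(seg_a) != len(seg_b):
                return 1 if len(seg_a) > len(seg_b) else -1
        if seg_a != seg_b:
            return 1 if seg_a > seg_b else -1
    if i >= len(a) and j >= len(b):
        return 0
    # Whichever side still has characters left is the newer one.
    return -1 if i >= len(a) else 1


def evr_compare(x, y):
    """Compare (epoch, version, release) triples the way rpm orders them."""
    if int(x[0]) != int(y[0]):
        return 1 if int(x[0]) > int(y[0]) else -1
    return rpmvercmp(x[1], y[1]) or rpmvercmp(x[2], y[2])


def audit(inventory_text, fixed=FIXED_PACKAGES):
    """Map each advisory package present in the inventory to 'fixed' or 'outdated'."""
    status = {}
    for line in inventory_text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] not in fixed:
            continue  # packages the advisory does not cover are ignored
        name, epoch, version, release = fields[:4]
        installed = ("0" if epoch == "(none)" else epoch, version, release)
        status[name] = "fixed" if evr_compare(installed, fixed[name]) >= 0 else "outdated"
    return status


if __name__ == "__main__":
    for name, state in sorted(audit(SAMPLE_INVENTORY).items()):
        print(f"{name}: {state}")
```

On a real appliance, pipe the `rpm -qa --qf` output named in the lead-in into `audit()` instead of `SAMPLE_INVENTORY`; an "outdated" entry means the installed build sorts below the advisory's fixed build, while packages absent from the inventory are simply not reported since the flaw cannot apply to them.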

7. References:

https://access.redhat.com/security/cve/CVE-2018-1101
https://access.redhat.com/security/cve/CVE-2018-1104
https://access.redhat.com/security/cve/CVE-2018-7750
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2018 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBWzGAmmaOgq3Tt24GAQjkdg/+MR8bOVh4QqK2QbgTUQgHNG1LOLJS9e7/
NvoY4pYjpxXPAeD7Vhwq8XIYBH24sKl7/lzlYNnqc6GfLZQISWAE5626Phebfygz
i0fNogm7Z1B1LHKO+xhqAgLQzXlghv3g+Dt6AJ/L5iThzj/WbJ+bBw3uxYWasKQ4
e064tnJOJaDgoPzY5ESbRYBo+1umWtDX79XpmWRcpBF6HRVhm4xAL1tvrOQUrIpE
aK7oP33qr4D+MKgfxwrHA+iiBjvXqg6GeQHlfhHbmjp5m2MZLLiNm+TUkyDX1WZb
O7iul4WgU3kAbITDxTDB3apdwaEIt1+ZX/GeqNXFkEw1a/2Af2XS04ZDK5xeRfCg
GNRm4+lgW1zoRD8TBjUHLuRO0NMme7NufiVAxcm5fEMw8zDZhFCtccEHMJR19CFN
0XJpycXvtSHYsPzxrB1C+FLs4CUpkAxW9IPKAfSXpTP9DJd371GCFtsnWoNiJph8
ngy31dn4Xe6fzKR+9v/uphA3OiIjZZBQ+NbQ2sMi9WQpHDuzBsvlZGmTxrKGkJVe
POrYqgTKttYVsK2/AHrp17bYWPiXaZgQ11sJiFxBYR5aUHKYtYRtZ+AowWxGCNps
HBitQfQ9Enn0qq0a8kDPm+CnbCun9QUK35OkdoN1DSQPJuby77RXmvT2NBGAsARS
700brSFjEBU=
=Fx9l
-----END PGP SIGNATURE-----
