ESB-2018.2037 - [RedHat] Red Hat CloudForms: Access confidential data - Existing account 2018-07-13


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2018.2037
              CloudForms 4.6.3 bug fix and enhancement update
                               13 July 2018

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Red Hat CloudForms
Publisher:         Red Hat
Operating System:  Red Hat
Impact/Access:     Access Confidential Data -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2018-10855  

Reference:         ESB-2018.1805

Original Bulletin: 
   https://access.redhat.com/errata/RHSA-2018:2184

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: CloudForms 4.6.3 bug fix and enhancement update
Advisory ID:       RHSA-2018:2184-01
Product:           Red Hat CloudForms
Advisory URL:      https://access.redhat.com/errata/RHSA-2018:2184
Issue date:        2018-07-12
Cross references:  RHSA-2018:1328
CVE Names:         CVE-2018-10855 
=====================================================================

1. Summary:

An update is now available for CloudForms Management Engine 5.9.

Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Relevant releases/architectures:

CloudForms Management Engine 5.9 - noarch, x86_64

3. Description:

Red Hat CloudForms Management Engine delivers the insight, control, and
automation needed to address the challenges of managing virtual
environments. CloudForms Management Engine is built on Ruby on Rails, a
model-view-controller (MVC) framework for web application development.
Action Pack implements the controller and the view components.

Security fix(es):

* ansible: Failed tasks do not honour no_log option allowing for secrets to
be disclosed in logs (CVE-2018-10855)

Red Hat would like to thank Tobias Henkel (BMW Car IT GmbH) for reporting
these issues.

For more details about the security issue(s), including the impact, a CVSS
score, and other related information, refer to the CVE page(s) listed in
the References section.

Additional Changes:

This update fixes various bugs and adds enhancements. Documentation for
these changes is available from the Release Notes document.

4. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1536677 - Simultaneous service catalog request do not honour quotas
1553227 - When editing ansible service catalog item the dialog radio button never appears
1553383 - [RFE] Switch default refresh to graph refresh for RHV provider
1553795 - [RFE] Move database maintenance to the application
1563745 - appliance console showing removed option db maintenance
1565845 - Service buttons do not attach $evm.root['service']
1565925 - The value that is selected in the drop down is not passed to the $evm.root
1566570 - If the external network provider is unavailable CFME network provider throws unfriendly exception
1569170 - Help Documentation is only visible to users with super admin role
1571303 - [Regression] Unexpected error while opening GCE details page
1572760 - OSPD 13 Undercloud - Infrastructure Provider Network Manager does not refreshed
1574154 - Refresh Failing for VMware VIM object is too large
1574569 - OSPD 12 Undercloud - Infrastructure Provider  refresh failed
1575713 - Unable to access the Help Documentation page due to "Authorization Error"
1576099 - total costs no longer showing in any chargeback report if they are the only columns in the report
1577247 - ansible-tower-setup installs several new non-Red Hat yum repositories
1578121 - [RHV] SSA is not retrieving file information from VM on RHV
1578124 - Incorrect storage type size in openstack cloud reports
1578125 - Cloud Volume creation error does not raise VM provision error
1578126 - VMDB backup is failing perhaps due to uninitialized constant MiqServer::WorkerManagement::Monitor::Dalli
1578388 - RHOSP11 metric collection stuck with error: Fog::Metric::OpenStack::NotFound
1578393 - Improving the error message of provisioning a VM via rest api with wrong vlan value
1578394 - openstack chargeback based on chargeback per vm does not show storage costs by storage types correctly
1578398 - Openshift container retirement
1578400 - Cannot create or edit report secondary (display) filter
1578856 - Compliance check is greyed out under VM summary screen when VM is selected but not when you click on the VM.
1578865 - Error upon successful SAML login when username contains capital letters
1578954 - Submit/Cancel buttons are not displayed on custom button dialogs for some service types
1578957 - Unable to restore database to any ha node in a cluster
1578964 - Create Volume failed: undefined method `my_zone'
1578972 - [QEDevCollab] C&U: discrepancy in rounding of data for Graphs and Table causing automation failures
1578976 - [Regression][Embedded Ansible] Ansible Catalog Item can be created without the Dialog
1578986 - "Choose" should be shown in 'tag control' dropdown default value , instead blank is shown.
1578990 - SUI does not show custom button dialog
1578996 - [RHV] When Graph refresh is ON, RHV provider refresh time is longer
1580520 - Adding interface to a router cause Unexpected error
1580535 - Refresh of a second dynamic dialog does not update the hash passed to $evm.object['values'] when another dialog is referenced
1581287 - [RHV] VM snapshot removal cause failure in RHV provider refresh
1581307 - When using dynamic multi select dialog elements the first element is always selected even if nil default is specified and it does not show up as selected in UI
1581386 - Dynamic dropdown doesn't refresh correctly
1583704 - default selection of dropdown list is not displayed properly but still taken into account
1583710 - Unexpected Error when accessing SERVICE -> REQUESTS (undefined method find_tags_by_grouping)
1583777 - VMware vCloud Provider's vApp Provisioning Reports Error When vApp Powered Off
1583779 - Tagging Ansible: Incorrect tag page opened for playbooks navigated through repository page
1583784 - xClarity: Wrong credentials and last refresh status when execute refresh cycle against a provider with invalid credentials
1583786 - chargeback reports based on vms with tags assigned show no records on generation
1583788 - UI Worker Exceeding Memory Trying to View Hosts for VMware Provider
1583851 - Ansible Job Times out at 300 seconds causing Automate State Machine to Fail
1584186 - CPU Utilization report graph shows dates on x axis in random order
1584296 - VMware vCloud Provider's Provisioning dialog should be split in three tabs
1584406 - prov.set_vlan() method didn't set the vnicprofiles  identifier
1584687 - refresh_target_for_ems is not running in one of our environments
1584699 - VMware vCloud Provider's VM should support hardware reconfigure
1585709 - Service dialog targeted element refresh is refreshing targeted items 22 times
1585745 - automation executed on field refresh are called twice in self service dialogs
1585821 - C&U data collection fails for GCE in 5.9
1586213 - Notification events are out of order
1588038 - RHV Snapshots: Reverting to "Active VM" throws "Cannot preview Active VM snapshot" in evm.log
1588042 - vm.hardware.nics[0].lan nil for RHV VMs
1588855 - CVE-2018-10855 ansible: Failed tasks do not honour no_log option allowing for secrets to be disclosed in logs
1589837 - unable to export all service dialogs
1590346 - 400 Bad Request: When custom button used from infra provider object type with method and dialog both attached
1590353 - dropdown changed from dynamic to static won't hold values
1590426 - [Embedded Ansible] Service Details Page has duplicate tabs
1590430 - [RFE] Create a built-in policy to prevent source VM from starting if transformation is complete.
1590846 - [RFE] create database.yml when creating a dedicated database to allow local migrations when upgrading
1591422 - Proxy Error when performing advanced search
1591423 - Physical Infrastructure Compliance Policies don't have default event
1591425 - reading a dialog element from another dialog dynamic element fails until refreshing the dynamic element that reads the other dialog element
1591427 - Slow performance with displaying catalog order dialog
1591429 - CloudForms not collecting node level data from OpenShift
1591450 - unable to migrate from 5.6 to 5.9 due to to a database validation error
1591484 - Reconfigure service fields empty after deploying service
1591939 - Saved Report "2018-04-09 11:18:31 +03" not found, Schedule may have failed
1592414 - Not able to reconfigure VM
1592504 - [Regression] GCE provider refresh fails in CFME 5.9
1592852 - Grey background of grid view is styled differently in 5.9.2
1592913 - Changing number of UI Workers errors when using French or Japanese localization
1592973 - Domain prefix always included for Service Catalog Entry Points
1593677 - Chargeback scheduled report for the current month shows double rates and values as compared to previous one
1593684 - RHV provider full refresh fail on "undefined method `keys' for "<some guid>":String
1593797 - Lifecycle VM Provision and Publish VM to Template Unusable/Slow
1594027 - reports do not generate with timeout errors in logs
1594268 - Drop Down Dialog Does Not Honor the Order of Values as they are Inputted
1594275 - Users can see items which they don't have permissions/access to under services they own
1594324 - Must Refresh UI to see Correct Tags of Datastore of vCenter VMware Provider
1594386 - Unable to download largest chargeback report on production
1594831 - The specify host values textbox is limited to 50 characters
1594833 - User defined custom attributes are deleted by RHV targeted refresh
1594839 - RHV provider target refresh fail on "undefined method `cluster'", right after VM removal
1595324 - Cloudforms Automation not executing properly when multiple pods are created or killed in a short timeframe.
1595418 - Provisioning embedded ansible service dialog fails
1595734 - Regression Unable to Edit order of Drop Down List Entries when Editing Service Dialog
1596248 - Creating OpenStack Router with user in a Tenant  should list shared external networks
1596249 - Normal user cannot select shared OpenStack network during VM provision
1596314 - Openstack Volume Snapshots are appearing when we try to provision a instance via Lifecycle.

6. Package List:

CloudForms Management Engine 5.9:

Source:
ansible-2.4.5.0-1.el7ae.src.rpm
ansible-tower-3.2.5-1.el7at.src.rpm
cfme-5.9.3.4-1.el7cf.src.rpm
cfme-amazon-smartstate-5.9.3.4-1.el7cf.src.rpm
cfme-appliance-5.9.3.4-1.el7cf.src.rpm
cfme-gemset-5.9.3.4-1.el7cf.src.rpm
httpd-configmap-generator-0.2.2-1.1.el7cf.src.rpm

noarch:
ansible-2.4.5.0-1.el7ae.noarch.rpm
ansible-doc-2.4.5.0-1.el7ae.noarch.rpm

x86_64:
ansible-tower-3.2.5-1.el7at.x86_64.rpm
ansible-tower-server-3.2.5-1.el7at.x86_64.rpm
ansible-tower-setup-3.2.5-1.el7at.x86_64.rpm
ansible-tower-ui-3.2.5-1.el7at.x86_64.rpm
ansible-tower-venv-ansible-3.2.5-1.el7at.x86_64.rpm
ansible-tower-venv-tower-3.2.5-1.el7at.x86_64.rpm
cfme-5.9.3.4-1.el7cf.x86_64.rpm
cfme-amazon-smartstate-5.9.3.4-1.el7cf.x86_64.rpm
cfme-appliance-5.9.3.4-1.el7cf.x86_64.rpm
cfme-appliance-common-5.9.3.4-1.el7cf.x86_64.rpm
cfme-appliance-debuginfo-5.9.3.4-1.el7cf.x86_64.rpm
cfme-appliance-tools-5.9.3.4-1.el7cf.x86_64.rpm
cfme-debuginfo-5.9.3.4-1.el7cf.x86_64.rpm
cfme-gemset-5.9.3.4-1.el7cf.x86_64.rpm
cfme-gemset-debuginfo-5.9.3.4-1.el7cf.x86_64.rpm
httpd-configmap-generator-0.2.2-1.1.el7cf.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/
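A check a defender can run against the Package List above, added here as an example and not part of the Red Hat or AusCERT bulletin: it compares `rpm -qa` style output with the fixed versions from section 6 using a simplified rpm version comparison and reports packages still older than the erratum. The `FIXED` table, the `rpmvercmp`/`parse_nvra`/`unpatched` helpers and the `SAMPLE` package lines are this example's own assumptions; the sample is constructed and not taken from any real appliance.

```python
import re

# Fixed versions from section 6 of RHSA-2018:2184 (a subset; extend as needed).
FIXED = {
    "ansible": ("2.4.5.0", "1.el7ae"),
    "ansible-tower": ("3.2.5", "1.el7at"),
    "cfme": ("5.9.3.4", "1.el7cf"),
    "cfme-gemset": ("5.9.3.4", "1.el7cf"),
}

def rpmvercmp(a, b):
    """Simplified rpmvercmp: digit runs compare numerically, letter runs
    lexically, a digit run outranks a letter run; no tilde/caret support."""
    sa = re.findall(r"\d+|[A-Za-z]+", a)
    sb = re.findall(r"\d+|[A-Za-z]+", b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            if int(x) != int(y):
                return 1 if int(x) > int(y) else -1
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1
        elif x != y:
            return 1 if x > y else -1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))

def parse_nvra(pkg):
    """Split 'name-version-release.arch' (as printed by rpm -qa) into parts."""
    pkg = re.sub(r"\.(noarch|x86_64|src)(\.rpm)?$", "", pkg)
    name, version, release = pkg.rsplit("-", 2)
    return name, version, release

def unpatched(installed):
    """Return installed packages listed in FIXED that are older than the fix;
    the release is compared only when the versions are equal, as rpm does."""
    out = []
    for pkg in installed:
        name, ver, rel = parse_nvra(pkg)
        if name in FIXED:
            fver, frel = FIXED[name]
            if (rpmvercmp(ver, fver) or rpmvercmp(rel, frel)) < 0:
                out.append(pkg)
    return out

# Constructed sample of `rpm -qa` output; not taken from any real appliance.
SAMPLE = [
    "cfme-5.9.2.4-1.el7cf.x86_64",
    "ansible-2.4.3.0-1.el7ae.noarch",
    "ansible-tower-3.2.5-1.el7at.x86_64",
    "cfme-gemset-5.9.3.4-1.el7cf.x86_64",
    "httpd-2.4.6-80.el7.x86_64",
]
```

On a real appliance, feed `unpatched()` the lines of `rpm -qa` instead of `SAMPLE`; packages not named in `FIXED` are ignored.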

7. References:

https://access.redhat.com/security/cve/CVE-2018-10855
https://access.redhat.com/security/updates/classification/#moderate

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2018 Red Hat, Inc.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
