ESB-2018.3870 - [RedHat] CloudForms 4.6.6: Multiple vulnerabilities 2018-12-14

Printable version
PGP/GPG verifiable version

Hash: SHA256

             AUSCERT External Security Bulletin Redistribution

   Important: CloudForms 4.6.6 security, bug fix and enhancement update
                             14 December 2018


        AusCERT Security Bulletin Summary

Product:           CloudForms 4.6.6
Publisher:         Red Hat
Operating System:  Red Hat Enterprise Linux Server 7
Impact/Access:     Execute Arbitrary Code/Commands -- Existing Account
                   Increased Privileges            -- Existing Account
                   Access Privileged Data          -- Existing Account
                   Create Arbitrary Files          -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2018-10925 CVE-2018-10915 CVE-2018-1058

Reference:         ESB-2018.3518

Original Bulletin:

- --------------------------BEGIN INCLUDED TEXT--------------------

Hash: SHA256

                   Red Hat Security Advisory

Synopsis:          Important: CloudForms 4.6.6 security, bug fix and enhancement update
Advisory ID:       RHSA-2018:3816-01
Product:           Red Hat CloudForms
Advisory URL:
Issue date:        2018-12-13
Cross references:  RHSA-2018:3466
CVE Names:         CVE-2018-1053 CVE-2018-1058 CVE-2018-10915 

1. Summary:

An update is now available for CloudForms Management Engine 5.9.

Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

CloudForms Management Engine 5.9 - x86_64

3. Description:

Red Hat CloudForms Management Engine delivers the insight, control, and
automation needed to address the challenges of managing virtual
environments. CloudForms Management Engine is built on Ruby on Rails, a
model-view-controller (MVC) framework for web application development.
Action Pack implements the controller and the view components.

Security Fix(es):

* postgresql: Certain host connection parameters defeat client-side
security defenses (CVE-2018-10915)

* postgresql: Missing authorization and memory disclosure in INSERT ... ON
CONFLICT DO UPDATE statements (CVE-2018-10925)

* postgresql: pg_upgrade creates file of sensitive metadata under
prevailing umask (CVE-2018-1053)

* postgresql: Uncontrolled search path element in pg_dump and other client
applications (CVE-2018-1058)

For more details about the security issue(s), including the impact, a CVSS
score, and other related information, refer to the CVE page(s) listed in
the References section.

Red Hat would like to thank the PostgreSQL project for reporting
CVE-2018-10915, CVE-2018-10925 and CVE-2018-1053. Upstream acknowledges
Andrew Krasichkov as the original reporter of CVE-2018-10915; and Tom Lane
as the original reporter of CVE-2018-1053.

Additional Changes:

This update fixes various bugs and adds enhancements. Documentation for
these changes is available from the Release Notes document.

4. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

If the postgresql service is running, it will be automatically restarted
after installing this update. After installing the updated packages, the
httpd daemon will be restarted automatically.

5. Bugs fixed (

1539619 - CVE-2018-1053 postgresql: pg_upgrade creates file of sensitive metadata under prevailing umask
1547044 - CVE-2018-1058 postgresql: Uncontrolled search path element in pg_dump and other client applications
1609891 - CVE-2018-10915 postgresql: Certain host connection parameters defeat client-side security defenses
1610547 - [v2v] [RFE] Migrating VM with multiple DPG's fail to get assigned with correct NICs on RHV
1612619 - CVE-2018-10925 postgresql: Missing authorization and memory disclosure in INSERT ... ON CONFLICT DO UPDATE statements
1618836 - Changing action order in catalog bundle removes resource
1623562 - [RFE] Don't show allocated IPs in dropdown while assigning floating IPs via CloudForms
1634809 - Button enablement and visibility by tag not working for buttons on Ansible services
1635034 - In the self service portal, reconfigure service shows "No Provisioning Dialog Available"
1635255 - Reports do not run when submitted through a UI which does not have reporting role on.
1635759 - Buttons not sorted in button group on Ansible Service
1635788 - Reverting snapshot fails for OpenStack instances
1638501 - Cannot login with an uppercase letter in username
1639351 - WebSocket push notifications no longer work in SUI
1639353 - [URI::InvalidComponentError]: bad component(expected host component):   Method:[block in method_missing]
1639364 - Cannot change appliance name
1640194 - Service Dialogs are slow
1640258 - Update miqssh utilities.
1640629 - Variables field in provisioning a new service catalog item (Ansible playbook) changes when typing information into it
1640631 - User ID for Service Retirement Task Changes During Retires When First Retirement Fails
1641771 - Copying a custom report from a custom report menu changes source report name
1643042 - [RFE][Providers][RHOS] - Some flavors not visible in Instance Type dropdown when creating instance
1643261 - Unable to retire service via Global region
1643263 - Custom button[Template/Image]: after dialog execution not return to Detail page
1643539 - Validation failed: Description is not unique within region 1  Method:[block in method_missing]
1643959 - Custom Operator Role Can Edit Tags from Datastore Tab but not Through Provider > Datastore
1644410 - syncrou.manageiq-automate : Initialize the Workspace failed
1645198 - Unexpected error encountered when trying to cancel SSA scan task
1645204 - Custom Button: Navigation with relationship table breaks button display on destination.
1646435 - Prevent Service Ordering directly from REST-API
1646561 - The Server Name and Zone Name in the configuration page is blank upon visiting.
1646564 - Bad UI after adding a schedule for report
1646571 - Embedded Ansible: Wrong message in Notifications
1646599 - need to choose date two times in timepicker to take effect
1646604 - Button to start an ansible playbook does not work under self service portal
1646605 - Custom buttons that utilize dialogs with dynamic elements not do not populate from service UI
1646606 - Getting CORS error while creating quotas via javascript
1646613 - Extra buttons on Container Provider page
1646629 - Embedded Ansible needs a retry interval. We are currently setting limit and not interval.
1646646 - Azure refresh fails with [NoMethodError]: undefined method `sku'
1647056 - Memory peak usage of allocated for collected intervals (30 day average) field does not generate within report
1647108 - Infrastructure mapping not available shown incorrectly on Migration Plan
1647188 - unable to edit tags on an infrastructure host
1647489 - [Containers] Cannot Validate Metrics Endpoint for OCP Provider
1648674 - Unable to update Cloud Volume using CFME 5.9 with OSP 14
1648948 - Tags responding to `show` with true and having no classification produce 500-level errors for URL of `/api/tags?expand=resources&attributes=category,categorization`
1648955 - No registered resource provider found for location 'germanycentral' and API version '2014-04-01' for type 'virtualMachines'
1648991 - [RFE] Setting Retirement for a Service in Global Region Does Not get Replicated to Local Region
1649033 - Roles with SUI privileges can't access Services, Orders in SUI in empty appliance
1649380 - Dynamic Dropdown Multiselect: Default element is blank when loaded by another element
1649419 - SUI permissions not showing catalogs and not hiding snapshots menu
1650691 - Setting retirement date for Service via Centralized Administration raises InterRegionApiMethodRelayError
1651291 - [Regression] Static Dialogs are not Populated when Submitting API Requests for Service Catalog
1651347 - Amazon API filter limit breaks targeted refresh for more than 200 items
1651391 - Orchestration catalog items cannot be submitted because of tenant error
1653417 - CFME should not assign flavor id in OSP provider.
1653710 - Internet Explorer (IE) not able to login to CloudForms
1654436 - Remove_from_disk method is leaving VMs in an Orphaned State for VMware Provider
1654463 - Memory utilization by node is incorrect in Provider Overview page
1655081 - Catalog bundle resources not retiring
1655143 - cfme upgrade 5.8 --> 5.9 not working as it requires rh-ruby23-ruby(release) < 2.3.7
1655773 - Service not showing VMs belong to
1656168 - ansible tower items are not listed when part of service bundles
1656169 - retirement of the parent service does not retire child catalog items

6. Package List:

CloudForms Management Engine 5.9:



These packages are GPG signed by Red Hat for security.  Our key and
details on how to verify the signature are available from

7. References:

8. Contact:

The Red Hat security contact is <>. More contact
details at

Copyright 2018 Red Hat, Inc.
Version: GnuPG v1


- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

Australian Computer Emergency Response Team
The University of Queensland
Qld 4072

Internet Email:
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.


« Back to bulletins