Important: CloudForms System Engine 1.1 update

Synopsis

Important: CloudForms System Engine 1.1 update

Type/Severity

Security Advisory: Important

Topic

Updated CloudForms System Engine packages that fix multiple security
issues, several bugs, and add enhancements are now available.

The Red Hat Security Response Team has rated this update as having
important security impact. Common Vulnerability Scoring System (CVSS) base
scores, which give detailed severity ratings, are available for each
vulnerability from the CVE links in the References section.

Description

Red Hat CloudForms is an on-premise hybrid cloud
Infrastructure-as-a-Service (IaaS) product that lets you create and manage
private and public clouds.

This update fixes bugs in and adds enhancements to the System Engine
packages, and upgrades the system to CloudForms 1.1.

This update also fixes the following security issues:

It was discovered that Katello's proxies controller (proxies_controller.rb)
did not check the caller's permissions when handling certain requests. Any
authenticated remote user who knew a target system's UUID could use this
flaw to download that system's consumer certificate or change its settings,
regardless of whether the user was allowed access to that system.
(CVE-2012-5603)
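The pattern behind CVE-2012-5603 is an authorization gap, not a guessing problem: a consumer UUID is an identifier, and knowing one must not be enough to act on the system it names. The following is an added illustration, not Katello's code; the User/Consumer structures, the fixed UUIDs, and the organization-scoped lookup used as the authorization rule are all assumptions standing in for Katello's real permission model.

```ruby
# Added example, not Katello's code: the authorization gap behind
# CVE-2012-5603 in miniature. A consumer UUID is an identifier, not a
# credential; an endpoint that looks systems up by UUID alone lets any
# authenticated user read or modify any system whose UUID they learn.
User     = Struct.new(:name, :org)
Consumer = Struct.new(:uuid, :name, :org, :cert)

# Constructed sample data (fixed UUIDs so the behaviour is reproducible).
ACME_UUID   = "3f2a9b6e-1c4d-4e8f-9a0b-7c6d5e4f3a2b".freeze
GLOBEX_UUID = "a1b2c3d4-e5f6-4a7b-8c9d-0e1f2a3b4c5d".freeze
CONSUMERS = [
  Consumer.new(ACME_UUID,   "web01", "acme",   "-----BEGIN CERTIFICATE----- acme"),
  Consumer.new(GLOBEX_UUID, "db01",  "globex", "-----BEGIN CERTIFICATE----- globex"),
]

# Vulnerable pattern: the caller is authenticated but never authorized.
# Whoever supplies a valid UUID gets the certificate, or may rename the system.
def cert_unchecked(_current_user, uuid)
  consumer = CONSUMERS.find { |c| c.uuid == uuid }
  consumer && consumer.cert
end

def rename_unchecked(_current_user, uuid, new_name)
  consumer = CONSUMERS.find { |c| c.uuid == uuid }
  return false unless consumer
  consumer.name = new_name
  true
end

# Hardened pattern: every lookup is scoped to what the caller may see. Here
# the scope is the caller's organization (an assumed stand-in for the real
# permission check). A UUID from another org and an unknown UUID both yield
# nil, so the endpoint also stops confirming which foreign UUIDs exist.
def find_authorized(current_user, uuid)
  CONSUMERS.find { |c| c.org == current_user.org && c.uuid == uuid }
end

def cert_checked(current_user, uuid)
  consumer = find_authorized(current_user, uuid)
  consumer && consumer.cert
end

def rename_checked(current_user, uuid, new_name)
  consumer = find_authorized(current_user, uuid)
  return false unless consumer
  consumer.name = new_name
  true
end

if __FILE__ == $PROGRAM_NAME
  alice = User.new("alice", "acme")
  puts "unchecked: #{cert_unchecked(alice, GLOBEX_UUID).inspect}"  # leaks the globex cert
  puts "checked:   #{cert_checked(alice, GLOBEX_UUID).inspect}"    # nil
end
```

The important property of the hardened form is that the permission predicate is part of the lookup itself, so there is no code path that fetches a record by UUID first and decides afterwards whether to return it. Whatever the real scope is (organization, role, explicit grant), the failure response for "not permitted" should be indistinguishable from "does not exist".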

It was discovered that Pulp logged administrative passwords in plain text to
a world-readable log file (katello/production.log). A local attacker could
read the password from the log and use it to control systems deployed and
managed by CloudForms. (CVE-2012-3538)

It was discovered that the Pulp configuration file pulp.conf was installed
as world readable. A local attacker could use this flaw to view the
administrative password, allowing them to control systems deployed and
managed by CloudForms. (CVE-2012-4574)

It was discovered that grinder created its cache directory,
/var/lib/pulp/cache/grinder, world-writable. A local attacker could use this
flaw to read or tamper with files in the cache. (CVE-2012-5605)
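The three local issues above (CVE-2012-3538, CVE-2012-4574, CVE-2012-5605) reduce to two checks an administrator can run on a host after applying the update: are the named files and directories still reachable by "other", and does the request log still carry unfiltered password parameters. The following audit helper is an added example and is not part of the advisory, Pulp, Katello or grinder. The pulp.conf and grinder paths come from the advisory and its Bugzilla entries; the full log path, the Rails-style "Parameters:" line format and the "[FILTERED]" marker are assumptions, and the sample log is constructed.

```ruby
# Added audit helper; not part of the advisory or of Pulp, Katello or grinder.
# It checks the two conditions the advisory describes for local attackers:
# paths reachable by "other" (CVE-2012-4574, CVE-2012-5605), and request
# logs carrying an unfiltered password parameter (CVE-2012-3538).
require 'tmpdir'

WORLD_READ  = 0o004
WORLD_WRITE = 0o002

# Classifies the "other" permission bits of a path:
# :world_writable, :world_readable, :ok, or :missing when the path is absent.
# A world-writable directory is flagged even with the sticky bit set; the
# advisory's cache directory has no reason to be writable by others at all.
def other_perms(path)
  return :missing unless File.exist?(path)
  mode = File.stat(path).mode
  return :world_writable unless (mode & WORLD_WRITE).zero?
  return :world_readable unless (mode & WORLD_READ).zero?
  :ok
end

# Paths named in the advisory and its Bugzilla entries. The log path is an
# assumption; the advisory only names "katello/production.log".
SENSITIVE_PATHS = {
  "/etc/pulp/pulp.conf"             => "CVE-2012-4574",
  "/var/lib/pulp/cache/grinder"     => "CVE-2012-5605",
  "/var/log/katello/production.log" => "CVE-2012-3538",
}.freeze

# Returns path => [cve, result] for every path that is not :ok.
def audit_paths(paths = SENSITIVE_PATHS)
  paths.each_with_object({}) do |(path, cve), out|
    result = other_perms(path)
    out[path] = [cve, result] unless result == :ok
  end
end

# Rails logs request parameters as a Ruby hash literal; a server whose
# filter_parameters setting covers :password logs "password"=>"[FILTERED]"
# instead of the real value (assumed log format). Returns the 1-based line
# numbers of requests that leaked a password.
PASSWORD_PARAM = /"(?:password|passwd)"\s*=>\s*"(?!\[FILTERED\])[^"]*"/

def leaked_password_lines(log_text)
  log_text.each_line.with_index(1)
          .select { |line, _| PASSWORD_PARAM.match?(line) }
          .map { |_, n| n }
end

# Constructed sample log (not a real Katello log). Line 2 is filtered;
# line 4 is the pattern CVE-2012-3538 describes.
SAMPLE_LOG = <<~LOG
  Started POST "/katello/user_session" for 10.0.0.5 at 2012-11-20 10:12:01 +0000
    Parameters: {"username"=>"admin", "password"=>"[FILTERED]"}
  Started POST "/katello/api/users" for 10.0.0.5 at 2012-11-20 10:12:30 +0000
    Parameters: {"username"=>"jdoe", "password"=>"Hunter2!", "email"=>"jdoe@example.com"}
LOG

if __FILE__ == $PROGRAM_NAME
  # Demonstrate on a throwaway file so the script does not need a real Pulp host.
  Dir.mktmpdir do |dir|
    conf = File.join(dir, "pulp.conf")
    File.write(conf, "[server]\ndefault_password = admin\n")
    File.chmod(0o644, conf)
    puts "#{conf}: #{other_perms(conf)}"   # :world_readable
    File.chmod(0o640, conf)
    puts "#{conf}: #{other_perms(conf)}"   # :ok
  end
  puts "leaked password on log lines: #{leaked_password_lines(SAMPLE_LOG).inspect}"  # [4]
  audit_paths.each { |path, (cve, result)| puts "#{path}: #{result} (#{cve})" }
end
```

Run it as the unprivileged user you are worried about, not as root: the mode-bit check is the same either way, but reading the log as that user confirms whether the world-readable bit actually grants access in practice. A :missing result for the grinder directory on a freshly installed host only means it has not been created yet; re-run after the first sync.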

The CVE-2012-5603 issue was discovered by Lukas Zapletal of Red Hat;
CVE-2012-3538 was discovered by James Laska of Red Hat; CVE-2012-4574 was
discovered by Kurt Seifried of Red Hat; and CVE-2012-5605 was discovered by
James Labocki of Red Hat.

After upgrading to these new packages, follow the instructions in the "4.1.
Upgrading CloudForms System Engine" section of the CloudForms 1.1
Installation Guide:

https://access.redhat.com/knowledge/docs/en-US/CloudForms/1.1/html/Installation_Guide/index.html

To view the full list of changes in this update, view the CloudForms
Technical Notes:

https://access.redhat.com/knowledge/docs/en-US/CloudForms/1.1/html/Technical_Notes/index.html

Users are advised to upgrade to these updated CloudForms System Engine
packages, which resolve these issues and add these enhancements.

Solution

Before applying this update, make sure all previously-released errata
relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to
use the Red Hat Network to apply this update are available at
https://access.redhat.com/knowledge/articles/11258

Affected Products

  • Red Hat Enterprise Linux Server 5 x86_64
  • Red Hat Enterprise Linux Server 5 i386

Fixes

  • BZ - 746765 - Systems are locked out of katello and cannot re-register
  • BZ - 753128 - Sync status remains in "error syncing" state even after successful sync of repo.
  • BZ - 760180 - Notifications should note the appropriate Org for org-specific actions.
  • BZ - 766694 - UI should show virtual child pools as "children" of the parent.
  • BZ - 769559 - Subscribe system ignores "facts -> cpu.cpu_socket(s)"
  • BZ - 782954 - Unable to register systems with i18nized names
  • BZ - 786176 - (Some) duplicitous notifications produced in multiple langs when using other locales
  • BZ - 786226 - List of product repositories not sorted alphabetically
  • BZ - 787184 - Devise a disaster recovery plan (or process)
  • BZ - 787305 - Notices with details breaking the "Notice List" page
  • BZ - 789139 - Unmet dependencies for some packages
  • BZ - 789535 - Systems: Cannot add Package Groups
  • BZ - 790138 - Systems: hand-rolled systems cannot be initially created with a multibyte name.
  • BZ - 790342 - Error in async task is not returned
  • BZ - 796047 - SecurityViolation error while accessing gpg key details with read only user
  • BZ - 796972 - translatable strings broken up, causing translation to sound wrong
  • BZ - 797299 - Display which environment a system is subscribed to in its Details tab
  • BZ - 797321 - Gigantic footer
  • BZ - 797412 - katello permission not working as expected
  • BZ - 799538 - promotions -> errata -> packages filter causes page reload on click
  • BZ - 800529 - RFE: As a sysadmin I would like to manage a user's org from the CLI
  • BZ - 801454 - Out of place/non-contextual error messages in prod log when creating new orgs
  • BZ - 801580 - Updating sync plan does not update associated product's (repo's) sync schedule
  • BZ - 802925 - Tool tip in activation key Details screen has markup visible
  • BZ - 803548 - Async success notifications pop up from syncs in other orgs
  • BZ - 803702 - Synchronizing a repo with i18n characters in name fails for second time
  • BZ - 803728 - rpmdiff failure for build gofer-0.66-1.el6
  • BZ - 803761 - rpmdiff failure for build katello-selinux-0.1.8-1.el6
  • BZ - 804127 - [RFE] no logging property for Katello
  • BZ - 804555 - Orgs with international chars in name provide broken urls in redhat.repo
  • BZ - 804610 - Can't promote packages from repos with international chars in name
  • BZ - 804685 - System Details/Packages, unclear what Packages/PackageGroups radio button does
  • BZ - 805027 - Inaccurate system count
  • BZ - 805412 - improper message - dot "." in org name being created
  • BZ - 805627 - While create a new user, unable to select "Save User"
  • BZ - 805709 - Package filter name is unique to entire system
  • BZ - 805956 - SE doesn't provide a way how to refresh imported repositories
  • BZ - 806076 - Promotion - viewing system template doesn't show the repos in that template
  • BZ - 806078 - Changeset History - changing name of a set does not update left panel
  • BZ - 806083 - Users - Environments tab is missing the 'Remove User' link
  • BZ - 806353 - Sync Plans: Manually entering a time can cause time selector to get stuck on screen
  • BZ - 806879 - Apparent discrepancy between Dashboard > System Subscription Status and Systems > All for hypervisors
  • BZ - 806940 - RHEL 6.2 not completing sync
  • BZ - 806969 - sync_plan creation is setting time 1 hour behind the chosen time
  • BZ - 807288 - Selecting changeset from 'changeset history' tab raising "undefined method `find_repos' for #"
  • BZ - 807291 - Adding a "bonus pool" to an activation key, then removing parent pool, causes errors
  • BZ - 807468 - Only one manifest/product can be imported per system
  • BZ - 807804 - Hidden user can be added to a role.
  • BZ - 808172 - There should be some implementation of "katello --version"
  • BZ - 808437 - [RFE] Don't make notifications for CLI actions performed (and pop them up in UI)
  • BZ - 809259 - System not registering with activation key.
  • BZ - 810378 - RFE - Search needed on repository selection during promotion
  • BZ - 810945 - Unable to delete pools referenced by activation keys
  • BZ - 811556 - Displaced 'save' button while editing the changeset description under "changeset history" tab
  • BZ - 811564 - Switch default to false for "match system" when listing available subscriptions
  • BZ - 812417 - System Properties for registered system lists "Arch" as blank
  • BZ - 813675 - on "-v" rework seems `user list` lost the "Disabled" field
  • BZ - 815308 - package filter: search for package starting "^" - traceback
  • BZ - 815802 - Description on package filter does not save properly
  • BZ - 816935 - RFE: Provide possibility to encrypt/obfuscate plaintext passwords
  • BZ - 817123 - deleted system template not removed from activation key
  • BZ - 818204 - Sync silently "cancels" on some (very large?) repos
  • BZ - 818261 - candlepin-cert-consumer rpm not installable on RHEL5 - rpmlib(PayloadIsXz) <= 5.2-1 is needed
  • BZ - 818370 - Changeset Fails to Promote with Candlepin RPM
  • BZ - 819593 - RFE: Redirect /subscriptions/* to /katello/api/*
  • BZ - 819941 - missing dependencies in katello-common
  • BZ - 820373 - [RFE] Remove one of the two logout buttons in System Engine interface
  • BZ - 820385 - [RFE] Make pulp aware of local/remote syncs
  • BZ - 820624 - [RFE] Have PostgreSQL only listen on 127.0.0.1 instead of 127.0.0.1 and 0.0.0.0
  • BZ - 820626 - Hide password and email creation fields at user creation time if LDAP auth is enabled in CFSE
  • BZ - 820630 - String Updates
  • BZ - 821345 - Promotions changeset of system template does not solve dependency of product
  • BZ - 821644 - Create new CLI command admin crl_regen for recovery process
  • BZ - 821929 - Typo: You -> Your
  • BZ - 822119 - [cli] repo create without "http://" in url - python traceback
  • BZ - 822484 - [cli] sync_plan list traceback
  • BZ - 823688 - mouse cursor no longer turns to 'working' icon during ajax requests
  • BZ - 824069 - katello CLI 'product list' should show marketing and engineering product relationships
  • BZ - 824581 - GPG Key added to product/repo not added to existing instances which are subscribed to that product/repo
  • BZ - 826581 - Hovering mouse from one top-level nav item to the next does not update 2nd level nav
  • BZ - 827087 - Package sisu-cglib should not be built for RHEL6.x with a dependency on ant > 1.7.1
  • BZ - 827108 - CLI reads "activation key" instead of "gpg key" for update in help.
  • BZ - 828447 - CVE-2012-5605 Cloudforms grinder: /var/lib/pulp/cache/grinder directory is world-writeable.
  • BZ - 828533 - katello agent AMQP port does not match /etc/services
  • BZ - 829208 - Manifest import fail after creating a custom product
  • BZ - 829437 - Hitting enter with blank field for GPG name returns JSON content
  • BZ - 829794 - Trying to access many top-level menu items as a user w/ no rights throws ISEs rather than permission denied.
  • BZ - 830176 - New System tooltip not localized
  • BZ - 831664 - Repository sync failures not displaying detailed error in Notices
  • BZ - 834006 - Templates: Package Listing in "Eligible Content" (sometimes) hangs/never renders
  • BZ - 834013 - SAM is hiding the releaseVer variable from json causing subscription-manager-gui to disable the Release dropdown.
  • BZ - 834242 - After user creation, the user name is not appearing in left pane.
  • BZ - 834646 - IP Address for subscribed 6Server (6.3) system not displayed
  • BZ - 834697 - Error in sasl_client_start when installing packages to subscribed client via web ui
  • BZ - 835586 - UnicodeDecodeError: 'utf8' codec can't decode byte 0xe9 in position 270: invalid continuation byte
  • BZ - 835591 - activation-key --limit not working
  • BZ - 835875 - Runtime Error Could not execute JDBC batch update at org.postgresql.jdbc2.AbstractJdbc2Statement$BatchResultHandler.handleError:2,573
  • BZ - 836339 - Total count of users is incorrect when looking at one's user profile page
  • BZ - 836575 - 'ascii' codec error while assigning role to user
  • BZ - 837000 - [RFE] when updating sync plan by CLI, it resets the interval.
  • BZ - 839005 - remove the "force" checkbox from importing manifest
  • BZ - 840616 - katello-configure --help optparse.rb:395:in `+': can't convert nil into String (TypeError)
  • BZ - 840624 - Post creating new environment in headpin, webui returns row:NotFound error
  • BZ - 840625 - Post 'import manifest' subscriptions return row:NotFound
  • BZ - 841000 - Auto-complete field displaying json traceback if elasticsearch text is entered
  • BZ - 841289 - inconsistency on system info: Katello-Candlepin: unresponsive "Systems" page
  • BZ - 841300 - Zoom out on 2-Pane page causes rendering error
  • BZ - 841310 - /api/pools does not work with admin
  • BZ - 841686 - Selecting an organization from the Orgs selector shifts the org name to the left
  • BZ - 841691 - Systems page always shows lo interface IP on list
  • BZ - 841984 - Creating new user displays confusing/misleading notification
  • BZ - 841998 - Login: Attempting to login w/o selecting org throws error
  • BZ - 842003 - Content Search - Errata: Hitting submit on a blank search in the "Repos" div throws error
  • BZ - 842005 - Content Search - Products: Hitting "Add" makes button bounce to next line
  • BZ - 842010 - Content Search - Packages: Entering a string in Repos field and hitting enter returns error
  • BZ - 842252 - [Content Search] When all packages/errata loaded, the link to 'show 25 more' should be removed/disabled from UI
  • BZ - 842256 - [Content Search] The 'Show' drop down shows 'errata' as default selection even if user click on packages link to list
  • BZ - 842271 - CLI: list the "bugfix" errata for system group shows empty result
  • BZ - 842569 - UI - "Symbol as array index (TypeError)" Error when clicking on errata install result status "Install Finished" link for system groups.
  • BZ - 842838 - Content Search: Compare - No way to remove packages/repos from compare, after adding them.
  • BZ - 842858 - lock icon missing for promotions in review state
  • BZ - 843059 - Content Search - Packages: Auto Complete widget should provide only refined content depending on Repos
  • BZ - 843061 - Creating repo no longer works when Product name has multibyte text
  • BZ - 843064 - Content Search - Products: Not required unless searching for Products itself, it's misleading when searching for Repos, Packages and Errata
  • BZ - 843161 - Content Search: Compare - need tooltips or other methods to extend long lines in fields.
  • BZ - 843165 - Content Search: Compare - Repo compare UI inexplicably expands to all/multiple environments upon return from Compare
  • BZ - 843462 - system unregister should remove itself from the associated system groups too
  • BZ - 843529 - UI - Error is displayed when clicking on system group event when system is missing.
  • BZ - 843845 - Katello Webui dashboard does not render the pie chart (graph) in the appropriate location
  • BZ - 844414 - Interstitial org selector leaves user with no permissions with no options
  • BZ - 844417 - User roles selector missing Plus/Minus signs
  • BZ - 844678 - "Multi-entitlement not supported for pool with id" with activation key and custom product
  • BZ - 844796 - async import manifest import progress causing errors
  • BZ - 844806 - katello incorrectly prevents products with the same name in an organization
  • BZ - 845060 - UI - Errata search by empty type in content search loads endless.
  • BZ - 845096 - Some types of notifications don't go away on their own
  • BZ - 845198 - Locale cannot be switched
  • BZ - 845224 - Pulp can't connect to qpid on RHEL 6.2
  • BZ - 845576 - Subscription quantity button does not align with text
  • BZ - 845580 - Subscription quantity button does not have caption
  • BZ - 845613 - System status discrepancy between Systems list and selected system panel
  • BZ - 845668 - Spinner never stops after adding system to system group on FF3.6
  • BZ - 845995 - CLI: wrong error when activation key name or system group name is wrong.
  • BZ - 846251 - CLI: message issue when creating system group with existing name.
  • BZ - 846482 - Bunch of icons showing up in duplicate alongside changetset history details
  • BZ - 846719 - "Disclaimer" and "Terms of Use" links go nowhere
  • BZ - 847002 - Web pages fail to render all elements and colors correctly in IE8 and IE9
  • BZ - 847115 - Extend scroll bug on content tab, with > 50 subscriptions only the first 50 will populate.
  • BZ - 847858 - Blind Rescue causes Activation Key Pools to be Removed when an Exception is thrown
  • BZ - 848038 - Locale files for CLI are not installed
  • BZ - 849224 - The thin server on sam installations will listen on all ip addresses, should listen on localhost only.
  • BZ - 850342 - As a user I would like the organization selector at login to provide feedback once I have selected the org I wish to login to.
  • BZ - 850790 - Content promotion from CLI no longer works
  • BZ - 851080 - CLI: product promote shows strange error
  • BZ - 851142 - CLI: changeset update shows strange error
  • BZ - 851512 - Selinux issue on /etc/candlepin/certs/* files preventing httpd to start
  • BZ - 852006 - 'Type' field shouldn't be empty under 'changeset list' command and should show the changeset type e.g. (deletion/promotion)
  • BZ - 852119 - Setting initial environment on org create no longer works
  • BZ - 852167 - Alignment off in content search result tree
  • BZ - 852199 - CVE-2012-3538 pulp: admin password logged in plaintext in world-readable katello/production.log
  • BZ - 852316 - CLI: wrong query error is shown for "system tasks" command
  • BZ - 852388 - [apidoc] No documentation for "remote" actions in katello/apidoc/
  • BZ - 852791 - Button without label in Content search
  • BZ - 852804 - Content search does not show results due to a JS error
  • BZ - 853056 - Cli command "system register" without an environment returns "not found"
  • BZ - 853229 - Regression in error notification when sync plan time is left blank
  • BZ - 853356 - Syncronization raises an exception when package have a different name structure
  • BZ - 853445 - trace-back upon adding ERRATA to deletion changeset
  • BZ - 853995 - Error is incorrect for non-existing systems
  • BZ - 854697 - After manifest upload fails with bad repo url, manifest can no longer be uploaded at all, even after url is fixed
  • BZ - 855184 - Using --add_package gives undefined method `empty?' for nil:NilClass error
  • BZ - 855267 - [RFE] in "product" CLI commands add new option "product_id"
  • BZ - 855406 - rubygem-redcarpet should not be needed in runtime
  • BZ - 856220 - Katello installer fails because Tomcat 6 is not up during seed
  • BZ - 857078 - `yum update katello` fails: unpacking of archive failed on file /usr/share/katello/public/fonts: cpio: rename
  • BZ - 857230 - [Content Search] Mouse over errata item displays error message in the web ui
  • BZ - 857274 - Promotion stuck in "applying" status
  • BZ - 857499 - When logging in user which has no permissions, user is told to choose an org, but obviously cannot.
  • BZ - 857539 - Clicking the "contract" arrow in the org selector on the main UI does not contract the picker
  • BZ - 857550 - ReST calls appear to be failing on Environment specific requests with 'NoneType' object has no attribute '__getitem__'
  • BZ - 857574 - German locale seems to have been switched to Russian in the web interface and another language for the cli
  • BZ - 857720 - Javascript error if selecting Org in Providers page
  • BZ - 857727 - Uploading GPG key on multiple Orgs leaves web ui in bad state
  • BZ - 857842 - CLI: "/usr/share/katello/script/katello-debug --notar" does not generate packages dir
  • BZ - 858011 - CFSE tracker bug for object-labeling
  • BZ - 858013 - katello-configure config option for KATELLO_JOB_WORKERS
  • BZ - 858038 - Installer sets 2 thin processes no matter what
  • BZ - 858193 - After uploading manifest, javascript error: TypeError: P.data("jsp") is undefined
  • BZ - 858277 - Installer (tomcat6) fails due to bad dependency
  • BZ - 858358 - [RFE] Hide password creation and Email fields at user creation time if LDAP auth is enabled in CFSE
  • BZ - 858360 - [RFE] katello-upgrade should take care of stopping and starting services
  • BZ - 858363 - katello-cli and katello-cli-headpin should now how to handle upgrading to prevent file conflicts over client.conf.
  • BZ - 858661 - impossible to remove not promoted repo: "Repository cannot be deleted since it has already been promoted."
  • BZ - 858678 - rhsm registering for duplicate name fails: ERROR: duplicate key value violates unique constraint "index_systems_on_name_and_environment_id"
  • BZ - 858682 - Cancelling a sync shows success in the dashboard
  • BZ - 858706 - Configuration breaks badly if certain AD variables are missing
  • BZ - 858960 - [ALL LANG][CFSE CLI] Run 'kateloo --help' with no en_US.UTF-8 locale produced traceback: 'ascii' codec can't encode characters in position.
  • BZ - 859329 - [CFSE GUI] Unexpected code is displayed in the error message when uploading an empty file or no gpg file to GPG Key.
  • BZ - 859407 - Puppet exec timeout not honored during configuration
  • BZ - 859415 - Simple org creation not usable
  • BZ - 859442 - System Panel - System Group dropdown menu does not contain system groups
  • BZ - 859604 - [CFSE GUI] Upexpected code is displayed in the 'undefined method...Click here for more details' message.
  • BZ - 859784 - [GFSE GUI] Unexpected code is displayed in the message when exporting a system template.
  • BZ - 859963 - Systems> $system > Content > Packages: Improperly encoded section header reads "&#9650"
  • BZ - 860251 - CloudForms System Engine not using branded Red Hat favicon
  • BZ - 860421 - subscription-manager refresh throws LdapFluff::FreeIPA::MemberService::UIDNotFoundException
  • BZ - 860702 - Only systems belonging to Organization's groups will be shown on Systems page, if at least one system group is defined.
  • BZ - 860709 - After upgrading CFSE Pulp is not working correctly
  • BZ - 862441 - Answering 'N' to stopping services question during upgrade needs to provide correct information
  • BZ - 862997 - navigate "content search --> Repository comparison", spinner doesn't stop when user click 'show 25 more'
  • BZ - 863187 - failed to sync: ('Package [%s] does not exist', u'b017e5e0-6d3e-4a9b-b3bb-53f55fc3e209')
  • BZ - 863252 - katello-selinux-enable throws error
  • BZ - 864216 - IE8 IE9 Content Search Rows - no Arrow and no expansion (basically unusable)
  • BZ - 864372 - CLI - some keys does not work in "shell"
  • BZ - 864936 - Product labels are not currently required to be unique.
  • BZ - 864999 - pulp doesnt handle errata spanning across multiple repos case
  • BZ - 865528 - Incorrect credentials shows strange bug "string indices must be integers"
  • BZ - 865811 - Pulp timeouts under load
  • BZ - 869575 - changeset update --add_product: "More than 1 product found with the name or label provided ..." - but actually not
  • BZ - 871086 - template export fails: "error: string indices must be integers, not str"
  • BZ - 872096 - Configuration files after upgrade are not deployed
  • BZ - 872305 - When importing manifest, Katello doesn't scope the client certificate to access CDN by owner
  • BZ - 872487 - CVE-2012-4574 pulp /etc/pulp/pulp.conf world readable, contains default admin password
  • BZ - 873850 - Cannot create a custom product without explicitly setting a label
  • BZ - 874160 - [upgrade] 1.0 to 1.1 upgrades brings UI error on Organizations edit page
  • BZ - 874185 - After 1.0 to 1.1 upgrade, seeing duplicated repositories in UI
  • BZ - 874768 - [1.0.1 to 1.1 UPGRADE] Katello database failed
  • BZ - 882129 - CVE-2012-5603 CloudForms Katello: lack of authorization in proxies_controller.rb
  • BZ - 882138 - CVE-2012-5605 CloudForms grinder: /var/lib/pulp/cache/grinder directory is world-writeable

CVEs

  • CVE-2012-3538
  • CVE-2012-4574
  • CVE-2012-5603
  • CVE-2012-5605

References