Moderate: cfme, cfme-appliance, and cfme-gemset security, bug fix, and enhancement update

Related Vulnerabilities: CVE-2017-2653

Synopsis

Moderate: cfme, cfme-appliance, and cfme-gemset security, bug fix, and enhancement update

Type/Severity

Security Advisory: Moderate

Topic

An update for cfme, cfme-appliance, and cfme-gemset is now available for CloudForms Management Engine 5.7.

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

Red Hat CloudForms Management Engine delivers the insight, control, and automation needed to address the challenges of managing virtual environments. CloudForms Management Engine is built on Ruby on Rails, a model-view-controller (MVC) framework for web application development. Action Pack implements the controller and the view components.

Security Fix(es):

  • A number of unused delete routes are present in CloudForms which can be accessed via GET requests instead of just POST requests. This could allow an attacker to bypass the protect_from_forgery XSRF protection, causing the routes to be invoked. This attack would require additional cross-site scripting or similar attacks in order to execute. (CVE-2017-2653)
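How the condition described above looks in a Rails routing table, and a check a defender can run over `rails routes` output to find it. This is an added example, not CloudForms code: the route names, paths and the `DESTRUCTIVE_ACTIONS` heuristic are constructed, and `verified_request?` is a plain-Ruby model of the decision Rails' `protect_from_forgery` makes (GET and HEAD requests are never checked for an authenticity token), not the framework's own implementation.

```ruby
# Added example, not CloudForms code. Audits a `rails routes` listing for
# state-changing actions reachable over GET, and models why that defeats
# protect_from_forgery: Rails only verifies the authenticity token on
# non-GET/HEAD requests, so a GET-mapped delete runs with no token at all.

Route = Struct.new(:verb, :path, :controller, :action)

# Constructed sample in the column layout printed by `rails routes`
# (Prefix, Verb, URI Pattern, Controller#Action; the prefix may be blank).
SAMPLE_ROUTES = <<~ROUTES
          Prefix Verb   URI Pattern                        Controller#Action
             vms GET    /vms(.:format)                     vms#index
                 POST   /vms(.:format)                     vms#create
              vm DELETE /vms/:id(.:format)                 vms#destroy
   old_vm_delete GET    /vm_infra/delete(.:format)         vm_infra#delete
       sg_remove GET    /security_group/remove(.:format)   security_group#remove
  sg_remove_post POST   /security_group/remove(.:format)   security_group#remove
ROUTES

# Constructed heuristic: action names that usually mutate or destroy state.
DESTRUCTIVE_ACTIONS = /\A(delete|destroy|remove|purge|terminate)/

def parse_routes(text)
  text.lines.drop(1).filter_map do |line|
    fields = line.split
    # The last three columns are always Verb, URI Pattern, Controller#Action.
    verb, path, target = fields.last(3)
    next unless target&.include?("#")
    controller, action = target.split("#", 2)
    Route.new(verb, path, controller, action)
  end
end

# Routes that reach a destructive action over GET: the condition in CVE-2017-2653.
def get_reachable_destructive(routes)
  routes.select do |r|
    r.verb.split("|").include?("GET") && r.action.match?(DESTRUCTIVE_ACTIONS)
  end
end

# Remediation modeled here: strip GET/HEAD from every destructive action so it
# is only reachable over verbs that protect_from_forgery actually verifies.
def harden(routes)
  routes.filter_map do |r|
    next r unless r.action.match?(DESTRUCTIVE_ACTIONS)
    verbs = r.verb.split("|") - ["GET", "HEAD"]
    verbs.empty? ? nil : Route.new(verbs.join("|"), r.path, r.controller, r.action)
  end
end

# Model of the Rails decision: GET and HEAD are treated as safe and skip the
# token check; every other verb must carry the session's authenticity token.
def verified_request?(method, params, session_token)
  return true if method == "GET" || method == "HEAD"
  params["authenticity_token"] == session_token
end

# Tiny dispatcher over the parsed table; returns what would happen to the request.
def dispatch(routes, method, path, params, session_token)
  route = routes.find do |r|
    r.verb.split("|").include?(method) && r.path.sub("(.:format)", "") == path
  end
  return :not_found unless route
  return :forbidden unless verified_request?(method, params, session_token)
  :executed
end

if __FILE__ == $PROGRAM_NAME
  routes = parse_routes(SAMPLE_ROUTES)
  get_reachable_destructive(routes).each do |r|
    puts "GET-reachable destructive route: #{r.path} -> #{r.controller}##{r.action}"
  end
  puts dispatch(routes, "GET", "/vm_infra/delete", {}, "secret")         # :executed, no token needed
  puts dispatch(harden(routes), "GET", "/vm_infra/delete", {}, "secret") # :not_found
end
```

Running the audit against a real application's `rails routes` output lists every destructive action that is still reachable by a plain GET; the hardened table shows the intended end state, where the same action exists only under POST/DELETE and a request without the session's token is refused.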

Additional Changes:

This update also fixes several bugs and adds various enhancements. Documentation for these changes is available from the Technical Notes document linked to in the References section.

Solution

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/11258

Affected Products

  • Red Hat CloudForms 4.2 x86_64

Fixes

  • BZ - 1386342 - [RFE] it's impossible to Provision VMs if VMs view is opened through Providers or Clusters, etc. views
  • BZ - 1393438 - Advanced search not displayed in Config mgmt
  • BZ - 1395722 - [Config management] - Advanced search not functional
  • BZ - 1395866 - New provider input field lengths are inconsistent
  • BZ - 1396237 - Middleware - Datasource deletion - More informative message.
  • BZ - 1396579 - UI: Task status icons are not aligned properly
  • BZ - 1402995 - do not render service start/stop buttons (and status field?) if start and stop actions are missing
  • BZ - 1411477 - Heat Template provisioning does not honor Tagging filtering
  • BZ - 1414003 - RFE - Azure Orchestration Service Retirement does not delete VMs
  • BZ - 1416819 - AWS Region ca-central-1 missing from Cloud Provider configuration
  • BZ - 1416827 - In datastore clusters selecting storage cluster does nothing
  • BZ - 1416836 - Unexpected error encountered while Viewing Full screen report
  • BZ - 1416894 - Duplicate folder names between host & vm/templates causes placement issues
  • BZ - 1417757 - CF fails to provider discover RHV4.0
  • BZ - 1417762 - Impossible to open a condition from a condition list
  • BZ - 1417763 - Snapshot link in vm summary page becomes inactive on deleting a snapshot and viewing its history
  • BZ - 1417779 - Clicking on the Policy Event link doesn't take you to the event page
  • BZ - 1418066 - ActionController::RoutingError (No route matches [GET] "/client/assets/images/cockpit.png")
  • BZ - 1418221 - "ExtManagementSystem" string in Provider policies
  • BZ - 1418815 - Wrong provider condition title in the tree
  • BZ - 1419603 - Getting undefined method with_interval_and_time_range errors in evm.log
  • BZ - 1419694 - Catalog Item Long Descriptions allow the user to override UI styling
  • BZ - 1420284 - [CFME] db:migrate warning 'supports_feature_mixin.rb:103: warning: key :terminate is duplicated and overwritten on line 111'
  • BZ - 1420442 - Unable to provision VMs to a VLAN with a '/' in the name
  • BZ - 1420467 - Containers Topology - second search not working
  • BZ - 1421154 - check_provisioned Check orchestration deployed doesn't properly handle rollback_complete
  • BZ - 1421158 - control policy events aren't generated for azure instances
  • BZ - 1421161 - network manager timelines 404 found
  • BZ - 1422647 - Customer concerned about memory and elapsed time to generate custom report in global reporting region
  • BZ - 1422648 - Impossible to access Cockpit administration tool from Self-Service UI
  • BZ - 1422649 - Appliance fails to terminate (ie, kill) worker processes that fail to respond to requested termination.
  • BZ - 1422650 - Services with nil service_template will fail while looking up atomic? or composite?
  • BZ - 1422651 - UI: Service catalog ordering - spinner disappearing too soon, not in sync with page load
  • BZ - 1422652 - Inconsistent alt-text for advanced search buttons
  • BZ - 1422653 - Update set_security_group method to accept an array of MIQ objects
  • BZ - 1422654 - Node lifecycle: ability to set node manageable from provisioning state enroll
  • BZ - 1422975 - Missing links to nested Resource Pools in Resource Pool summary screen
  • BZ - 1423032 - Stack template page needs to change the font color
  • BZ - 1423470 - Running any rake task gives a warning message before running
  • BZ - 1424255 - SPICE connections to RHV fill up log with error message
  • BZ - 1425492 - Chargeback for Container Images - Default Container Image Rate is editable
  • BZ - 1425494 - cannot remove user belonging to group EvmGroup-super_administrator via tree
  • BZ - 1425873 - MiqUiWorker fails to start
  • BZ - 1426433 - Cannot generate VM base report
  • BZ - 1426628 - [Regression]C&U graphs don't get grouped by tags
  • BZ - 1426638 - Security groups reflected twice on Cloud tenant page
  • BZ - 1426683 - Unable to compute performance rollups for OpenShift
  • BZ - 1427168 - unable to bring VM out of retirement from details page
  • BZ - 1427169 - Provide CFME/RHV build in qcow format, further to image uploader tool drop for RHV-4.1
  • BZ - 1427172 - trying to log in with user admin after timeout on different user will get the UI stuck on login + error on wrong credentials will show in log
  • BZ - 1427298 - vCenter DVS network selection after upgrade to CloudForms 4.2 fails
  • BZ - 1427299 - Missing form buttons on Catalog Items - Add new Button Group and Buttons
  • BZ - 1427321 - "My Company Tags" not loading after login for creating new group
  • BZ - 1427520 - User access filtering using tags for cloud networks and floating IPs isn't working as expected.
  • BZ - 1427522 - Cancel edit cloud subnet throws undefined method `empty?' for nil:NilClass
  • BZ - 1428079 - Can not display instances on one tenant within OSP in CloudForms
  • BZ - 1428122 - Creating or copying a report drops browser session and returns to sign in screen
  • BZ - 1428124 - RuntimeError Multiple parents found / in generate_one_content_for_group
  • BZ - 1428130 - [RFE] OpenShift Projects report Pods: Deleted On attribute empty
  • BZ - 1428131 - limit list of user's roles to for creating a group
  • BZ - 1428508 - When invoking a start or stop action on an instance via API, it is not reflected in the CloudForms 4 UI; however, it performed the desired action on the cloud side.
  • BZ - 1428509 - Missing "Reset" option for SCVMM VM from Details
  • BZ - 1428512 - all volumes in systems are shown under a pod summary
  • BZ - 1428579 - Cannot approve an automation request in a 'Pending Approval' state
  • BZ - 1428895 - When filtering datastores the title is "the datastore datastores" which makes no sense
  • BZ - 1428897 - Custom Attributes in WebUI Change Order as Created / Updated - Not sorted
  • BZ - 1428899 - Copy Chargeback report will not add unless a parameter is changed first
  • BZ - 1428900 - [RFE] Container Chargeback - get rate assignment from enterprise
  • BZ - 1428903 - disable local login does not work when cfme external auth is configured for IPA
  • BZ - 1428904 - Middleware Topology - broken icon for Servers
  • BZ - 1429648 - An exception in a worker's sync_workers can cause the server process to exit with fatal error
  • BZ - 1429650 - External authentication works when logging into the Admin UI but doesn't work for the same user to get into the Service UI
  • BZ - 1429652 - The email validation is no longer accepting upper case characters in the users email address.
  • BZ - 1429999 - CHRONYD getting stopped/failed in CFME-4.2 Appliances after 5-10 minutes
  • BZ - 1430088 - Network I/O Metrics empty in RHEV
  • BZ - 1430089 - Service view VM buttons all click through to first VM
  • BZ - 1430439 - Ordering of Saved Chargeback reports needs to be reversed
  • BZ - 1430542 - [RFE] Service Dialog drop-down field should support multi-select option
  • BZ - 1430835 - CSRF tokens are erroneously being checked for external authentication
  • BZ - 1430838 - Services > Catalog Items - services in the tree don't match right side
  • BZ - 1430937 - Service Dialog does not save default value <None> for drop down or radio button
  • BZ - 1431154 - No flash message after addition of a new policy is cancelled
  • BZ - 1431162 - Service Dialog - Element visibility on condition is not working in Self-Service portal
  • BZ - 1431163 - [SDN] - Security groups/Floating IPs not displayed in Network Topology View
  • BZ - 1431164 - The cleanup process is never started because of bugs in the code
  • BZ - 1431165 - "FATAL -- : ActionController::RoutingError (No route matches [POST] "/vm_infra/console/198")" found in production.log file while accessing vm console with MKS plugin
  • BZ - 1431166 - Wrong selection of parent for VM in a tree
  • BZ - 1431168 - Dashboard and Report information not filtered by Tenancy
  • BZ - 1431620 - [Scale][RHV] Inventory refresh fail on timeout, after ~2 minutes.
  • BZ - 1431641 - Issue when Azure VM doesn't include offer in.
  • BZ - 1431727 - UI: Add new Subnet must be disabled when there is no cloud provider present.
  • BZ - 1431808 - RHEV VM Reconfigure: Hot unplug CPU and Hot add memory request succeed, though it should fail on not-supported
  • BZ - 1431842 - Service requests show none with "refresh" buttons instead of selected values
  • BZ - 1432093 - Removing all folders from an accordion in Report Menu makes the Reports page display error
  • BZ - 1432098 - Chargeback by Image cannot assign Rate for Label with special characters
  • BZ - 1432174 - CVE-2017-2653 CloudForms: UI security issue on Openstack actions
  • BZ - 1432463 - Web UI inaccessible after changing number of UI Workers
  • BZ - 1432467 - [Azure] ManageIQ string in downloaded PDF
  • BZ - 1432639 - RBAC Search Errors out on Strings
  • BZ - 1432957 - AWS flavor list is out of date.
  • BZ - 1432960 - Missing AWS Regions
  • BZ - 1432961 - Unable to hot add new thin provisioned disk to VM
  • BZ - 1432962 - Host Storage Device retrieves more information than necessary
  • BZ - 1433069 - [Multi-tenancy, LDAP] - Images not visible to tenant / Instances not visible to tenant after provisioning
  • BZ - 1433089 - Error after expanding Button Group in Catalog Items
  • BZ - 1433093 - Mixed up values in Low and High operating ranges for C&U graphs
  • BZ - 1433094 - Refresh of OSP10 OpenStack/Director undercloud failing
  • BZ - 1433366 - Editing an already created schedule for "Container Image compliance" doesn't populate all the existing schedule settings
  • BZ - 1433435 - Policy to exclude a VM from analysis shows as false but scanning is still happening
  • BZ - 1433486 - Corrected loading record id by selected node
  • BZ - 1433500 - Duplicate ContainerImage records with same digest
  • BZ - 1433962 - Control Explorer is displayed despite role has restricted access to it
  • BZ - 1433974 - Persistent Volumes list grows exponentially upon refresh.
  • BZ - 1433976 - List items on Policy profiles page are not clickable
  • BZ - 1433979 - Reports fail when selecting a Custom Attribute containing one or more dots
  • BZ - 1433980 - VM extend retirement fails
  • BZ - 1433981 - Charge back reports are not showing the data
  • BZ - 1434012 - Clipped Chart Controls on Dashboard
  • BZ - 1434096 - All Endpoints' [Validate] buttons disabled/enabled according to main endpoint fields
  • BZ - 1434150 - [Scale] MiqWidget.generate_content at large scale consumes tremendous amount of memory and times - out
  • BZ - 1434151 - Services: My Services tree does not show services that are marked as display false.
  • BZ - 1434157 - Automate Simulation: The simulation form behaves weird after certain steps
  • BZ - 1434158 - Stack trace when running fix_auth
  • BZ - 1434160 - Impossible to distinguish Labels and entity attributes in OpenShift Chargeback Reports
  • BZ - 1434172 - Azure Cloud provider fail to refresh
  • BZ - 1434411 - Undefined Method Error virtual_custom_attribute_name for Chargeback Report OpenShift
  • BZ - 1434428 - No payload sent to rhevm4.0 from cfme-5.7.0
  • BZ - 1434549 - [RFE] Routers do not allow you to set/clear external network gateway
  • BZ - 1435278 - Metrics collections consistently fail when the last collection date/time is weeks to months prior
  • BZ - 1436223 - Unable to order service
  • BZ - 1436340 - [RFE] Replace Ceilometer event with Panko
  • BZ - 1436854 - miq worker in aborted status
  • BZ - 1437560 - [RHOS] - changing ownership of image returns error
  • BZ - 1438450 - Unable to open Details(Summary) of archived Instance
  • BZ - 1438888 - [RFE]: Containers should be added to Service Model
  • BZ - 1439308 - Excessive log lines for "Initializing DRb Connection to MiqServer with ID"
  • BZ - 1440405 - subselection in access control role does not bubble up in tree display
  • BZ - 1440408 - excon gem defaults generate error connecting to OSP

CVEs

References