
Security vulnerabilities in the CloudForms software package

  • OS details: WN7
  • Importance: IMP
  • Operating systems: L
  • Categories: LRH


Red Hat Security Advisory

Synopsis: Important: CloudForms 4.6.2 bug fix and enhancement update
Advisory ID: RHSA-2018:1328-01
Product: Red Hat CloudForms
Advisory URL:
Issue date: 2018-05-07
Cross references: RHBA-2018:0556
CVE Names: CVE-2018-1101 CVE-2018-1104 CVE-2018-7750

1. Summary:

An update is now available for CloudForms Management Engine 5.9.

Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

CloudForms Management Engine 5.9 – noarch, x86_64

3. Description:

Red Hat CloudForms Management Engine delivers the insight, control, and
automation needed to address the challenges of managing virtual
environments. CloudForms Management Engine is built on Ruby on Rails, a
model-view-controller (MVC) framework for web application development.
Action Pack implements the controller and the view components.

Security Fix(es):

* python-paramiko: Authentication bypass in (CVE-2018-7750)

* ansible-tower: Privilege escalation flaw allows for organization admins
to obtain system privileges (CVE-2018-1101)

Red Hat would like to thank Graham Mainwaring of Red Hat for reporting

* ansible-tower: Remote code execution by users with access to define
variables in job templates (CVE-2018-1104)

Red Hat would like to thank Simon Vikström for reporting CVE-2018-1104.

For more details about the security issue(s), including the impact, a CVSS
score, and other related information, refer to the CVE page(s) listed in
the References section.

Additional Changes:

This update also fixes several bugs and adds various enhancements.
Documentation for these changes is available from the Release Notes
document linked to in the References section.

4. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

For details on how to apply this update, refer to:

5. Bugs fixed (

1495849 – [ALL_LANG] VM or Template comparison screen has untranslated entries.
1510499 – With RHV Graph refresh template numbers in Provider inventory does not get updated correctly.
1526086 – [ALL_LANG] Compute – Containers – Container Builds page has missing translations
1526088 – [ALL_LANG] Compute – Containers – Pods page has missing translations
1530680 – xClarity: EvmRole-operator unable to view physical server summary page
1530760 – [ALL_LANG] Control – Explorer – Policy Profiles – All Policy Profiles : ‘Policy’ is not localized
1533220 – [ALL_LANG] Control – Explorer – Actions – All Actions – Configure – Add a new Action : ‘Action Type’ drop-down menu has untranslated entries
1533233 – On Tag Assignment page Category has other Tags than preconfigured for it
1533515 – [ALL_LANG] User Icon – Configuration – Access Control – Roles : Add new Role has untranslated entries
1538094 – [ALL_LANG] User Icon – Tasks : untranslated entry
1538100 – [ALL_LANG] User Icon – Configuration – Settings – CFME Region: Region xx[xx] has untranslated entry
1549625 – webui updates failing when a proxy is required
1549722 – WebUI: Tool tip displays html code while setting the ownership for multiple vm’s
1550728 – Replication configuration page does not open when child database is down
1550730 – [Ansible Embedded] – Embedded Ansible cannot be enabled on IPv6 only appliance
1550736 – unable to view quotas without manage quota permissoin being enabled in 5.8.2
1551692 – internal server error ActiveRecord::AssociationTypeMismatch when editing current_group
1551696 – Colons are unhandled in BaseModel key generation in AzureArmrest
1551698 – Not possible to configure GCE provider for new regions (southamerica-east1) on CFME
1551703 – RHOS: Unable to delete cloud tenant
1552266 – Duplicated choice exist in new alerts view
1552269 – Network router type string contains ManageIQ path
1552278 – Authentication issue for checking status of Task API via EvmRole_administrator privileged User
1552282 – [RFE] Make Automation State Machine Log Lines Uniform
1552288 – [RFE] Metrics for memory usage of AWS instances is missing from C&U
1552290 – AWS Smartstate Does Not Fail Gracefully if AMI To run Analysis Agent is Unavailable
1552301 – Azure Template to service Dialog conversion issue
1552303 – [Azure]Provision Multiple VMs with Public IP selection options
1552305 – GCE Region is useless in GCE Provider
1552323 – xClarity: server-host relationship to hosts managed by RHEV-M provider not created.
1552334 – Nuage provider name is always displayed as ” Network Manager” on GUI
1552335 – EventCatcher is not restarted when Nuage provider is updated
1552671 – [RFE][XS-2] Add possibility to unregister a VM in RHV provider
1552673 – Cloudforms doesn’t show IP of vms on vCloud provider
1552677 – VM does not have deletion event on its own timeline on vsphere55
1552704 – Default Docker Labels for Labeled Images in Chargeback Assignments
1552707 – Wrong error displayed when trying to add a group without a name
1552723 – Can’t Manage Report Menu Accordions and Folders
1552735 – Filters not working properly in config mgmt configured systems
1552737 – UI: Broken bootstrapswitch design in custom button option of generic object
1552739 – [RFE] Expose Infra provider networks (RHOS) in host/node details
1552740 – [ALL_LANG] User Icon – Configuration – Settings – Schedules : Add a new Schedule page has untranslated entries
1552741 – Can’t remove multiple instances or methods in UI.
1552743 – ui: Tabs switched When changing the System/Process type on add new button page
1552746 – typo in provider summary page: metrics type Hakular –> Hawkular
1552748 – [Embedded Ansible] Notification typo
1552753 – CFME Log lines in Diagnostics are divided into multiple lines
1552762 – Error when applying a filter in My Services from Adv search
1552763 – Remove Chargeback Rates field for Metering reports
1552776 – Auth MIQLDAP AD – miqldap_to_sssd conversion fails for ldap.
1552782 – Smartstate on Azure Managed Linux Instance returns Unable to mount filesystem. Reason:[XFS::DirectoryDataHeader: Invalid Magic Number 0]
1552783 – Unable to add playbook repos after webui update
1552785 – Auth MIQLDAP AD – Users can’t log in to console after miqldap_to_sssd conversion
1552790 – Validating credentials for replication throws error if pglogical schema not created
1552791 – miqldap_to_sssd help message is incorrect
1552792 – Auth External Auth SAML – Users with custom groups with special chars can’t log in.
1552794 – A control alert for real time performance of a VM and Instance is not firing
1552796 – [RFE] Chargeback reports for OpenStack tenants
1552798 – [Providers] – Instances not linked after provider removal/addition
1552800 – Retirement requester is not passed down correctly to automate
1552801 – RBAC doesn’t work for notifications
1552802 – No notification for failed registration
1552804 – configure_server_settings.rb changes numeric values to strings, causing failures when other code is expecting integers
1552809 – [RFE] Support RestAPI Primary Collection for Containers (object)
1552817 – SUI doesn’t display costs for SCVMM services
1552824 – Can Add Duplicate Custom Attributes on OpenShift Provider Via the API
1552826 – internal server error when cloud_networks, cloud_subnets or security_groups subcolls requested on RHEVM
1552828 – internal server error when accessing attributes of the “picture” resource
1552838 – Targeted folder refresh doesn’t work on VMware
1552842 – Customize vApp template prior provisioning (VMware vCloud Provider)
1552873 – RBAC Users can be removed from all associated groups after the webui shows the error “A User must be assigned to a Group”
1552879 – Tagging broken in Datastores and My Services page
1552880 – [RFE] There is no any indication in replication subscription screen for not accessible remote node
1552882 – The quad-icon tile for an OpenShift provider shows an exclamation mark, but a mouseover shows “Refresh Status: Success”
1552884 – Cursor on password field instead of username when we enter incorrect login details
1552886 – Unwanted comma in disk type string for Azure instances
1552889 – containers: identical volume name for different volumes in different pods is not useful for users (at least not admin)
1552890 – Tagging: Edit tags page doesn’t open for network list items navigated through parent details page
1552895 – Error updating Nuage provider
1552900 – Title does not update when searching text in Datastores and other pages
1552903 – Automate tree in the left pane has duplicates following any copy operation (instance, class, namespace)
1552904 – The accordion folds after adding a schedule
1552908 – Add button is not responsive on Role add page
1553191 – Timelines: Throws an error while trying to access Cloud Intel/Timelines
1553197 – Configuration -> Red Hat Updates tab does not list all required repositories
1553214 – JavaScript-UI: Wrong behavior of `display on button` checkbox while editing custom group form
1553224 – Set Ownership can not be changed back to default
1553241 – Container add provider empty flash message when not catch UI exception
1553242 – Tag: All Catalog Items are listed in resource dropdown while creating Catalog Bundle using restricted user
1553243 – Save button isn’t activated when date is removed in VM “Set/Remove retirement date”
1553244 – [QEDevCollab] Components in ‘Add button group’ form causing test automation failures
1553251 – Chargeback Rates page title incorrect after deleting rate
1553288 – Flash message icon is not correct Bottlenecks page
1553295 – Unable to perform SSA if Vm storage is fileshare on SCVMM and throws error in evm.log
1553304 – Evacuate Host failed
1553307 – Undefined method `vmm_version’ for nil:NilClass on VM summary screen
1553309 – [RFE] Generic objects not displayed
1553311 – Wrong ‘Fixed IPs’ font size while adding a router with external gateway
1553315 – C & U Collection settings in configuration page improper styling
1553316 – On schedules pages is shown pagination from analysis profiles
1553317 – Broken footer in alerts
1553319 – [RFE][S-3] UI displays disabled domains for a instance’s domain priority
1553322 – audit.log should not contain translated messages
1553323 – Adding Interface to Router with user in Tenant show all Subnets and not only the Tenant’s Subnet
1553326 – Switch icon is missed on tag assignment page
1553327 – Stack Outputs icon is not displayed
1553329 – Using webmks console one cannot type correctly the password when it contains special characters
1553336 – Default view settings fails for service catalogs
1553340 – [CONDITION] When we leave description blank, there are two identical flash messages.
1553345 – Openstack infra provider dashboard should not appear for an openstack infra provider
1553362 – Add miqssh utilities
1553384 – [RHV] VM Reconfigure: Down VM Memory increase fail on cannot exceed maximum memory
1553389 – VMware vCloud Provider’s VM is only partially stopped/suspended
1553392 – EvmRole-auditor can perform actions on VM
1553393 – [RFE] Add RBAC and Tagging Support to Ansible Credentials.
1553396 – [RFE] Add RBAC and Tagging Support to Ansible Repos
1553397 – Error while checking that migrations are up to date
1553399 – Normalize text for operational alerts
1553480 – SUI : Clicking any link on dashboard does not change the navigation in left side
1553482 – Kebab menu appearing differently on service page and resource detail pages
1553483 – Kebab menu changes structure after 30 seconds in SSUI resource detail page
1553768 – [RFE] Add RBAC and Tagging Support to Ansible Playbooks
1553776 – Role inconsistency with privileges when creating reports and setting chargeback filters
1553779 – Restricted user can see all group and users
1553780 – notifications do not get cleared from the notification table
1553789 – Unable to add tag for configuration provider from ‘All Rad Hat Satellites Providers’
1553791 – xClarity: Physical server summary page download as PDF button not supported
1553836 – Visibility expression does not evaluated correctly on custom buttons for Generic Object
1553873 – Missing Datastore Images
1553903 – [Regression] Backup/restore failing on appliances using pglogical
1554358 – Graph refresh should not be used for rhv36 providers
1554370 – Wrong breadcrumb link on order screen
1554454 – Adding a physical provider shows as infrastructure provider (text change)
1554532 – Schedule report fails to send mail when report is not empty
1554541 – Long time to refresh network provider on OpenStack
1554823 – Infinite spinner on Edit Playbook Reset button
1554825 – NTP server details doesn’t show in UI after adding a new zone
1554832 – Automatic placement causes cloud tenant to not be selectable
1554839 – Policy simulation results are not displayed
1554889 – OpenStack Cinder Storage provider detail does not have link to Volume Backups
1554898 – when deleting an archived node using configure > remove a unknown method error is raised
1554901 – Missing Guest OS in dashboard reports in Openstack
1557130 – CVE-2018-7750 python-paramiko: Authentication bypass in
1557353 – Adding a network router via CloudForms the router is not seen by CloudForms
1557361 – [RFE][XS-2]Cloudforms does not show node hostname, only GUID for OpenStack Infrastructure Provider
1557367 – Request not required when adding Schedule
1557378 – [UI] There is no indication of cloud network delete operation
1557380 – Tagging: Edit tags page doesn’t open for images opened from provider summary page
1557388 – Inconsistent capitalization of ‘CPU’ when creating chargeback rate
1557391 – Physical Infrastructure provider quadicons doesn’t support single view
1557400 – Physical server quadicon switch under My Settings doesn’t respect RBAC rules
1558030 – internal server error when accessing the “policy_events” attribute of the “vms” resource
1558038 – AWS flavor list is out of date
1558040 – Not able to scan instances in AWS
1558046 – OpenStack – Include Provider Error Message in MiqProvisionFailure
1558048 – Provision fails if no Subnet assigned not Cloud Network
1558078 – [RFE][M-5] Targeted Refresh for Azure Provider
1558092 – Dropdown to delete a “not responding” server is missing
1558142 – Network provider quadicons doesn’t support single view
1558144 – UI inconsistency – Size Unit title missing when adding a new disk
1558544 – Creating buttons under the Datastore objects do not appear on Datastore Details Pages
1558594 – No event AWS_EC2_Instance_UPDATE when renaming a VM on EC2
1558610 – Images from the webmks css causes CSP errors in browser console
1558621 – RedHat domain can be edited/deleted
1558626 – PG::InvalidTableDefinition: ERROR: cannot alter inherited column “resource_type
1559475 – CUI returning empty array when dialog without associations is saved
1559479 – [RFE] Add RHV Credential to Ansible Automation Inside
1559483 – CUI doesn’t check dialog field associations
1559543 – [RFE] Metering Reports should provide Hours of Existence & Start and end time of VMs, Projects and Images
1559544 – [RFE] Collect Container Project Quota Historical data in Project Roll-up
1559550 – Regression Instance Method check_quota Throws Error 5.8.2 to 5.8.3 undefined method provisioned_storage
1559552 – Api::ServiceCatalogsController timeout error in multi-regional environment
1559609 – Amazon agent deployment has to choose the VPC which has attached gateway configuration
1559624 – Graph refresh does not fetch custom attributes
1560004 – [RFE] SCVMM provider refresh error message issue if provider user doesn’t have access to VMM service
1560096 – Error occurs when trying to edit a catalog item
1560098 – Outgoing SMTP E-mail Server settings not saved on first attempt
1560100 – Total matches of Ems Cluster roles showing wrong count
1560104 – Automate Schedule: “Starting time” field saves nonsense.
1560692 – Stop CF pestering OpenStack for Swift status when there is no Swift.
1560699 – Consolidated RefreshWorkers may cause job starvation
1560703 – Refresh is broken for ec2 when get_public_images is set to true
1560708 – My Company(All EVM Groups) filter missing from reports schedule
1561076 – Duplicate RBAC Role and Group names allowed when using different capitalization from the original name
1561079 – [Regression]Error with report policy event for the last 7 days
1561085 – [RFE] Azure Network router not displayed on CFMe
1561091 – List view displayed instead of grid on Manage Policies screen
1561096 – Default selected tag name / value mismatch when assigning tags
1561107 – ERROR — : AnsibleTowerClient::Middleware::RaiseTowerError Response Body: {“detail”=>[“‘username’ is not a valid field for Vault”]}
1561216 – Failure to refresh on OpenStack provider when Fog::Storage::OpenStack::File object has nil body attribute
1561218 – [RHV] PXE provision with Network “use template nics” fail on creating VM
1561222 – ping feature inconsistent with webui ping when database connectivity is lost
1562075 – Duplicate values are shown in dialog dropdown.
1562235 – Nics are Provisioned out of Order for VMware Service Provision
1562772 – tenant source_id compromisation after changing provider credentials
1562777 – Approval permissions are not followed between different groups
1562779 – Cannot create service template using the API
1562780 – [SCVMM]Extract Running Processes completed Task List does not inform about Warnings.
1562782 – A state machine’s on_exit method runs before the main method if the main method is an embedded Ansible playbook
1562785 – Refresh failed after performing vm_reconfiguration_task
1562788 – [Regression] RHV provider discovery doesn’t work
1562791 – Database Replication broken for current and new regions
1562797 – CFME – usage of non standard special characters (e.g. accents) in password causes user is not able to login
1562800 – Schedule Operation: Cannot create schedule, “Add” button is not active
1562803 – [RFE] CFME, add Ansible GIT repository custom SSH port option
1562811 – No Advanced Search in Volume Snapshots/Backups
1563268 – CloudForms appliance is ignoring azure proxy settings in advanced tab.
1563351 – Nuage provider is unable to refresh inventory when subnets are missing gateway address
1563358 – Nuage Networks provider does not handle empty AMQP details
1563359 – Nuage Provider doesn’t capture Alarms
1563361 – Nuage provider’s event catcher yields “Too many open files” after 9 hours
1563363 – VMware vCloud Provider’s inventoring fails because of bug in Disk parsing
1563364 – Support console access for VMware vCloud Provider’s VMs
1563492 – CVE-2018-1101 ansible-tower: Privilege escalation flaw allows for organization admins to obtain system privileges
1563731 – in the conditions screen you see “Container Node” on the left but “Node” on the right
1563740 – ReconfigVM Event triggers a refresh_sync Holding Automate Process in State Machine
1565139 – Some expression method definitions can fail with “<Script error>” in a dialog and a stack trace in evm.log
1565140 – Embedded Ansible job_status .out files are not processed by logrotate
1565142 – Nuage Provider uses qpid_proton gem version without heartbeating
1565147 – Unable to create Cloud Network due to undefined method
1565148 – Service gets submitted even if dialog does not passes validation
1565151 – Regression Custom Button Dialog Not Displaying Submit or Cancel Button
1565156 – Unable to see realtime data from OpenShift in CloudForms UI
1565160 – Ansible playbook credentials always show default value in SUI
1565167 – openstack provisioning instance fail on checkprovisioned
1565232 – OpenStack with bad credentials shows timeout
1565677 – Container reports take too much time to generate
1565686 – VMware vCloud Provider credential validation fails
1565756 – Remove specific EVM server from zone
1565862 – CVE-2018-1104 ansible-tower: Remote code execution by users with access to define variables in job templates
1566255 – DRb ‘close’ error for closed connection
1566526 – Reporting worker exceeding threshold for default report tied to custom widget
1566529 – Smartstate Analysis Schedule Fails for OpenShift 3.7 Container Images
1566530 – Report for Storage Capacity Field Generating Error Cannot Convert Hash to Float
1566541 – [RFE] Target Refresh support for OpenStack Block Storage Manager
1566557 – [Regression] Infra provider discovery doesn’t work
1566562 – RHSM failing to register with proxy settings
1566563 – Cloudforms present blank page for backup volumes
1566568 – Appliances Missing from Global Region are showing a Zone ID of a Local Region
1566572 – ERROR ASCII-8BIT to UTF-8″,”klass”:”Encoding::UndefinedConversionError”}}
1566577 – [AZURE]Filter list of available Public IPs
1566658 – [PRD][RFE] Ansible Next Gen – Playbook Seeding
1567278 – xClarity: Error while execute the second refresh cycle
1567962 – VMware vCloud Provider’s VMs cannot revert from snapshot
1568023 – [Embedded Ansible] Standard Output throws error if Hostname has Non-ASCII Characters
1568091 – Catalog Item with Tag Control element cannot be ordered
1568156 – Not able to import certain dialogs because of tag Id
1568158 – User Interface does not come up after reboot
1568162 – DRO Service mapping to DRO instance incorrect
1568467 – Cannot put special characters in proxy password in Advanced Config
1568473 – Saving a service dialog with a multi-select drop-down populated by expression method gives a 500 internal server error
1568550 – CFME: OpenSCAP evaluation report target machine does not show container image name
1568559 – Deployment template validation failed
1568602 – Git repo automate datastore refresh timing out upon credential change
1569099 – Orphaned and Archived VMs displayed in running vms filter
1569103 – Online VMs (Powered On) report lists Orphaned and Archived VMs/Instances
1569113 – Apache Reloaded twice with logrotate
1569177 – ERROR : 404 when trying to set the retirement date of the service
1569236 – [UI] – ManageIQ string in PDF summary file for flavors
1569472 – In dynamic dropdown list, the default value contains ALL the values of the list
1569551 – Auto-refresh values take forever to load values in dropdown
1570118 – CloudForms 4.6 – filtering based on tags does not work for catalog items
1570821 – Unable to run ansible playbook method via Simulate
1570950 – Service and VM retirement are non-deterministic, running parallel
1570989 – Service Catalog Item Subtype not rendered in UI
1571310 – Unable to select storage manager from drop down list through classic UI
1571976 – Dynamic check box does not update in Classic UI
1571989 – droplist with large amount of items do not display a search field
1572711 – Automate Methods from Dynamic Dialog are being Run More than Designed / Expected
1572716 – Delay in rendering service dialog
1572718 – Provider Inventory worker vim.log fills up due to large log messages
1573215 – OpenStack Block Storage Manager Cinder does not refreshed
1573246 – Workload category for Tag Control element does not work
1573254 – auto_refresh being used instead of dialog field responders on later versions
1573539 – Dashboard widget is not providing exact content due to Type conversion Exception.
1573990 – in certain situations the refresh methods are called on every single refresh

6. Package List:

CloudForms Management Engine 5.9:

These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from

7. References:

8. Contact:

The Red Hat security contact is <>. More contact
details at

Copyright 2018 Red Hat, Inc.

Author: Danijel Kozinovic
Cert id: NCERT-REF-2018-05-0001-ADV