You are here
Home > Preporuke > Sigurnosni nedostatak programskog paketa CloudForms

Sigurnosni nedostatak programskog paketa CloudForms

  • Detalji os-a: WN7
  • Važnost: IMP
  • Operativni sustavi: L
  • Kategorije: LRH

Hash: SHA256

Red Hat Security Advisory

Synopsis: Moderate: CloudForms 4.6.5 security, bug fix and enhancement update
Advisory ID: RHSA-2018:3466-01
Product: Red Hat CloudForms
Advisory URL:
Issue date: 2018-11-05
Cross references: RHSA-2018:2561
CVE Names: CVE-2018-1000544

1. Summary:

An update is now available for CloudForms Management Engine 5.9.

Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Relevant releases/architectures:

CloudForms Management Engine 5.9 – x86_64

3. Description:

Red Hat CloudForms Management Engine delivers the insight, control, and
automation needed to address the challenges of managing virtual
environments. CloudForms Management Engine is built on Ruby on Rails, a
model-view-controller (MVC) framework for web application development.
Action Pack implements the controller and the view components.

Security Fix(es):

* rubyzip: arbitrary file write vulnerability / arbitrary code execution
using a specially crafted zip file (CVE-2018-1000544)

For more details about the security issue(s), including the impact, a CVSS
score, and other related information, refer to the CVE page(s) listed in
the References section.

Additional Changes:

This update fixes various bugs and adds enhancements. Documentation for
these changes is available from the Release Notes document.

4. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

5. Bugs fixed (

1592571 – Service Dialog Editor localization in French Incomplete
1593001 – CVE-2018-1000544 rubyzip: arbitrary file write vulnerability / arbitrary code execution using a specially crafted zip file
1599349 – API with an invalid zone name kill the appliance
1603026 – Vim Performance States Table Causing Region to Lock up During a Vacuum
1607409 – The remote_ws_url value does not failover if the appliance is stopped, so “api_url” can be incorrect in an Ansible playbook
1607438 – Alerts do not trigger and do not send email notification
1608368 – Ansible Jobs Causing State Machine to Fail due to Inactivity Threshold Exceeding 0
1608770 – custom buttom page empty
1612905 – internal server error when cloud_tenants or flavors subcollection is requested on infra provider
1613333 – Couldn’t find EmsFolder with ‘id’
1613420 – OpenStack deletion gives problem
1615465 – Using database wildcard `%25` in VM queries causes exception, returns 500 to client
1618800 – Open URL Does Not Work When Using a DIalog with a Button
1618805 – CloudForms tries to collect metrics from OCP despite not being configured for it
1618807 – [RFE] Restore VM ownership and retirement during migration
1618808 – Migrations linking jobs and miq_tasks could take long time when upgrading to 5.9
1619431 – [v2v] Network Missing in Infra Mapping
1619654 – [v2v] Schedule Unschedule Migration does not seem to work correctly
1621441 – Change VMware URI to connect directly to ESXi
1621445 – Default Dashboard can’t be updated
1621449 – Fix displaying disk type of a VM created from template and passing clone parameter to RHV
1622631 – reports using “group by” on date show a total column per vm instead of showing a total at the end of the report
1622652 – Service Retirement runs twice for direct service children
1623557 – virt-v2v Fails with IMS when Using AD Credentials for VMware Provider
1623559 – [RFE] Add state_machine_phase attribute to transformation state machines
1623560 – Dynamic Text Area and Text Box Elements Load Even Though Load on Init is not Marked
1623561 – displaying -Child Orchestration Stacks- throwing UI error
1623563 – unable to generate chargeback based on metering for vms with traceback in logs
1623565 – Add log messages to Chargeback
1623573 – unable to add disk to vm via rest-api vm reconfiguration on vmware [request backport from existing commit]
1623582 – Change in chargeback report logging output
1625249 – Read Action Forbidden When User Tries to Attach Cloud Volume OpenStack
1625323 – UI breaks when viewing instance details.
1625376 – Wrong timezone when selecting retirement time
1626143 – Storage Domain ignored on provisioning
1626219 – nuage refresh fails – undefined method `[]’ … security_groups
1626474 – Handle service retirement date in service dialog
1628348 – Update to Azure Government endpoint
1628657 – Unable to retry Embedded Ansible method in a state machine
1629089 – [RFE] Add more RAM options size to life cycle dialog
1629090 – [SSUI] Able to create snapshot with memory on powered down VM
1629094 – Make the checkbox column in the column view not click-able
1629121 – When a button is for ‘single and list’ or ‘list’ and has a visibility expression, the button does not display in the list view even when all VMs in the list meet the expression
1629124 – giving volume name shouldn’t be mandatory in case of Openstack instance provisioning
1629125 – OSP domain user seen objects from other domain tenants
1629126 – [RFE] Add support to oVirt provider to set VM memory and CPU
1629127 – UI Monitor Alerts page is slow to load and when clicking on link it shows blank page with no alerts
1629129 – Cannot add Ansible Tower or refresh already added Ansible Tower
1629897 – Memory threshold set from Workers tab doesn’t work
1630938 – Refactor restoring VM attributes during migration
1631557 – Unable to provision VM with “choose automatic option”
1631817 – Not able to access Openstack instance console from selfservice portal
1632769 – Triggered Refresh Still Occurs for Dialog After Changing Type to Static
1634032 – To be able to add and create reports, the edit report role is needed.
1634808 – Password hashes in Automate Log
1635038 – VMware vCloud Provider’s vApp Provisioning Dialog Cannot be Submitted
1635764 – Power management via API falling into the wrong zone leading to permanently queued requests
1637035 – Add transformation utils methods
1637185 – [RHV] ISO provisioning fails with undefined SDK method
1637720 – Unable to see chargeback rate under rates accordion
1638684 – VMware vCloud Provider’s vApp Service Cannot be Fully Retired
1639300 – Unable to perform chargeback assignments for compute
1639413 – When ordering a service via the API the service dialog is not executed
1639877 – Can’t change Server’s Zone
1641670 – [regression][Custom Button] Unexpected error encountered in infrastructure and datastore object type when method and dialog both attached
1641810 – undefined method `find_tagged_with’ for #<Class:0x000000000b5e3228> [miq_request/show_list]

6. Package List:

CloudForms Management Engine 5.9:



These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from

7. References:

8. Contact:

The Red Hat security contact is <>. More contact
details at

Copyright 2018 Red Hat, Inc.
Version: GnuPG v1


RHSA-announce mailing list

AutorToni Vugdelija
Cert idNCERT-REF-2018-11-0001-ADV
More in Preporuke
Sigurnosni nedostaci programskog paketa Virtualization

Otkriveni su sigurnosni nedostaci u programskom paketu Virtualization za operacijski sustav RHEL. Otkriveni nedostaci potencijalnim udaljenim napadačima omogućuju izazivanje DoS...