
Security vulnerabilities in the CloudForms software package

  • OS details: WN7
  • Importance: IMP
  • Operating systems: L
  • Categories: LRH


Red Hat Security Advisory

Synopsis: Important: CloudForms 4.6.6 security, bug fix and enhancement update
Advisory ID: RHSA-2018:3816-01
Product: Red Hat CloudForms
Advisory URL:
Issue date: 2018-12-13
Cross references: RHSA-2018:3466
CVE Names: CVE-2018-1053 CVE-2018-1058 CVE-2018-10915

1. Summary:

An update is now available for CloudForms Management Engine 5.9.

Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

CloudForms Management Engine 5.9 – x86_64

3. Description:

Red Hat CloudForms Management Engine delivers the insight, control, and
automation needed to address the challenges of managing virtual
environments. CloudForms Management Engine is built on Ruby on Rails, a
model-view-controller (MVC) framework for web application development.
Action Pack implements the controller and the view components.

Security Fix(es):

* postgresql: Certain host connection parameters defeat client-side
security defenses (CVE-2018-10915)

* postgresql: Missing authorization and memory disclosure in INSERT … ON
CONFLICT DO UPDATE statements (CVE-2018-10925)

* postgresql: pg_upgrade creates file of sensitive metadata under
prevailing umask (CVE-2018-1053)

* postgresql: Uncontrolled search path element in pg_dump and other client
applications (CVE-2018-1058)
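The CVE-2018-1053 entry above describes a tool writing a file of sensitive metadata with whatever permissions the caller's umask happens to leave, so a permissive umask such as 022 makes the file group- and world-readable. The following Ruby script is an added illustration of that failure mode and of the defensive pattern (an explicit 0600 mode at creation time); it is not part of the advisory or of CloudForms/PostgreSQL, and the file names and the "secret" content are constructed for the demo.

```ruby
require "tmpdir"

# Careless pattern: open the file with the default mode (0666) and let the
# process umask decide the final permissions. With umask 022 this yields 0644,
# i.e. readable by every local user (the shape of the CVE-2018-1053 problem).
def write_with_umask(path, data)
  File.open(path, "w") { |f| f.write(data) }
  File.stat(path).mode & 0o777
end

# Defensive pattern: request 0600 explicitly at creation (O_CREAT|O_EXCL so an
# existing file is never silently reused). umask can only remove bits, so the
# result is never wider than 0600 regardless of the caller's environment.
def write_private(path, data)
  File.open(path, File::WRONLY | File::CREAT | File::EXCL, 0o600) { |f| f.write(data) }
  File.stat(path).mode & 0o777
end

# Audit helper: true when the group or "other" read bit is set on the file.
def world_or_group_readable?(path)
  (File.stat(path).mode & 0o044) != 0
end

# Runs both patterns under a deliberately permissive umask and reports
# [mode of umask-governed file, mode of explicit-mode file,
#  umask-governed file readable by others?, explicit-mode file readable by others?]
def demo
  old = File.umask(0o022) # typical interactive-shell umask (constructed setting)
  Dir.mktmpdir do |dir|
    loose  = File.join(dir, "metadata-umask.txt")   # constructed file name
    strict = File.join(dir, "metadata-private.txt") # constructed file name
    loose_mode  = write_with_umask(loose, "secret")
    strict_mode = write_private(strict, "secret")
    [loose_mode, strict_mode, world_or_group_readable?(loose), world_or_group_readable?(strict)]
  end
ensure
  File.umask(old) if old
end

if __FILE__ == $PROGRAM_NAME
  loose_mode, strict_mode, loose_readable, strict_readable = demo
  printf("umask-governed file: %04o (readable by others: %s)\n", loose_mode, loose_readable)
  printf("explicit 0600 file:  %04o (readable by others: %s)\n", strict_mode, strict_readable)
end
```

The same audit helper can be pointed at any file a tool leaves behind (for example the output of a pg_upgrade run after patching) to confirm that it is not group- or world-readable.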

For more details about the security issue(s), including the impact, a CVSS
score, and other related information, refer to the CVE page(s) listed in
the References section.

Red Hat would like to thank the PostgreSQL project for reporting
CVE-2018-10915, CVE-2018-10925 and CVE-2018-1053. Upstream acknowledges
Andrew Krasichkov as the original reporter of CVE-2018-10915; and Tom Lane
as the original reporter of CVE-2018-1053.

Additional Changes:

This update fixes various bugs and adds enhancements. Documentation for
these changes is available from the Release Notes document.

4. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

If the postgresql service is running, it will be automatically restarted
after installing this update. After installing the updated packages, the
httpd daemon will be restarted automatically.

5. Bugs fixed (

1539619 – CVE-2018-1053 postgresql: pg_upgrade creates file of sensitive metadata under prevailing umask
1547044 – CVE-2018-1058 postgresql: Uncontrolled search path element in pg_dump and other client applications
1609891 – CVE-2018-10915 postgresql: Certain host connection parameters defeat client-side security defenses
1610547 – [v2v] [RFE] Migrating VM with multiple DPG’s fail to get assigned with correct NICs on RHV
1612619 – CVE-2018-10925 postgresql: Missing authorization and memory disclosure in INSERT … ON CONFLICT DO UPDATE statements
1618836 – Changing action order in catalog bundle removes resource
1623562 – [RFE] Don’t show allocated IPs in dropdown while assigning floating IPs via CloudForms
1634809 – Button enablement and visibility by tag not working for buttons on Ansible services
1635034 – In the self service portal, reconfigure service shows “No Provisioning Dialog Available”
1635255 – Reports do not run when submitted through a UI which does not have reporting role on.
1635759 – Buttons not sorted in button group on Ansible Service
1635788 – Reverting snapshot fails for OpenStack instances
1638501 – Cannot login with an uppercase letter in username
1639351 – WebSocket push notifications no longer work in SUI
1639353 – [URI::InvalidComponentError]: bad component(expected host component): Method:[block in method_missing]
1639364 – Cannot change appliance name
1640194 – Service Dialogs are slow
1640258 – Update miqssh utilities.
1640629 – Variables field in provisioning a new service catalog item (Ansible playbook) changes when typing information into it
1640631 – User ID for Service Retirement Task Changes During Retires When First Retirement Fails
1641771 – Copying a custom report from a custom report menu changes source report name
1643042 – [RFE][Providers][RHOS] – Some flavors not visible in Instance Type dropdown when creating instance
1643261 – Unable to retire service via Global region
1643263 – Custom button[Template/Image]: after dialog execution not return to Detail page
1643539 – Validation failed: Description is not unique within region 1 Method:[block in method_missing]
1643959 – Custom Operator Role Can Edit Tags from Datastore Tab but not Through Provider > Datastore
1644410 – syncrou.manageiq-automate : Initialize the Workspace failed
1645198 – Unexpected error encountered when trying to cancel SSA scan task
1645204 – Custom Button: Navigation with relationship table breaks button display on destination.
1646435 – Prevent Service Ordering directly from REST-API
1646561 – The Server Name and Zone Name in the configuration page is blank upon visiting.
1646564 – Bad UI after adding a schedule for report
1646571 – Embedded Ansible: Wrong message in Notifications
1646599 – need to choose date two times in timepicker to take effect
1646604 – Button to start an ansible playbook does not work under self service portal
1646605 – Custom buttons that utilize dialogs with dynamic elements not do not populate from service UI
1646606 – Getting CORS error while creating quotas via javascript
1646613 – Extra buttons on Container Provider page
1646629 – Embedded Ansible needs a retry interval. We are currently setting limit and not interval.
1646646 – Azure refresh fails with [NoMethodError]: undefined method `sku’
1647056 – Memory peak usage of allocated for collected intervals (30 day average) field does not generate within report
1647108 – Infrastructure mapping not available shown incorrectly on Migration Plan
1647188 – unable to edit tags on an infrastructure host
1647489 – [Containers] Cannot Validate Metrics Endpoint for OCP Provider
1648674 – Unable to update Cloud Volume using CFME 5.9 with OSP 14
1648948 – Tags responding to `show` with true and having no classification produce 500-level errors for URL of `/api/tags?expand=resources&attributes=category,categorization`
1648955 – No registered resource provider found for location ‘germanycentral’ and API version ‘2014-04-01’ for type ‘virtualMachines’
1648991 – [RFE] Setting Retirement for a Service in Global Region Does Not get Replicated to Local Region
1649033 – Roles with SUI privileges can’t access Services, Orders in SUI in empty appliance
1649380 – Dynamic Dropdown Multiselect: Default element is blank when loaded by another element
1649419 – SUI permissions not showing catalogs and not hiding snapshots menu
1650691 – Setting retirement date for Service via Centralized Administration raises InterRegionApiMethodRelayError
1651291 – [Regression] Static Dialogs are not Populated when Submitting API Requests for Service Catalog
1651347 – Amazon API filter limit breaks targeted refresh for more than 200 items
1651391 – Orchestration catalog items cannot be submitted because of tenant error
1653417 – CFME should not assign flavor id in OSP provider.
1653710 – Internet Explorer (IE) not able to login to CloudForms
1654436 – Remove_from_disk method is leaving VMs in an Orphaned State for VMware Provider
1654463 – Memory utilization by node is incorrect in Provider Overview page
1655081 – Catalog bundle resources not retiring
1655143 – cfme upgrade 5.8 -> 5.9 not working as it requires rh-ruby23-ruby(release) < 2.3.7
1655773 – Service not showing VMs belong to
1656168 – ansible tower items are not listed when part of service bundles
1656169 – retirement of the parent service does not retire child catalog items

6. Package List:

CloudForms Management Engine 5.9:



These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from

7. References:

8. Contact:

The Red Hat security contact is <>. More contact
details at

Copyright 2018 Red Hat, Inc.

Author: Josip Papratovic
Cert id: NCERT-REF-2018-12-0001-ADV