Red Hat Product Errata RHSA-2018:3816 - Security Advisory
Issued: 2018-12-13
Updated: 2018-12-13

Synopsis

Important: CloudForms 4.6.6 security, bug fix and enhancement update

Type/Severity

Security Advisory: Important

Topic

An update is now available for CloudForms Management Engine 5.9.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

Red Hat CloudForms Management Engine delivers the insight, control, and automation needed to address the challenges of managing virtual environments. CloudForms Management Engine is built on Ruby on Rails, a model-view-controller (MVC) framework for web application development. Action Pack implements the controller and the view components.

Security Fix(es):

  • postgresql: Certain host connection parameters defeat client-side security defenses (CVE-2018-10915)
  • postgresql: Missing authorization and memory disclosure in INSERT ... ON CONFLICT DO UPDATE statements (CVE-2018-10925)
  • postgresql: pg_upgrade creates file of sensitive metadata under prevailing umask (CVE-2018-1053)
  • postgresql: Uncontrolled search path element in pg_dump and other client applications (CVE-2018-1058)

For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.

Red Hat would like to thank the PostgreSQL project for reporting CVE-2018-10915, CVE-2018-10925 and CVE-2018-1053. Upstream acknowledges Andrew Krasichkov as the original reporter of CVE-2018-10915; and Tom Lane as the original reporter of CVE-2018-1053.

Additional Changes:

This update fixes various bugs and adds enhancements. Documentation for these changes is available from the Release Notes document.

Solution

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/11258

If the postgresql service is running, it will be automatically restarted after installing this update. After installing the updated packages, the httpd daemon will be restarted automatically.

Affected Products

  • Red Hat CloudForms 4.6 x86_64

Fixes

  • BZ - 1539619 - CVE-2018-1053 postgresql: pg_upgrade creates file of sensitive metadata under prevailing umask
  • BZ - 1547044 - CVE-2018-1058 postgresql: Uncontrolled search path element in pg_dump and other client applications
  • BZ - 1609891 - CVE-2018-10915 postgresql: Certain host connection parameters defeat client-side security defenses
  • BZ - 1610547 - [v2v] [RFE] Migrating VM with multiple DPG's fail to get assigned with correct NICs on RHV
  • BZ - 1612619 - CVE-2018-10925 postgresql: Missing authorization and memory disclosure in INSERT ... ON CONFLICT DO UPDATE statements
  • BZ - 1618836 - Changing action order in catalog bundle removes resource
  • BZ - 1623562 - [RFE] Don't show allocated IPs in dropdown while assigning floating IPs via CloudForms
  • BZ - 1634809 - Button enablement and visibility by tag not working for buttons on Ansible services
  • BZ - 1635034 - In the self service portal, reconfigure service shows "No Provisioning Dialog Available"
  • BZ - 1635255 - Reports do not run when submitted through a UI which does not have reporting role on.
  • BZ - 1635759 - Buttons not sorted in button group on Ansible Service
  • BZ - 1635788 - Reverting snapshot fails for OpenStack instances
  • BZ - 1638501 - Cannot login with an uppercase letter in username
  • BZ - 1639351 - WebSocket push notifications no longer work in SUI
  • BZ - 1639353 - [URI::InvalidComponentError]: bad component(expected host component): Method:[block in method_missing]
  • BZ - 1639364 - Cannot change appliance name
  • BZ - 1640194 - Service Dialogs are slow
  • BZ - 1640258 - Update miqssh utilities.
  • BZ - 1640629 - Variables field in provisioning a new service catalog item (Ansible playbook) changes when typing information into it
  • BZ - 1640631 - User ID for Service Retirement Task Changes During Retires When First Retirement Fails
  • BZ - 1641771 - Copying a custom report from a custom report menu changes source report name
  • BZ - 1643042 - [RFE][Providers][RHOS] - Some flavors not visible in Instance Type dropdown when creating instance
  • BZ - 1643261 - Unable to retire service via Global region
  • BZ - 1643263 - Custom button[Template/Image]: after dialog execution not return to Detail page
  • BZ - 1643539 - Validation failed: Description is not unique within region 1 Method:[block in method_missing]
  • BZ - 1643959 - Custom Operator Role Can Edit Tags from Datastore Tab but not Through Provider > Datastore
  • BZ - 1644410 - syncrou.manageiq-automate : Initialize the Workspace failed
  • BZ - 1645198 - Unexpected error encountered when trying to cancel SSA scan task
  • BZ - 1645204 - Custom Button: Navigation with relationship table breaks button display on destination.
  • BZ - 1646435 - Prevent Service Ordering directly from REST-API
  • BZ - 1646561 - The Server Name and Zone Name in the configuration page is blank upon visiting.
  • BZ - 1646564 - Bad UI after adding a schedule for report
  • BZ - 1646571 - Embedded Ansible: Wrong message in Notifications
  • BZ - 1646599 - need to choose date two times in timepicker to take effect
  • BZ - 1646604 - Button to start an ansible playbook does not work under self service portal
  • BZ - 1646605 - Custom buttons that utilize dialogs with dynamic elements not do not populate from service UI
  • BZ - 1646606 - Getting CORS error while creating quotas via javascript
  • BZ - 1646613 - Extra buttons on Container Provider page
  • BZ - 1646629 - Embedded Ansible needs a retry interval. We are currently setting limit and not interval.
  • BZ - 1646646 - Azure refresh fails with [NoMethodError]: undefined method `sku'
  • BZ - 1647056 - Memory peak usage of allocated for collected intervals (30 day average) field does not generate within report
  • BZ - 1647108 - Infrastructure mapping not available shown incorrectly on Migration Plan
  • BZ - 1647188 - unable to edit tags on an infrastructure host
  • BZ - 1647489 - [Containers] Cannot Validate Metrics Endpoint for OCP Provider
  • BZ - 1648674 - Unable to update Cloud Volume using CFME 5.9 with OSP 14
  • BZ - 1648948 - Tags responding to `show` with true and having no classification produce 500-level errors for URL of `/api/tags?expand=resources&attributes=category,categorization`
  • BZ - 1648955 - No registered resource provider found for location 'germanycentral' and API version '2014-04-01' for type 'virtualMachines'
  • BZ - 1648991 - [RFE] Setting Retirement for a Service in Global Region Does Not get Replicated to Local Region
  • BZ - 1649033 - Roles with SUI privileges can't access Services, Orders in SUI in empty appliance
  • BZ - 1649380 - Dynamic Dropdown Multiselect: Default element is blank when loaded by another element
  • BZ - 1649419 - SUI permissions not showing catalogs and not hiding snapshots menu
  • BZ - 1650691 - Setting retirement date for Service via Centralized Administration raises InterRegionApiMethodRelayError
  • BZ - 1651291 - [Regression] Static Dialogs are not Populated when Submitting API Requests for Service Catalog
  • BZ - 1651347 - Amazon API filter limit breaks targeted refresh for more than 200 items
  • BZ - 1651391 - Orchestration catalog items cannot be submitted because of tenant error
  • BZ - 1653417 - CFME should not assign flavor id in OSP provider.
  • BZ - 1653710 - Internet Explorer (IE) not able to login to CloudForms
  • BZ - 1654436 - Remove_from_disk method is leaving VMs in an Orphaned State for VMware Provider
  • BZ - 1654463 - Memory utilization by node is incorrect in Provider Overview page
  • BZ - 1655081 - Catalog bundle resources not retiring
  • BZ - 1655143 - cfme upgrade 5.8 --> 5.9 not working as it requires rh-ruby23-ruby(release) < 2.3.7
  • BZ - 1655773 - Service not showing VMs belong to
  • BZ - 1656168 - ansible tower items are not listed when part of service bundles
  • BZ - 1656169 - retirement of the parent service does not retire child catalog items

CVEs

  • CVE-2018-1053
  • CVE-2018-1058
  • CVE-2018-10915
  • CVE-2018-10925

References

  • https://access.redhat.com/security/updates/classification/#important
  • https://access.redhat.com/documentation/en-us/red_hat_cloudforms/4.6/html/release_notes
Note: More recent versions of these packages may be available. Click a package name for more details.

Red Hat CloudForms 4.6

SRPM
cfme-5.9.6.5-3.el7cf.src.rpm SHA-256: f797e7f5dd4582977499657599349186517a6b82058a340d5c2b075122da824c
cfme-amazon-smartstate-5.9.6.5-2.el7cf.src.rpm SHA-256: 717c84679f709e84887d4cfab3ee714521842e2b308f2b95fb93cd26cf5c20e8
cfme-appliance-5.9.6.5-1.el7cf.src.rpm SHA-256: 107e1ad7abacf055804882ae8f7e3a82c4edb17aa60eafdb6c245da2e246f418
cfme-gemset-5.9.6.5-2.el7cf.src.rpm SHA-256: 679f52ea9453312c1132f70204f02d46c8ac83c6c326fd9a4eddfc78996bf9b2
dbus-api-service-1.0.1-3.1.el7cf.src.rpm SHA-256: 720046999904819d4b4a4e05dd9be0edf2b42c2b468bb3fa3a95d911202e8fb2
httpd-configmap-generator-0.2.2-1.2.el7cf.src.rpm SHA-256: f58e318e368a0fd9582685d3d251a965e4ad8826e9f90826152b2f386843c877
postgresql96-9.6.10-1PGDG.el7at.src.rpm SHA-256: cd533d118a662ccae991715d558b30b3be820dbbcd7feb02941aabd26e31e1c3
x86_64
cfme-5.9.6.5-3.el7cf.x86_64.rpm SHA-256: 70cc9811e915cfbf06a5f8ac892fecf466234daa51bc315724484c4d13da744b
cfme-amazon-smartstate-5.9.6.5-2.el7cf.x86_64.rpm SHA-256: feb659c7a4bf656962694d76a92ad0524c9c417085a1da1c4d9750423df9908d
cfme-appliance-5.9.6.5-1.el7cf.x86_64.rpm SHA-256: 68b3c4771c2ff95e0e8fd59dd22653ea4445a1a35bc6fe7c6882cf3b1bf21259
cfme-appliance-common-5.9.6.5-1.el7cf.x86_64.rpm SHA-256: 58f9f979d3b71396719c93105aec8144fed84ca2ef2839d16d20a89264b02c6f
cfme-appliance-debuginfo-5.9.6.5-1.el7cf.x86_64.rpm SHA-256: 9f0eb7a2a9ddf2094e2828707dee1199b2a85a9cc6d0ad93b3425da4373876c6
cfme-appliance-tools-5.9.6.5-1.el7cf.x86_64.rpm SHA-256: 21eda44c94c8f7759f2d2877ffb1269e60db5fbe6a6938a1361be57eb68dbbbf
cfme-debuginfo-5.9.6.5-3.el7cf.x86_64.rpm SHA-256: 60ed236359ecd6db3a4d7f8ec57913481a1be0b4db084c4ccfe15216b062d1cb
cfme-gemset-5.9.6.5-2.el7cf.x86_64.rpm SHA-256: 65578b0423d8f8da55cf185fe5a7a2138bddf309848997925e5d8237cba5eefe
cfme-gemset-debuginfo-5.9.6.5-2.el7cf.x86_64.rpm SHA-256: b13acef67777cb9b0dd13139825ebb2efa2cb4e160f08c570be36357fca693e2
dbus-api-service-1.0.1-3.1.el7cf.x86_64.rpm SHA-256: dde12b9f2a331ed8efeba13009d89d688d740d8df7ce8248fb928cd9e21d2274
httpd-configmap-generator-0.2.2-1.2.el7cf.x86_64.rpm SHA-256: ca66d03bc1933df6c2fc482565e4123e18f5c58574a170c93a87216fc8febbee
postgresql96-9.6.10-1PGDG.el7at.x86_64.rpm SHA-256: 09f025dd173ff505f3ed656f787e95656b11f734bdcdcc94cb37068fbf08c508
postgresql96-contrib-9.6.10-1PGDG.el7at.x86_64.rpm SHA-256: 8f0f048a93656ce2a98f413e0fc1e0f8899bc1f698ac0c96938f5a6197d50df4
postgresql96-debuginfo-9.6.10-1PGDG.el7at.x86_64.rpm SHA-256: fc3cf2c3ee489f4e8b85a93283c83809f9bfdd23489f252be2f349d179ad6e9e
postgresql96-devel-9.6.10-1PGDG.el7at.x86_64.rpm SHA-256: 4af2778a31eb05009b867885c32a9b7a4722aa0f45d9eabdce5f342bf6cd46dc
postgresql96-docs-9.6.10-1PGDG.el7at.x86_64.rpm SHA-256: 8d59d588f619fa9bbbf49703106aa138d5b9e7f7cf357cd5694c0b1c62b59627
postgresql96-libs-9.6.10-1PGDG.el7at.x86_64.rpm SHA-256: a56677a7eaf70eeedacdf23c01eff878652b7e2eb901adb08d05a5b2c2eb0024
postgresql96-plperl-9.6.10-1PGDG.el7at.x86_64.rpm SHA-256: 80d35c743fa22b69426c6cb6d3fd26cd96be7be550f76a5e4822bbba0d20b3e0
postgresql96-plpython-9.6.10-1PGDG.el7at.x86_64.rpm SHA-256: 4bc969b595108c8f5aaa81ce3b2f69fc3e754cb6c1f5cf7b22dbe69b3eee7b0a
postgresql96-pltcl-9.6.10-1PGDG.el7at.x86_64.rpm SHA-256: 37f414ae595d81112693c68ec4f7a729157fac6ef69626b775191d13d4e5a5f7
postgresql96-server-9.6.10-1PGDG.el7at.x86_64.rpm SHA-256: f4981078f0ae3f9a5b8777ed3ac7fb833937de246996321106fb3160199174a2
postgresql96-test-9.6.10-1PGDG.el7at.x86_64.rpm SHA-256: b2ea406554af7a7ef6f17eb152ef69592373bb87e853a1196c6424edaf664eb3

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.
