Executive Summary

Summary
Title CloudForms 5.0.1 security, bug fix and enhancement update
Information
Name: RHSA-2019:4201
Vendor: RedHat
Severity (Vendor): N/A
First vendor Publication: 2019-12-12
Last vendor Modification: 2019-12-12
Revision: 01

Security-Database Scoring CVSS v3

CVSS vector: N/A
Overall CVSS Score: NA
Base Score: NA
Impact Sub Score: NA
Exploitability Sub Score: NA
Environmental Score: NA
Temporal Score: NA

Calculate full CVSS 3.0 Vectors scores

Security-Database Scoring CVSS v2

CVSS vector: (AV:N/AC:M/Au:N/C:N/I:N/A:C)
CVSS Base Score: 7.1
CVSS Impact Score: 6.9
CVSS Exploit Score: 8.6
Attack Range: Network
Attack Complexity: Medium
Authentication: None Required

Calculate full CVSS 2.0 Vectors scores

Detail

Problem Description:

An update is now available for CloudForms Management Engine 5.11.

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

2. Relevant releases/architectures:

CloudForms Management Engine 5.11 - noarch, x86_64

3. Description:

Red Hat CloudForms Management Engine delivers the insight, control, and automation needed to address the challenges of managing virtual environments. CloudForms Management Engine is built on Ruby on Rails, a model-view-controller (MVC) framework for web application development. Action Pack implements the controller and the view components.

Security Fix(es):

* cfme: rubygem-rubyzip denial of service via crafted ZIP file (CVE-2019-16892)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Additional Changes:

This update fixes various bugs and adds enhancements. Documentation for these changes is available from the Release Notes document linked to in the References section.

4. Solution:

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/11258

If the postgresql service is running, it will be automatically restarted after installing this update. After installing the updated packages, the httpd daemon will be restarted automatically.

5. Bugs fixed (https://bugzilla.redhat.com/):

1713400 - [RFE] Cloud Key pair don't have relationships with owner and group that build this key
1730066 - Unable to view AWS keypair list as tenant_administrator
1747179 - [Regression] [ActionView::Template::Error] undefined method `tenant_group?' while setting ownership for key pairs
1767548 - Remove .py extension from calls to virt-v2v-wrapper
1767549 - Run the preflight check of migration task before waiting for a conversion host
1767550 - [RFE] Add ability to remove all snapshots asynchronously
1767645 - [RFE] Hide the Configuration -> Database screen
1767646 - Unassigned buttons of a Service shows when its Catalog Item has custom buttons
1767647 - Unable to access "Automate/Requests" tab for a role without exposing "Service/Requests"
1767648 - Server Error (API) when creating Orchestration Template with duplicate content
1767656 - [Regression] Unable to capture memory metric from Azure instances
1767659 - Chargeback report preview fails
1767660 - Service Requests Requester dropdown not sorted
1767774 - appliance_console_cli returns 0 on failure
1767775 - [RFE] Add AWS Bahrain region to CFME
1767776 - [RFE] - Update Host/Node filter to reflect supported versions of ESX
1767777 - Typo on list of Host/Nodes global filters -- Status / Orphaned
1767783 - [RFE] Dis-allow the addition of ESX hosts directly
1767784 - Unable to receive "generalize" event from Azure after generalizing an instance
1767786 - API should not declare HTTP DELETE verb on pxe_servers collection
1767788 - The UI warning about RSA is deprecated and not true anymore.
1767789 - Passwords stored in variables(extra_vars) are visible in clear text in the Appliance evm.log
1767790 - there are exceptions "rescue in type_cast" in logs in global and remote region appliances
1767791 - Chargeback reports not working
1767796 - Add support for VM conversion host in RHV
1767809 - UI crashes when going to Details of Azure Network Port somehow associated to Load Balancers
1767810 - Traceback when clicking on Overview > Chargeback > Reports
1767811 - [RHV] Last Boot Time is "N/A" for VM if you shutdown guest
1767818 - [Regression] top_output.log only showing ruby and not the process names
1767819 - unable to remove duplicate guest devices due to memory
1767821 - [RFE] Remove list view button on my service sui page if there is no use of it
1767823 - [RFE] Generic Object builder tab cycle missing the add (commit) remove buttons
1767824 - multiple workers start the same retirement when retirement date is reached
1767833 - [UI] Erroneous behavior of spinner and spinner box in advanced search loading
1767834 - Refresh of OpenShift provider in CloudForms happen to panic apiserver
1767835 - Changing groups with a user assigned to multiple groups logs out of appliance
1767836 - Choice in Drop Down that References Category (Tag Control Item) is Incorrect
1767837 - [RFE] Automating the generation of widget content Via RESTAPI
1767880 - evm.log is full of error messages "cannot obtain exclusive access to locked queue"
1767881 - Host creds validation fails if host's ssh key has changed before
1767885 - [RFE] VMware guests are incorrectly marked as linked_clone true, remove attribute
1767886 - [RFE] custom service catalog icons being deleted are not actually deleted
1767895 - [NoMethodError]: undefined method `path' for nil:NilClass Method:[block (2 levels) in ] during scheduled NFS backup
1767896 - Lifecycle retirement fails for user that no longer has groups
1767901 - [RFE] automate method to delete a tag from a category
1768456 - Date picker takes a date previous to what is selected in the dialog
1768517 - [RFE] validate infra mappings
1768520 - [v2v] Ordering a migration plan, that contains MIGRATED VM/s, fails with an unclear error message.
1768525 - Remove Automate code for TransformationHost
1768530 - Add conversion host validation for config params
1768576 - Sporadic 404 Error when deleting custom button on generic object class
1768638 - [RFE] Import/export schedules to replicate on other sites
1771298 - CVE-2019-16892 cfme: rubygem-rubyzip denial of service via crafted ZIP file
1771737 - ping endpoint fails with "Error caught: [ActionView::MissingTemplate] Missing template ping/index"
1773666 - [RFE] Custom button: generic class level button deletion not showing a specific flash message
1773667 - Incorrect flash when custom button under generic object class is deleted
1775684 - Need the ability to configure the appliance for SAML using the appliance console CLI.

Original Source

Url : https://rhn.redhat.com/errata/RHSA-2019-4201.html

CPE: Common Platform Enumeration

Type / Description / Count
Application: 2
Application: 2
Os: 3

Alert History

Date: 2020-03-19 13:19:44 - First insertion