-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

====================================================================                   Red Hat Security Advisory

Synopsis:          Critical: CloudForms 5.0.7 bug fix and enhancement update
Advisory ID:       RHSA-2020:3358-01
Product:           Red Hat CloudForms
Advisory URL:      https://access.redhat.com/errata/RHSA-2020:3358
Issue date:        2020-08-06
Cross references:  RHSA-2020:2480
CVE Names:         CVE-2020-10777 CVE-2020-10778 CVE-2020-10779 
                   CVE-2020-10780 CVE-2020-10783 CVE-2020-14296 
                   CVE-2020-14324 CVE-2020-14325 
====================================================================
1. Summary:

An update is now available for CloudForms Management Engine 5.11.

Red Hat Product Security has rated this update as having a security impact
of Critical. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Relevant releases/architectures:

CloudForms Management Engine 5.11 - noarch, x86_64

3. Description:

Red Hat CloudForms Management Engine delivers the insight, control, and
automation needed to address the challenges of managing virtual
environments. CloudForms Management Engine is built on Ruby on Rails, a
model-view-controller (MVC) framework for web application development.
Action Pack implements the controller and the view components.

Security Fix(es):

* cfme: CloudForms: CSV Injection in Orchestration Templates
(CVE-2020-10780)

* cfme: CloudForms: Server-Side Request Forgery (SSRF) in Ansible Tower
Provider (CVE-2020-14296)

* cfme: CloudForms: Out-of-band OS Command Injection through conversion
host (CVE-2020-14324)

* cfme: CloudForms: User Impersonation in the API for OIDC and SAML
(CVE-2020-14325)

* cfme-gemset: CloudForms: Cross Site Scripting in report menu title / HTML
Code Injection (CVE-2020-10777)

* cfme-gemset: CloudForms: Business logic bypass through widgets
(CVE-2020-10778)

* cfme-gemset: CloudForms: Missing functional level access control & IDOR
lead to compromise (CVE-2020-10779)

* cfme-gemset: CloudForms: Missing access control leads to escalation of
admin group privileges (CVE-2020-10783)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

Red Hat would like to thank Purnachand Pulahari (IBM) and Ranjit Kumar
Singh (IBM) for reporting CVE-2020-10777, CVE-2020-10778, CVE-2020-10779,
CVE-2020-10780, CVE-2020-10783, CVE-2020-14296 and CVE-2020-14324.
CVE-2020-14325 was discovered by Alberto Bellotti (Red Hat).

Additional Changes:

This update fixes various bugs and adds enhancements. Documentation for
these changes is available from the Release Notes document linked to in the
References section.

4. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

https://access.redhat.com/articles/11258

If the postgresql service is running, it will be automatically restarted
after installing this update. After installing the updated packages, the
httpd daemon will be restarted automatically.

5. Bugs fixed (https://bugzilla.redhat.com/):

1671330 - [RFE] Support for disk resize on RHV
1713212 - In service order page it show the  default value even though its not selected in dialog
1734629 - [RFE] set_stats - Support object update using playbook set_stats naming convention
1734630 - [RFE] set_stats - Support setting service_var from set_stats with naming convention
1741310 - "Add a provider" button for Ansible Tower provider disappears after clicking item in accordion
1753586 - Imported System Domains can not be deleted in CloudForms
1757128 - [RFE] Support Events from Service Telemetry Framework in OSP 16.1
1770197 - Upload custom image for service catalog items via API fails.
1809033 - [RFE] Create virt-v2v-wrapper state file as early as possible
1810040 - Migration progress status in virt-v2v-wrapper.log gets skipped
1810477 - The UI to create an embedded Ansible service allows for invalid combinations of options
1826410 - Build of rugged doesn't allow for SSH auth
1832278 - remove public pool while configuring NTP settings
1834219 - Unable to edit service dialogs
1836125 - User not able to view Ansible Service task output after upgrade to 5.0
1836158 - the url setting for ui is nil in central region if set to https in a sub region
1837993 - [RFE] Ability to order a request based on the previous one.
1838704 - [RFE] Add ability to select all the projects under a specific tenant while creating a Catalog item
1839770 - Retirement of a vm from central region fails with "invalid system authentication token specified"
1845281 - EmbeddedAnsible UI doesn't allow for file:// git urls
1846281 - deadlock errors updating and reindexing miq_workers table on 5.11.5
1847410 - Waiting for IP address is very long after migration
1847605 - CVE-2020-10777 CloudForms: Cross Site Scripting in report menu title / HTML Code Injection
1847628 - CVE-2020-10778 CloudForms: Business logic bypass through widgets
1847647 - CVE-2020-10779 CloudForms: Missing functional level access control & IDOR lead to compromise
1847794 - CVE-2020-10780 CloudForms: CSV Injection in Orchestration Templates
1847811 - CVE-2020-10783 CloudForms: Missing access control leads to escalation of admin group privileges
1847860 - CVE-2020-14296 CloudForms: Server-Side Request Forgery (SSRF) in Ansible Tower Provider
1847884 - [v2v] Failed to enable conversion host - failure: "No package nbdkit-plugin-python2 available"
1847898 - [v2v] Conversion host enable playbook looks for vddk version 7 while version 6.7 was provided
1848265 - Provider Refresh fails for OpenStack with error 'no implicit conversion of nil into String'
1850952 - [v2v] "TypeError: cannot use a bytes pattern on a string-like object" when running conversion host enable playbook
1855713 - CVE-2020-14324 CloudForms: Out-of-band OS Command Injection through conversion host
1855739 - CVE-2020-14325 CloudForms: User Impersonation in the API for OIDC and SAML

6. Package List:

CloudForms Management Engine 5.11:

Source:
cfme-5.11.7.3-1.el8cf.src.rpm
cfme-amazon-smartstate-5.11.7.3-1.el8cf.src.rpm
cfme-appliance-5.11.7.3-1.el8cf.src.rpm
cfme-gemset-5.11.7.3-1.el8cf.src.rpm
v2v-conversion-host-1.16.2-3.el8ev.src.rpm

noarch:
v2v-conversion-host-ansible-1.16.2-3.el8ev.noarch.rpm

x86_64:
cfme-5.11.7.3-1.el8cf.x86_64.rpm
cfme-amazon-smartstate-5.11.7.3-1.el8cf.x86_64.rpm
cfme-appliance-5.11.7.3-1.el8cf.x86_64.rpm
cfme-appliance-common-5.11.7.3-1.el8cf.x86_64.rpm
cfme-appliance-tools-5.11.7.3-1.el8cf.x86_64.rpm
cfme-gemset-5.11.7.3-1.el8cf.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2020-10777
https://access.redhat.com/security/cve/CVE-2020-10778
https://access.redhat.com/security/cve/CVE-2020-10779
https://access.redhat.com/security/cve/CVE-2020-10780
https://access.redhat.com/security/cve/CVE-2020-10783
https://access.redhat.com/security/cve/CVE-2020-14296
https://access.redhat.com/security/cve/CVE-2020-14324
https://access.redhat.com/security/cve/CVE-2020-14325
https://access.redhat.com/security/updates/classification/#critical
https://access.redhat.com/documentation/en-us/red_hat_cloudforms/5.0/html/release_notes

8. Contact:

The Red Hat security contact is . More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2020 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBXywU6tzjgjWX9erEAQidrA/+IMA2eXfKF1oLtcHQ6Il0SeFT4FLHWCQw
jahD/Vn8ZZy8BFWG9Go5T4dkbC9yLGeYSZ6I1tvNEZ6awF3GR6l/XwVYEVG7sm01
Hz6B342HreaMVNILw8+qxqComPRJsCkncK/61+ixl5QQgFIvk3svO9lxt0pgJCQQ
4KodkMgl6hRoj26KapjWj7CqDx1KJg/hkkaev8ljOxTXbaRXux7a6/X+1MiMY2km
1/dcgfa6RJvCKL+JHTGshfNP2nTAN4KQUDNbW2CZMU0Ww4LOdkXudyv9Ql3U9HGs
Q60oMLDa8d9L6EVrucTL3P1ObDY6vW/uIwJJ4sLESwyqJJYJOrUEAtT2rEV1Cbb3
BwgQ9utWsJT+DQfMoIQSkuotShRJHA6NRRgQVwTYzS+kj60QgXkI6GY0LS3VrBKv
8FdHEXbZHq5xJ/nm7uVQ0c0jQcy54mStbuWzpI+z62rNntZQsJFjFwMKY7hebyNX
Mzl0WFa/9glTXHdFSTK1B0wsDmDUIKCD8po0XBd5OHz5Ymxv4QCXh36V8Hc/cS+w
reNut1wbde18TYODi9ZDzDRbJk3rIexuCAHnb+ej2x50ShuYZv/PPB1ZVkYhiWJg
Qn33n6KVXb6NioTXAEssPjffhTFatwUKDkgQozB6YByHITY1/84IaKhVxlQlhjPA
QcxDbp+9Df8=ge0K
-----END PGP SIGNATURE-----

--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce

RedHat: RHSA-2020-3358:01 Critical: CloudForms 5.0.7 bug fix and

An update is now available for CloudForms Management Engine 5.11

Summary

Red Hat CloudForms Management Engine delivers the insight, control, and automation needed to address the challenges of managing virtual environments. CloudForms Management Engine is built on Ruby on Rails, a model-view-controller (MVC) framework for web application development. Action Pack implements the controller and the view components.
Security Fix(es):
* cfme: CloudForms: CSV Injection in Orchestration Templates (CVE-2020-10780)
* cfme: CloudForms: Server-Side Request Forgery (SSRF) in Ansible Tower Provider (CVE-2020-14296)
* cfme: CloudForms: Out-of-band OS Command Injection through conversion host (CVE-2020-14324)
* cfme: CloudForms: User Impersonation in the API for OIDC and SAML (CVE-2020-14325)
* cfme-gemset: CloudForms: Cross Site Scripting in report menu title / HTML Code Injection (CVE-2020-10777)
* cfme-gemset: CloudForms: Business logic bypass through widgets (CVE-2020-10778)
* cfme-gemset: CloudForms: Missing functional level access control & IDOR lead to compromise (CVE-2020-10779)
* cfme-gemset: CloudForms: Missing access control leads to escalation of admin group privileges (CVE-2020-10783)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Red Hat would like to thank Purnachand Pulahari (IBM) and Ranjit Kumar Singh (IBM) for reporting CVE-2020-10777, CVE-2020-10778, CVE-2020-10779, CVE-2020-10780, CVE-2020-10783, CVE-2020-14296 and CVE-2020-14324. CVE-2020-14325 was discovered by Alberto Bellotti (Red Hat).
Additional Changes:
This update fixes various bugs and adds enhancements. Documentation for these changes is available from the Release Notes document linked to in the References section.



Summary


Solution

For details on how to apply this update, which includes the changes described in this advisory, refer to:
https://access.redhat.com/articles/11258
If the postgresql service is running, it will be automatically restarted after installing this update. After installing the updated packages, the httpd daemon will be restarted automatically.

References

https://access.redhat.com/security/cve/CVE-2020-10777 https://access.redhat.com/security/cve/CVE-2020-10778 https://access.redhat.com/security/cve/CVE-2020-10779 https://access.redhat.com/security/cve/CVE-2020-10780 https://access.redhat.com/security/cve/CVE-2020-10783 https://access.redhat.com/security/cve/CVE-2020-14296 https://access.redhat.com/security/cve/CVE-2020-14324 https://access.redhat.com/security/cve/CVE-2020-14325 https://access.redhat.com/security/updates/classification/#critical https://access.redhat.com/documentation/en-us/red_hat_cloudforms/5.0/html/release_notes

Package List

CloudForms Management Engine 5.11:
Source: cfme-5.11.7.3-1.el8cf.src.rpm cfme-amazon-smartstate-5.11.7.3-1.el8cf.src.rpm cfme-appliance-5.11.7.3-1.el8cf.src.rpm cfme-gemset-5.11.7.3-1.el8cf.src.rpm v2v-conversion-host-1.16.2-3.el8ev.src.rpm
noarch: v2v-conversion-host-ansible-1.16.2-3.el8ev.noarch.rpm
x86_64: cfme-5.11.7.3-1.el8cf.x86_64.rpm cfme-amazon-smartstate-5.11.7.3-1.el8cf.x86_64.rpm cfme-appliance-5.11.7.3-1.el8cf.x86_64.rpm cfme-appliance-common-5.11.7.3-1.el8cf.x86_64.rpm cfme-appliance-tools-5.11.7.3-1.el8cf.x86_64.rpm cfme-gemset-5.11.7.3-1.el8cf.x86_64.rpm
These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/


Severity
Advisory ID: RHSA-2020:3358-01
Product: Red Hat CloudForms
Advisory URL: https://access.redhat.com/errata/RHSA-2020:3358
Issued Date: : 2020-08-06
Cross references: RHSA-2020:2480
CVE Names: CVE-2020-10777 CVE-2020-10778 CVE-2020-10779 CVE-2020-10780 CVE-2020-10783 CVE-2020-14296 CVE-2020-14324 CVE-2020-14325

Topic

An update is now available for CloudForms Management Engine 5.11.Red Hat Product Security has rated this update as having a security impactof Critical. A Common Vulnerability Scoring System (CVSS) base score, whichgives a detailed severity rating, is available for each vulnerability fromthe CVE link(s) in the References section.


Topic


 

Relevant Releases Architectures

CloudForms Management Engine 5.11 - noarch, x86_64


Bugs Fixed

1671330 - [RFE] Support for disk resize on RHV

1713212 - In service order page it show the default value even though its not selected in dialog

1734629 - [RFE] set_stats - Support object update using playbook set_stats naming convention

1734630 - [RFE] set_stats - Support setting service_var from set_stats with naming convention

1741310 - "Add a provider" button for Ansible Tower provider disappears after clicking item in accordion

1753586 - Imported System Domains can not be deleted in CloudForms

1757128 - [RFE] Support Events from Service Telemetry Framework in OSP 16.1

1770197 - Upload custom image for service catalog items via API fails.

1809033 - [RFE] Create virt-v2v-wrapper state file as early as possible

1810040 - Migration progress status in virt-v2v-wrapper.log gets skipped

1810477 - The UI to create an embedded Ansible service allows for invalid combinations of options

1826410 - Build of rugged doesn't allow for SSH auth

1832278 - remove public pool while configuring NTP settings

1834219 - Unable to edit service dialogs

1836125 - User not able to view Ansible Service task output after upgrade to 5.0

1836158 - the url setting for ui is nil in central region if set to https in a sub region

1837993 - [RFE] Ability to order a request based on the previous one.

1838704 - [RFE] Add ability to select all the projects under a specific tenant while creating a Catalog item

1839770 - Retirement of a vm from central region fails with "invalid system authentication token specified"

1845281 - EmbeddedAnsible UI doesn't allow for file:// git urls

1846281 - deadlock errors updating and reindexing miq_workers table on 5.11.5

1847410 - Waiting for IP address is very long after migration

1847605 - CVE-2020-10777 CloudForms: Cross Site Scripting in report menu title / HTML Code Injection

1847628 - CVE-2020-10778 CloudForms: Business logic bypass through widgets

1847647 - CVE-2020-10779 CloudForms: Missing functional level access control & IDOR lead to compromise

1847794 - CVE-2020-10780 CloudForms: CSV Injection in Orchestration Templates

1847811 - CVE-2020-10783 CloudForms: Missing access control leads to escalation of admin group privileges

1847860 - CVE-2020-14296 CloudForms: Server-Side Request Forgery (SSRF) in Ansible Tower Provider

1847884 - [v2v] Failed to enable conversion host - failure: "No package nbdkit-plugin-python2 available"

1847898 - [v2v] Conversion host enable playbook looks for vddk version 7 while version 6.7 was provided

1848265 - Provider Refresh fails for OpenStack with error 'no implicit conversion of nil into String'

1850952 - [v2v] "TypeError: cannot use a bytes pattern on a string-like object" when running conversion host enable playbook

1855713 - CVE-2020-14324 CloudForms: Out-of-band OS Command Injection through conversion host

1855739 - CVE-2020-14325 CloudForms: User Impersonation in the API for OIDC and SAML


Related News

24.Key Code Esm H320
2 - 3 min read
The Akira ransomware group has extorted approximately $42 million from over 250 victims since January 1, 2024. The group initially focused on
5.ShakingHands Esm H320
2 - 3 min read
At The Linux Foundation's Open Source Summit North America , Linus Torvalds, the creator of Linux, discussed various topics related to Linux
30.Lock Globe Motherboard Esm H320
1 - 2 min read
The SPDX 3.0 release marks a significant milestone in software management, particularly for Linux admins, infosec professionals, internet security
11.Locks IsometricPattern Esm H320
2 - 3 min read
Open Source maintainers and developers have been warned about the continued wave of attacks aimed at project maintainers similar to those recently
28.Lock Globe Esm H320
1 - 2 min read
A resurgence of cyberattacks targeting Linux systems in Asian campaigns through the utilization of the Pupy Remote Access Trojan (RAT) has been
27.Tablet Connections Blocks Lock Esm H320
2 - 4 min read
Canonical has recently announced the Beta release of Ubuntu Linux 24.04 LTS , codenamed "Noble Numbat." This release aims to continue Ubuntu's
21.Globe RadiatingCode Esm H320
2 - 3 min read
The open-source movement has come a long way, from its origins in the 1960s and 1970s to becoming an integral part of organizations worldwide.
13.Lock StylizedMotherboard Esm H320
2 - 3 min read
The Rust-based Edera project demonstrates a unique approach to container security that addresses cloud-native computing challenges. Let's examine
Sign Up

Get the Latest News & Insights

Sign up to get the latest security news affecting Linux and open source delivered straight to your inbox.

© 2024 Guardian Digital, Inc All Rights Reserved