
RedHat: RHSA-2020-4134-01 Moderate: CloudForms API Security Fix

Red Hat, September 30, 2020
Red Hat has issued an update for CloudForms 5.11 to address a security vulnerability and fix bugs, improving overall system security and stability.
An update is now available for CloudForms Management Engine 5.11

Solution

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/11258

If the postgresql service is running, it will be automatically restarted after installing this update. After installing the updated packages, the httpd daemon will be restarted automatically.

Summary

Red Hat CloudForms Management Engine delivers the insight, control, and automation needed to address the challenges of managing virtual environments. CloudForms Management Engine is built on Ruby on Rails, a model-view-controller (MVC) framework for web application development. Action Pack implements the controller and the view components.
Security Fix(es):
* cfme-gemset: CloudForms: Cross Site Request Forgery in API notifications (CVE-2020-14369)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Additional Changes:
This update fixes various bugs and adds enhancements. Documentation for these changes is available from the Release Notes document linked to in the References section.

References

https://access.redhat.com/security/cve/CVE-2020-14369
https://access.redhat.com/security/updates/classification/#moderate

Package List

CloudForms Management Engine 5.11:
Source:
ansible-tower-3.6.5-1.el8at.src.rpm
cfme-5.11.8.1-1.el8cf.src.rpm
cfme-amazon-smartstate-5.11.8.1-1.el8cf.src.rpm
cfme-appliance-5.11.8.1-1.el8cf.src.rpm
cfme-gemset-5.11.8.1-1.el8cf.src.rpm
repmgr10-4.0.6-4.el8cf.src.rpm

x86_64:
ansible-tower-venv-ansible-3.6.5-1.el8at.x86_64.rpm
cfme-5.11.8.1-1.el8cf.x86_64.rpm
cfme-amazon-smartstate-5.11.8.1-1.el8cf.x86_64.rpm
cfme-appliance-5.11.8.1-1.el8cf.x86_64.rpm
cfme-appliance-common-5.11.8.1-1.el8cf.x86_64.rpm
cfme-appliance-tools-5.11.8.1-1.el8cf.x86_64.rpm
cfme-gemset-5.11.8.1-1.el8cf.x86_64.rpm
repmgr10-4.0.6-4.el8cf.x86_64.rpm
repmgr10-debuginfo-4.0.6-4.el8cf.x86_64.rpm
repmgr10-debugsource-4.0.6-4.el8cf.x86_64.rpm
These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/


Advisory ID: RHSA-2020:4134-01
Product: Red Hat CloudForms
Issue date: 2020-09-30
Cross references: RHSA-2020:3358

Topic

An update is now available for CloudForms Management Engine 5.11. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Relevant Releases Architectures

CloudForms Management Engine 5.11 - x86_64

Bugs Fixed

1672358 - [RFE] Unable to create Service Template via the API

1686077 - [RFE] : Feature request to be able to add a default date/time to Timepicker in dialog

1706848 - Not able to set specific dates and time in for timepicker in service dialog

1713205 - Dialog Dropdown value is not getting selected in first attempt

1723864 - Openstack Director nodes does not show OpenStack Service Status section - OSPD 15

1741633 - Invalid dynamic field causes service dialog to not be save-able

1772762 - [RFE] Size of disks added is not shown when VM_Reconfigure

1794551 - Security group/rule create/delete triggers targeted refresh but doesn't update in UI

1804263 - Mapping fail when selecting public network not directly belongs to the selected project.

1825961 - SmartState sometimes fails to find /var/lib/rpm/Packages file, so software collection reports no packages installed

1846273 - Cloudforms no longer sees vms in resource pools after some targetted refreshes are ran

1846623 - [RFE] "CPU Affinity" not updated for VMs on RHV providers

1846624 - [RFE] "Platform Tools" Status is set to "N/A" for all VMs on RHV providers

1851087 - [RFE] Scheduled Retirement - Check for Existing "active" Requests before creating new Request.

1856470 - repmgr10.service is failing to start on cfme db appliance reboot

1858079 - using escalate privilage with a nil become_password causes playbooks to get stuck waiting for a password
