Red Hat CloudForms is an on-premise hybrid cloud Infrastructure-as-a-Service (IaaS) product that lets you create and manage private and public clouds.
This update fixes bugs in and adds enhancements to the System Engine packages, and upgrades the system to CloudForms 1.1.
This update also fixes the following security issues:
It was discovered that Katello did not properly check user permissions when handling certain requests. An authenticated remote attacker could use this flaw to download consumer certificates or change settings of other users' systems if they knew the target system's UUID. (CVE-2012-5603)
It was discovered that Pulp logged administrative passwords to a world-readable log file. A local attacker could use this flaw to control systems deployed and managed by CloudForms. (CVE-2012-3538)
It was discovered that the Pulp configuration file pulp.conf was installed as world readable. A local attacker could use this flaw to view the administrative password, allowing them to control systems deployed and managed by CloudForms. (CVE-2012-4574)
It was discovered that grinder used insecure permissions for its cache directory. A local attacker could use this flaw to access or modify files in the cache. (CVE-2012-5605)
The CVE-2012-5603 issue was discovered by Lukas Zapletal of Red Hat; CVE-2012-3538 was discovered by James Laska of Red Hat; CVE-2012-4574 was discovered by Kurt Seifried of Red Hat; and CVE-2012-5605 was discovered by James Labocki of Red Hat.
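Three of the four issues above (CVE-2012-3538, CVE-2012-4574, CVE-2012-5605) share one root cause: a file or directory holding secrets was created with the "other" read bit set. The following POSIX shell audit is an added example, not part of the advisory or of Red Hat's packages; the file names and locations it checks are constructed placeholders, since the advisory names only pulp.conf and gives no paths.

```shell
#!/bin/sh
# Added example: flag files whose mode grants read access to "other" (o+r),
# the misconfiguration behind the Pulp and grinder findings in this advisory.
# Paths used below are constructed placeholders, not real CloudForms locations.

# Print the octal permission bits of a path (GNU stat first, BSD stat fallback).
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Return 0 if the path is world-readable, 1 if not, 2 if it does not exist.
world_readable() {
    path=$1
    [ -e "$path" ] || return 2
    mode=$(mode_of "$path")
    other=$(( mode % 10 ))          # last octal digit = permissions for "other"
    [ $(( other & 4 )) -ne 0 ]      # bit 4 of that digit is the read bit
}

# Audit every path given; report each offender and return 1 if any was found.
audit_world_readable() {
    rc=0
    for p in "$@"; do
        if world_readable "$p"; then
            echo "WARN: $p is world-readable (mode $(mode_of "$p"))"
            rc=1
        fi
    done
    return $rc
}

# Demonstration on constructed files standing in for pulp.conf, the Pulp log
# and grinder's cache directory.
demo_dir=$(mktemp -d)
touch "$demo_dir/pulp.conf" "$demo_dir/pulp.log"
mkdir "$demo_dir/grinder-cache"
chmod 644 "$demo_dir/pulp.conf"      # weak: any local user can read the admin password
chmod 640 "$demo_dir/pulp.log"       # acceptable: owner and group only
chmod 777 "$demo_dir/grinder-cache"  # weak: any local user can read or modify the cache
audit_world_readable "$demo_dir/pulp.conf" "$demo_dir/pulp.log" "$demo_dir/grinder-cache" || true
rm -rf "$demo_dir"
```

Run it against the real pulp.conf, the Pulp log and the grinder cache directory on an upgraded host to confirm the updated packages no longer leave them world-readable.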
After upgrading to these new packages, follow the instructions in the "4.1. Upgrading CloudForms System Engine" section of the CloudForms 1.1 Installation Guide:
To view the full list of changes in this update, view the CloudForms Technical Notes:
Users are advised to upgrade to these updated CloudForms System Engine packages, which resolve these issues and add these enhancements.