(RHSA-2015:0028) Important: cfme security, bug fix, and enhancement update

2015-01-15T00:31:39
ID RHSA-2015:0028
Type redhat
Reporter RedHat
Modified 2019-03-22T23:43:13

Description

Red Hat CloudForms Management Engine delivers the insight, control, and automation needed to address the challenges of managing virtual environments. CloudForms Management Engine is built on Ruby on Rails, a model-view-controller (MVC) framework for web application development. Action Pack implements the controller and the view components.

It was found that CloudForms Management Engine exposed SQL filters via the REST API without any input escaping. An authenticated user could use this flaw to perform SQL injection attacks against the CloudForms Management Engine database. (CVE-2014-7814)
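
The flaw class described above, shown as an added example; this is not CloudForms Management Engine code. The `attr<op>value` filter syntax, the column allowlist, and the function names are assumptions made for illustration. The first function pastes client-supplied filter text into the SQL string, and the second maps the same filters to an allowlisted column, a fixed operator, and a bound value.

```ruby
# Added example, not CFME source. Filter syntax and column names are assumed.
ALLOWED_COLUMNS = %w[name vendor power_state].freeze # hypothetical allowlist
OPERATORS = { "!=" => "<>", ">=" => ">=", "<=" => "<=",
              "=" => "=", ">" => ">", "<" => "<" }.freeze
FILTER_RE = /\A([A-Za-z_]+)(!=|>=|<=|=|>|<)(.*)\z/m

# Unescaped pattern: the value from the request becomes part of the SQL text,
# so a quote character in the value ends the literal and changes the query.
def unsafe_where(filters)
  filters.map do |f|
    col, op, val = FILTER_RE.match(f).captures
    "#{col} #{op} '#{val}'"
  end.join(" AND ")
end

# Hardened pattern: the column must be on the allowlist, the operator comes
# from a fixed table, and the value is only ever returned as a bind parameter.
# The result suits a placeholder API such as ActiveRecord's where(sql, *binds).
def safe_where(filters)
  clauses = []
  binds = []
  filters.each do |f|
    m = FILTER_RE.match(f)
    raise ArgumentError, "malformed filter" unless m
    col, op, val = m.captures
    unless ALLOWED_COLUMNS.include?(col)
      raise ArgumentError, "column not filterable: #{col}"
    end
    clauses << "#{col} #{OPERATORS.fetch(op)} ?"
    binds << val
  end
  [clauses.join(" AND "), binds]
end

if __FILE__ == $PROGRAM_NAME
  sample = ["name=x' OR '1'='1", "vendor!=vmware"] # constructed input
  puts unsafe_where(sample)
  p safe_where(sample)
end
```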

It was found that the CloudForms Management Engine customization template used a default root password for newly created images if no root password was specified. (CVE-2014-3692)

These issues were discovered by the Red Hat CloudForms Team.

This update also fixes several bugs and adds various enhancements. Documentation for these changes is available from the Technical Notes document linked to in the References section.

All cfme users are advised to upgrade to these updated packages, which correct these issues and add these enhancements.