(RHSA-2016:2091) Important: CFME security, and bug fix update

ID RHSA-2016:2091
Type redhat
Reporter RedHat
Modified 2016-10-20T18:08:44


Red Hat CloudForms Management Engine delivers the insight, control, and automation needed to address the challenges of managing virtual environments. CloudForms Management Engine is built on Ruby on Rails, a model-view-controller (MVC) framework for web application development. Action Pack implements the controller and the view components.

Security Fix(es):

  • CloudForms did not properly apply permissions controls to VM IDs passed by users. A remote, authenticated attacker could use this flaw to execute arbitrary VMs on systems managed by CloudForms if they know the ID of the VM. (CVE-2016-7071)
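The class of flaw described for CVE-2016-7071, acting on a user-supplied VM ID without checking it against the caller's permissions, is shown below next to a lookup scoped to the caller. This is an added Ruby illustration, not CloudForms code: `Vm`, `User`, `VM_STORE`, the tenant model and both functions are hypothetical, and the data is constructed.

```ruby
# Illustrative model only: Vm, User, VM_STORE and both functions are
# hypothetical names, not CloudForms classes. The data is constructed.
Vm   = Struct.new(:id, :name, :tenant, :state)
User = Struct.new(:name, :tenant)

class NotFound < StandardError; end

VM_STORE = {
  101 => Vm.new(101, "web-01", "tenant-a", :off),
  202 => Vm.new(202, "db-01",  "tenant-b", :off),
}

# Request parameters arrive as strings; reject anything that is not a plain integer.
def parse_vm_id(raw)
  Integer(raw.to_s, 10)
rescue ArgumentError
  raise NotFound, "VM not found"
end

# Flawed pattern: the caller is authenticated, but the ID is looked up in the
# global store, so any known ID is acted on regardless of who owns the VM.
def start_vm_unscoped(_user, raw_id)
  vm = VM_STORE[parse_vm_id(raw_id)] or raise NotFound, "VM not found"
  vm.state = :on
  vm
end

# Corrected pattern: resolve the ID only within the set the caller may see.
# Out-of-scope and nonexistent IDs give the same error, so responses do not
# confirm which IDs exist.
def start_vm_scoped(user, raw_id)
  visible = VM_STORE.select { |_id, vm| vm.tenant == user.tenant }
  vm = visible[parse_vm_id(raw_id)] or raise NotFound, "VM not found"
  vm.state = :on
  vm
end

# True when the action was refused, false when it was carried out.
def denied?
  yield
  false
rescue NotFound
  true
end
```

In a regression test for this kind of fix, the useful assertion is the negative one: a request for an ID outside the caller's scope must leave the target's state unchanged.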

This update also fixes several bugs. Documentation for these changes is available in the Release Notes linked to in the References section.

All CFME users are advised to upgrade to these updated packages, which correct these issues and add these enhancements.