8.8 High (CVSS3)

Metric | Value |
---|---|
Attack Vector | NETWORK |
Attack Complexity | LOW |
Privileges Required | LOW |
User Interaction | NONE |
Scope | UNCHANGED |
Confidentiality Impact | HIGH |
Integrity Impact | HIGH |
Availability Impact | HIGH |
Vector string | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |

9 High (CVSS2)

Metric | Value |
---|---|
Access Vector | NETWORK |
Access Complexity | LOW |
Authentication | SINGLE |
Confidentiality Impact | COMPLETE |
Integrity Impact | COMPLETE |
Availability Impact | COMPLETE |
Vector string | AV:N/AC:L/Au:S/C:C/I:C/A:C |

0.974 High (EPSS)

Metric | Value |
---|---|
Percentile | 99.9% |
Red Hat CloudForms Management Engine delivers the insight, control, and automation needed to address the challenges of managing virtual environments. CloudForms Management Engine is built on Ruby on Rails, a model-view-controller (MVC) framework for web application development. Action Pack implements the controller and the view components.
The following packages have been upgraded to a later upstream version: ansible-tower (3.1.5), cfme (5.8.2.3), cfme-appliance (5.8.2.3), cfme-gemset (5.8.2.3), rabbitmq-server (3.6.9), rh-ruby23-rubygem-nokogiri (1.8.1), supervisor (3.1.4). (BZ#1476286, BZ#1485484)
Security Fix(es):
A flaw was found in Tower’s interface with SCM repositories. If a Tower project (SCM repository) definition does not have the ‘delete before update’ flag set, an attacker with commit access to the upstream playbook source repository could create a Trojan playbook that, when executed by Tower, modifies the checked out SCM repository to add git hooks. These git hooks could, in turn, cause arbitrary command and code execution as the user Tower runs as. (CVE-2017-12148)
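The mechanism above is that a checkout left in place between updates can carry git hooks that were never part of a clean clone, and git runs those hooks under whatever account performs the next operation. The following is an added example, not code from the Red Hat advisory or from Ansible Tower, that audits a project checkout for such hooks from the defender's side: a fresh clone contains only the `*.sample` files git installs, so any other file in `.git/hooks` was added afterwards and deserves review. The hook name list and the constructed checkout it builds under a temporary directory are assumptions made for the demonstration.

```python
"""Audit a checked-out SCM project directory for active git hooks.

Added example, not part of the Red Hat advisory or of Ansible Tower.
A fresh clone ships only the *.sample files that git installs in
.git/hooks; any other file there was added after checkout and would
run under the account that performs the next git operation, which is
the behaviour the advisory for CVE-2017-12148 describes.
"""
import stat
import tempfile
from pathlib import Path

# Hook names git itself recognises. Assumption: this list covers the
# hooks relevant to a checkout/update workflow; extend it if needed.
KNOWN_HOOKS = {
    "pre-commit", "prepare-commit-msg", "commit-msg", "post-commit",
    "pre-rebase", "post-checkout", "post-merge", "pre-push",
    "pre-receive", "update", "post-receive", "post-update",
    "pre-auto-gc", "post-rewrite", "fsmonitor-watchman",
}


def find_active_hooks(repo_dir):
    """Return a sorted list of (name, executable, known_hook_name) for
    every non-sample regular file in <repo>/.git/hooks.

    A hook git would actually run is both executable and carries a
    known name; anything else is still reported so it can be reviewed.
    """
    hooks_dir = Path(repo_dir) / ".git" / "hooks"
    found = []
    if not hooks_dir.is_dir():
        return found
    for entry in sorted(hooks_dir.iterdir()):
        if entry.name.endswith(".sample") or not entry.is_file():
            continue
        executable = bool(entry.stat().st_mode & stat.S_IXUSR)
        found.append((entry.name, executable, entry.name in KNOWN_HOOKS))
    return found


def make_constructed_checkout(base):
    """Build a constructed fake checkout (no real git needed) containing
    one sample hook, one live executable hook and one stray file."""
    hooks = Path(base) / "proj" / ".git" / "hooks"
    hooks.mkdir(parents=True)
    (hooks / "pre-commit.sample").write_text("#!/bin/sh\n# sample only\n")
    post_checkout = hooks / "post-checkout"
    post_checkout.write_text("#!/bin/sh\necho constructed hook\n")
    post_checkout.chmod(0o755)
    (hooks / "notes.txt").write_text("not a hook\n")
    return str(Path(base) / "proj")


def demo():
    """Run the audit against the constructed checkout and return findings."""
    with tempfile.TemporaryDirectory() as tmp:
        return find_active_hooks(make_constructed_checkout(tmp))


if __name__ == "__main__":
    for name, executable, known in demo():
        verdict = "WOULD RUN" if executable and known else "review"
        print(f"{name}: executable={executable} known_name={known} -> {verdict}")
```

Run it against a real Tower project directory by passing that path to `find_active_hooks`; an empty list is the expected result for a clean checkout, and enabling the advisory's "delete before update" option is what keeps it that way between runs.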
A vulnerability was found in the XML-RPC interface in supervisord. When processing malformed commands, an attacker can cause arbitrary shell commands to be executed on the server as the same user as supervisord. Exploitation requires the attacker to first be authenticated to the supervisord service. (CVE-2017-11610)
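Because the advisory states that exploiting CVE-2017-11610 requires authenticating to supervisord's XML-RPC interface first, the practical check is whether that interface is reachable over the network without credentials. The following is an added example, not code from the advisory or from the supervisor project: it parses the INI-style configuration supervisord uses and reports, for an `[inet_http_server]` section, the listening address and whether both `username` and `password` are set. The two sample configurations are constructed, and treating anything other than a loopback address as network-exposed is a conservative assumption of this example.

```python
"""Audit a supervisord configuration for an exposed XML-RPC listener.

Added example, not from the Red Hat advisory or the supervisor project.
CVE-2017-11610 needs an authenticated caller, so an [inet_http_server]
that listens beyond loopback with no username/password removes the
only barrier. The configurations below are constructed samples.
"""
import configparser

# Constructed sample: network-wide listener, no credentials.
WEAK_CONFIG = """
[inet_http_server]
port = 0.0.0.0:9001

[supervisord]
logfile = /tmp/supervisord.log

[rpcinterface:supervisor]
supervisor.rpcinterface_factory = supervisor.rpcinterface:make_main_rpcinterface
"""

# Constructed sample: loopback only, credentials present.
HARDENED_CONFIG = """
[inet_http_server]
port = 127.0.0.1:9001
username = ops
password = REPLACE_WITH_A_REAL_SECRET

[supervisord]
logfile = /tmp/supervisord.log
"""

LOOPBACK_HOSTS = {"127.0.0.1", "localhost", "::1"}


def audit_inet_http_server(config_text):
    """Return a dict describing the XML-RPC exposure, or None when the
    configuration defines no [inet_http_server] section at all."""
    # interpolation=None: supervisord expands %(here)s itself, and we do
    # not want configparser to choke on that syntax.
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(config_text)
    if not parser.has_section("inet_http_server"):
        return None
    section = parser["inet_http_server"]
    port = section.get("port", "").strip()
    # Assumption: a bare port or a host that is not loopback is treated
    # as reachable from the network.
    host = port.rsplit(":", 1)[0] if ":" in port else ""
    loopback_only = host in LOOPBACK_HOSTS
    authenticated = bool(section.get("username", "").strip()) and \
        bool(section.get("password", "").strip())
    if not authenticated and not loopback_only:
        risk = "high: unauthenticated XML-RPC reachable from the network"
    elif not authenticated:
        risk = "medium: unauthenticated XML-RPC, loopback only"
    else:
        risk = "low: credentials required"
    return {
        "port": port,
        "loopback_only": loopback_only,
        "authenticated": authenticated,
        "risk": risk,
    }


if __name__ == "__main__":
    for label, text in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit_inet_http_server(text))
```

To audit a live host, read `/etc/supervisord.conf` (or whichever file the service is started with) and pass its contents to `audit_inet_http_server`; the patched supervisor package in this advisory fixes the command handling, and credentials on the listener remain the layer that keeps unauthenticated callers away from it.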
The CVE-2017-12148 issue was discovered by Ryan Petrello (Red Hat).
Additional Changes:
This update also fixes several bugs and adds various enhancements. Documentation for these changes is available from the Release Notes document linked to in the References section.
OS | OS version | Architecture | Package | Affected version | Filename |
---|---|---|---|---|---|
RedHat | 7 | x86_64 | ansible-tower-setup | < 3.1.5-1.el7at | ansible-tower-setup-3.1.5-1.el7at.x86_64.rpm |
RedHat | 7 | x86_64 | ansible-tower-server | < 3.1.5-1.el7at | ansible-tower-server-3.1.5-1.el7at.x86_64.rpm |
RedHat | 7 | x86_64 | rh-ruby23-rubygem-nokogiri | < 1.8.1-2.el7cf | rh-ruby23-rubygem-nokogiri-1.8.1-2.el7cf.x86_64.rpm |
RedHat | 7 | x86_64 | rh-ruby23-rubygem-nokogiri-debuginfo | < 1.8.1-2.el7cf | rh-ruby23-rubygem-nokogiri-debuginfo-1.8.1-2.el7cf.x86_64.rpm |
RedHat | 7 | x86_64 | cfme-appliance | < 5.8.2.3-1.el7cf | cfme-appliance-5.8.2.3-1.el7cf.x86_64.rpm |
RedHat | 7 | x86_64 | cfme-gemset | < 5.8.2.3-1.el7cf | cfme-gemset-5.8.2.3-1.el7cf.x86_64.rpm |
RedHat | 7 | x86_64 | cfme-appliance-debuginfo | < 5.8.2.3-1.el7cf | cfme-appliance-debuginfo-5.8.2.3-1.el7cf.x86_64.rpm |
RedHat | 7 | x86_64 | cfme-debuginfo | < 5.8.2.3-1.el7cf | cfme-debuginfo-5.8.2.3-1.el7cf.x86_64.rpm |
RedHat | 7 | noarch | supervisor | < 3.1.4-1.el7 | supervisor-3.1.4-1.el7.noarch.rpm |
RedHat | 7 | x86_64 | cfme | < 5.8.2.3-1.el7cf | cfme-5.8.2.3-1.el7cf.x86_64.rpm |