(RHSA-2018:2745) Important: CloudForms 4.5.5 security, bug fix and enhancement update

2018-09-2618:25:56

access.redhat.com

CVSS2

7.2

Attack Vector

LOCAL

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:L/AC:L/Au:N/C:C/I:C/A:C

CVSS3

7.8

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS

0.016

Percentile

87.7%

JSON

Red Hat CloudForms Management Engine delivers the insight, control, and automation needed to address the challenges of managing virtual environments. CloudForms Management Engine is built on Ruby on Rails, a model-view-controller (MVC) framework for web application development.

Security Fix(es):

rubygem-sprockets: Path traversal in forbidden_request?() can allow remote attackers to read arbitrary files (CVE-2018-3760)
cfme: Improper access control in dRuby allows local users to execute arbitrary commands as root (CVE-2018-10905)

For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.

Red Hat would like to thank Stephen Gappinger (American Express) for reporting CVE-2018-10905.

Additional Changes:

This update fixes various bugs and adds enhancements. Documentation for these changes is available from the Release Notes document.

OSVersionArchitecturePackageVersionFilename
RedHat7x86_64cfme-gemset< 5.8.5.1-1.el7cfcfme-gemset-5.8.5.1-1.el7cf.x86_64.rpm
RedHat7x86_64ansible-tower-setup< 3.1.8-1.el7atansible-tower-setup-3.1.8-1.el7at.x86_64.rpm
RedHat7x86_64ansible-tower-server< 3.1.8-1.el7atansible-tower-server-3.1.8-1.el7at.x86_64.rpm
RedHat7x86_64rh-postgresql95-postgresql-pglogical-debuginfo< 1.2.1-2.el7cfrh-postgresql95-postgresql-pglogical-debuginfo-1.2.1-2.el7cf.x86_64.rpm
RedHat7x86_64cfme-debuginfo< 5.8.5.1-1.el7cfcfme-debuginfo-5.8.5.1-1.el7cf.x86_64.rpm
RedHat7x86_64cfme-appliance-debuginfo< 5.8.5.1-1.el7cfcfme-appliance-debuginfo-5.8.5.1-1.el7cf.x86_64.rpm
RedHat7x86_64cfme-appliance< 5.8.5.1-1.el7cfcfme-appliance-5.8.5.1-1.el7cf.x86_64.rpm
RedHat7x86_64cfme< 5.8.5.1-1.el7cfcfme-5.8.5.1-1.el7cf.x86_64.rpm
RedHat7x86_64rh-postgresql95-postgresql-pglogical< 1.2.1-2.el7cfrh-postgresql95-postgresql-pglogical-1.2.1-2.el7cf.x86_64.rpm

OS	Version	Architecture	Package	Version	Filename
RedHat	7	x86_64	cfme-gemset	< 5.8.5.1-1.el7cf	cfme-gemset-5.8.5.1-1.el7cf.x86_64.rpm
RedHat	7	x86_64	ansible-tower-setup	< 3.1.8-1.el7at	ansible-tower-setup-3.1.8-1.el7at.x86_64.rpm
RedHat	7	x86_64	ansible-tower-server	< 3.1.8-1.el7at	ansible-tower-server-3.1.8-1.el7at.x86_64.rpm
RedHat	7	x86_64	rh-postgresql95-postgresql-pglogical-debuginfo	< 1.2.1-2.el7cf	rh-postgresql95-postgresql-pglogical-debuginfo-1.2.1-2.el7cf.x86_64.rpm
RedHat	7	x86_64	cfme-debuginfo	< 5.8.5.1-1.el7cf	cfme-debuginfo-5.8.5.1-1.el7cf.x86_64.rpm
RedHat	7	x86_64	cfme-appliance-debuginfo	< 5.8.5.1-1.el7cf	cfme-appliance-debuginfo-5.8.5.1-1.el7cf.x86_64.rpm
RedHat	7	x86_64	cfme-appliance	< 5.8.5.1-1.el7cf	cfme-appliance-5.8.5.1-1.el7cf.x86_64.rpm
RedHat	7	x86_64	cfme	< 5.8.5.1-1.el7cf	cfme-5.8.5.1-1.el7cf.x86_64.rpm
RedHat	7	x86_64	rh-postgresql95-postgresql-pglogical	< 1.2.1-2.el7cf	rh-postgresql95-postgresql-pglogical-1.2.1-2.el7cf.x86_64.rpm