CVE-2016-4457
CloudForms Management Engine (CFME) is affected by CVE-2016-4457 due to a default SSL/TLS certificate used by the web server. Red Hat RHSA-2017:1367 documents that if an attacker could man-in-the-middle during install, they could obtain the private key uploaded with the new certificate, enabling ...
CVE-2016-4457
CloudForms Management Engine before 5.8 includes a default SSL/TLS certificate...
PT-2017-8494 · Red Hat · Cloudforms Management Engine
Name of the Vulnerable Software and Affected Versions: CloudForms Management Engine versions prior to 5.8 Description: The issue is related to a default SSL/TLS certificate in the CloudForms Management Engine. Recommendations: For versions prior to 5.8, update to version 5.8 or later to resolve t...
Red Hat CloudForms Management Engine Information Disclosure Vulnerability
Red Hat CloudForms Management Engine is an IaaS (Infrastructure as a Service) cloud services solution from Red Hat, Inc. The solution creates and manages private and public clouds and has application lifecycle management capabilities. An information disclosure vulnerability exists in the Red Hat...
CFME: default certificate used across all installs
CloudForms includes a default SSL/TLS certificate for the web server. This certificate is replaced at install time. However, if an attacker were able to man-in-the-middle an administrator while installing the new certificate, the attacker could get a copy of the uploaded private key allowing for...
CloudForms: cloudforms fails to properly check certificates when communicating with RHEV and OpenShift and custom CA
It was found that CloudForms does not verify that the server hostname matches the domain name in the certificate when using a custom CA and communicating with Red Hat Virtualization (RHEV) and OpenShift. This would allow an attacker to spoof RHEV or OpenShift systems and potentially harvest sensiti...
CVE-2017-7497
The dialog for creating cloud volumes (cinder provider) in CloudForms does not filter cloud tenants by user. An attacker with the ability to create storage volumes could use this to create storage volumes for any other tenant...
CVE-2016-3702
Padding oracle flaw in CloudForms Management Engine (aka CFME) 5 allows remote attackers to obtain sensitive cleartext information...
Information disclosure
Padding oracle flaw in CloudForms Management Engine (aka CFME) 5 allows remote attackers to obtain sensitive cleartext information...
CVE-2016-3702
CVE-2016-3702: Padding oracle flaw in Red Hat CloudForms Management Engine (CFME) 5 enables remote attackers to obtain sensitive cleartext information. Affected component and exact root cause are described as a padding oracle vulnerability; no specific exploit details or remediation are provided ...
CloudForms: UI security issue on Openstack actions
A number of unused delete routes are present in CloudForms which can be accessed via GET requests instead of just POST requests. This could allow an attacker to bypass the protect_from_forgery XSRF protection causing the routes to be used. This attack would require additional cross-site scripting o...
Moderate: Red Hat Security Advisory: cfme, cfme-appliance, and cfme-gemset security, bug fix, and enhancement update
An update for cfme, cfme-appliance, and cfme-gemset is now available for CloudForms Management Engine 5.7. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is...
Red Hat CloudForms Management App Security Bypass Vulnerability
The Red Hat CloudForms Management Engine (CFME) App is a management engine application for IaaS (Infrastructure as a Service) cloud services solutions from Red Hat, Inc. A security bypass vulnerability exists in the Red Hat CFME App. An attacker could exploit this vulnerability to conduct a...
CVE-2017-2653
A number of unused delete routes are present in CloudForms which can be accessed via GET requests instead of just POST requests. This could allow an attacker to bypass the protect_from_forgery XSRF protection causing the routes to be used. This attack would require additional cross-site scripting o...
Red Hat CloudForms Management Engine Elevation of Privilege Vulnerability
Red Hat CloudForms Management Engine (CFME) is an IaaS (Infrastructure as a Service) cloud services solution management engine from Red Hat, Inc. An elevation of privilege vulnerability exists in Red Hat CloudForms Management Engine (CFME) versions prior to 5.7, which can be exploited by an attacker to...
CVE-2017-2632
A logic error in valid_role in CloudForms role validation could allow a tenant administrator to create groups with a higher privilege level than the tenant administrator should have. This would allow an attacker with tenant administration access to elevate privileges...
cfme: tenant administrator can create a group with higher permissions
A logic error in valid_role in CloudForms role validation could allow a tenant administrator to create groups with a higher privilege level than the tenant administrator should have. This would allow an attacker with tenant administration access to elevate privileges...
Moderate: Red Hat Security Advisory: CFME 5.7.1 bug fixes and enhancement update
Updated cfme packages that fix bugs and add various enhancements are now available for Red Hat CloudForms 4.2. Red Hat CloudForms Management Engine delivers the insight, control, and automation needed to address the challenges of managing virtual environments. CloudForms Management Engine is buil...