(RHSA-2017:1601) Important: CFME 5.7.3 security, bug fix and enhancement update

Source: access.redhat.com
Published: 2017-06-28 14:35:04

EPSS: 0.001 (Low), percentile 48.7%

Red Hat CloudForms Management Engine delivers the insight, control, and automation needed to address the challenges of managing virtual environments. CloudForms Management Engine is built on Ruby on Rails, a model-view-controller (MVC) framework for web application development. Action Pack implements the controller and the view components.

rh-ruby23-rubygem-nokogiri provides Nokogiri, which is an HTML, XML, SAX,
and Reader parser. Among Nokogiri’s many features is the ability to search
documents using XPath or CSS3 selectors.

rh-ruby23-rubygem-ovirt-engine-sdk4 provides the ruby SDK for the oVirt
Engine API.

The following packages have been upgraded to a later upstream version: cfme
(5.7.3.2), cfme-gemset (5.7.3.2), rh-ruby23-rubygem-nokogiri (1.7.2), cfme-appliance (5.7.3.2), rh-ruby23-rubygem-ovirt-engine-sdk4 (4.1.5). (BZ#1442774, BZ#1459319)

This update also fixes several bugs and adds various enhancements. Documentation for these changes is available from the Technical Notes document linked to in the References section.

Security Fix(es):

  • CloudForms includes a default SSL/TLS certificate for the web server.
    This certificate is replaced at install time. However, if an attacker were
    able to man-in-the-middle an administrator while the new certificate was
    being installed, the attacker could obtain a copy of the uploaded private
    key, allowing for future attacks. (CVE-2016-4457)

  • The dialog for creating cloud volumes (cinder provider) in CloudForms
    does not filter cloud tenants by user. An attacker with the ability to
    create storage volumes could use this to create storage volumes for any other tenant. (CVE-2017-7497)

  • A flaw was found in the CloudForms API. A user with permissions to use
    the MiqReportResults capability within the API could potentially view data
    from other tenants or groups to which they should not have access.
    (CVE-2016-7047)

The CVE-2016-4457 and CVE-2016-7047 issues were discovered by Simon Lukasik
(Red Hat) and the CVE-2017-7497 issue was discovered by Gellert Kis (Red
Hat).
