An update for cfme is now available for Red Hat CloudForms 4.1.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Red Hat CloudForms Management Engine delivers the insight, control, and automation needed to address the challenges of managing virtual environments.
CloudForms Management Engine is built on Ruby on Rails, a model-view-controller (MVC) framework for web application development. Action Pack implements the controller and the view components.

Security Fix(es):

* CloudForms did not properly apply permissions controls to VM IDs passed by users. A remote, authenticated attacker could use this flaw to execute arbitrary VMs on systems managed by CloudForms if they know the ID of the VM. (CVE-2016-7071)

This update also fixes several bugs. Documentation for these changes is available in the Release Notes linked to in the References section.

All CFME users are advised to upgrade to these updated packages, which correct these issues and add these enhancements.
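The flaw described above belongs to a well-known class: an endpoint accepts an object ID from the request and resolves it against the whole database instead of against the set of objects the caller is allowed to manage. The following Ruby example is added here as an illustration of that class and its fix; it is not CloudForms code and makes no claim about how the CVE-2016-7071 patch was actually written. The in-memory VM store, the `User`/`Vm` structs and the tenant-based scoping rule are all constructed for the example.

```ruby
# Illustrative example (not CloudForms code): object-level authorization on
# user-supplied VM IDs. Models an "execute/start VM" action with a vulnerable
# lookup and a hardened one side by side.

Vm   = Struct.new(:id, :owner, :tenant)
User = Struct.new(:name, :tenant)

# Constructed sample inventory: two tenants, three VMs.
VMS = [
  Vm.new(1, "alice", "tenant-a"),
  Vm.new(2, "bob",   "tenant-b"),
  Vm.new(3, "alice", "tenant-a"),
].freeze

class NotAuthorized < StandardError; end

# Vulnerable pattern: the ID from the request is trusted and resolved
# globally, so any authenticated caller who knows an ID can act on that VM.
def start_vm_unscoped(user, vm_id)
  vm = VMS.find { |v| v.id == vm_id }
  raise ArgumentError, "no such VM #{vm_id}" unless vm
  { started: vm.id, by: user.name }
end

# Hardened pattern: first compute the collection the caller may manage
# (here: VMs in the caller's tenant, an assumed policy), then resolve the
# ID only inside that collection. An ID outside it is indistinguishable
# from a non-existent one, which also avoids leaking which IDs exist.
def accessible_vms(user)
  VMS.select { |v| v.tenant == user.tenant }
end

def start_vm_scoped(user, vm_id)
  vm = accessible_vms(user).find { |v| v.id == vm_id }
  raise NotAuthorized, "VM #{vm_id} is not visible to #{user.name}" unless vm
  { started: vm.id, by: user.name }
end

if __FILE__ == $PROGRAM_NAME
  bob = User.new("bob", "tenant-b")
  puts start_vm_unscoped(bob, 1).inspect   # succeeds: cross-tenant action
  begin
    start_vm_scoped(bob, 1)
  rescue NotAuthorized => e
    puts "denied: #{e.message}"            # scoped lookup refuses it
  end
end
```

In a Rails controller the same idea is expressed by resolving the record through an association on the current user or tenant (for example `current_user.accessible_vms.find(params[:id])`) rather than through the model's global finder, so that the authorization decision is made by the query itself and cannot be skipped by a later code path.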
Red Hat CloudForms 4.1
MD5: 0f677864650351b8d86eeb67056cf64b
SHA-256: d9d8b0a004cf30ad88f049e54855cb4e37741c2bcda15a019d887f9afbf42e38

MD5: 8c3ea5c6b954cee44230cb09bac4df57
SHA-256: fafc5c57f013a4cd28c325389146e83562281920abb70486261067ad6da6a2cd

MD5: 12130f58869ef9e7bf8ae277ef182db6
SHA-256: b29270c79936ad8b8ce1172cb2aaa046d14679c250c469d63b59691f1d0ddc1a

MD5: 341d21819c10184af623383005c1192d
SHA-256: b57cc29a668411f6fb07e553eaeb9542ebd55bfdbc6203114f82c5e2222c4961

MD5: c724615fa7dafdf9ae76119650af503d
SHA-256: eb9b31bc605c849e69630e4f4988e9c9521791b1ea5572326330225bca00d263

MD5: 849e9f33cf039ea9722ded3c73fd57ce
SHA-256: 1ce89cf1eddf9936e0fd0811f7233470d87469c690476d2cb1643fc7f07ac1a7
(The unlinked packages above are only available from the Red Hat Network)
1385887 – Ordering catalog item is not working after an update to 188.8.131.52
85898 – [regression] cannot set default values in service dialogue
These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from: