Red Hat Security Advisory 2019-0796-01


Red Hat Security Advisory

Synopsis: Important: CloudForms 4.7.3 security, bug fix and enhancement update
Advisory ID: RHSA-2019:0796-01
Product: Red Hat CloudForms
Advisory URL:
Issue date: 2019-04-23
Cross references: RHBA-2019:40153
CVE Names: CVE-2019-5418 CVE-2019-5419

1. Summary:

An update is now available for CloudForms Management Engine 5.10.

Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

CloudForms Management Engine 5.10 – x86_64

3. Description:

Red Hat CloudForms Management Engine delivers the insight, control, and
automation needed to address the challenges of managing virtual
environments. CloudForms Management Engine is built on Ruby on Rails, a
model-view-controller (MVC) framework for web application development.
Action Pack implements the controller and the view components.

Security Fix(es):

* rubygem-actionpack: render file directory traversal in Action View

* rubygem-actionpack: denial of service vulnerability in Action View

For more details about the security issue(s), including the impact, a CVSS
score, and other related information, refer to the CVE page(s) listed in
the References section.

Additional Changes:

This update fixes various bugs and adds enhancements. Documentation for
these changes is available from the Release Notes document linked to in the
References section.

4. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

If the postgresql service is running, it will be automatically restarted
after installing this update. After installing the updated packages, the
httpd daemon will be restarted automatically.

5. Bugs fixed:

1678385 – [v2v][OSP][RHV]Migrating over SSH and VDDK transformation method with names containing spaces such as `rhel 7`, fails to migrate
1680959 – The displayed elapsed time in the service is wrong
1686045 – [RFE] Add ability to Download Wrapper Logs from UI
1686902 – Default worker memory settings in the WebUI are incorrect and do not match the actual configured memory settings
1688937 – proxy timeout loading list of services post update
1689159 – CVE-2019-5418 rubygem-actionpack: render file directory traversal in Action View
1689160 – CVE-2019-5419 rubygem-actionpack: denial of service vulnerability in Action View
1693714 – [RFE] Add support for including optional flavor and security group fields in CSV file for OSP migration plans
1693718 – [RFE] TransformationMapping: API for adding mapping item
1693719 – User and group values of a report are not honored when importing the report
1693720 – role with all Product Features checked, throws RbacPrivilegeException
1693721 – C&U: Missing memory utilization graphs for ec2 availability zones
1693722 – Warn when custom attributes contain spaces in their names – they will not work properly in all of reporting
1693727 – Text attachment generation fails for custom report
1693728 – Unable to schedule an NFS or Samba Database Backup in CloudForms 5.10
1693729 – [RFE]UI changes to “Download Logs” list and “Detect Provider Changes”
1693730 – Clicking on Network -> Topology Produces Error 500 Internal Server Error
1693731 – [v2v][RHV][UI] Infrastructure mapping page is broken
1693740 – [VMware] Publish to template and clone VM operations cannot be performed as UI goes blank
1693741 – [V2V] [RFE] Ability to filter VMs from VMware folders
1693743 – [RFE] Vertical menu fixes and other enhancements for v2v UI
1693745 – [RFE] RHV conversion hosts warning depends on CF tags, should use /api/conversion_hosts instead
1693746 – [RFE] Add new throttling option to the UI for “Maximum concurrent migrations per provider”
1693747 – [RFE]v2v – Enhanced Error Reporting in UI from virt-v2v logs
1693748 – Appliance console shows incorrect region id
1693749 – Cannot access child services from the My Services summary screens
1693757 – [RFE] possibility to hide Red Hat CloudForms Engine text in top left Corner of OPs and SUI
1693817 – Errors when submitting VM action from global region
1694190 – [v2v][OSP] Migration stuck in refresh inventory state when we migrate via SSH transformation method
1694798 – [RFE] Provide detailed info regarding why clusters/datastores/networks are missing
1695626 – Remove the deprecated “Discover Cloud Providers” option from CloudForms UI
1695627 – Retiring an embedded Ansible service always retires the service resources
1695628 – [RFE] Metrics for memory usage of AWS instances needs to be collected from CloudWatch new Agent
1695629 – Deleting a disk from a VM in RHV fails in CFME
1695631 – [RFE] Unable to Utilize Tenancy With Central Admin
1695897 – State machine for Vm Retirement is using the old values
1696362 – Different syntax by Service Request in Master region
1696419 – [v2v] Edit Migration plan shows VM status incorrect
1696421 – [v2v] : Migration shows blank page if provider is removed from CFME
1696422 – [RFE]UI change: Migration Plans screen breadcrumbs
1696456 – v2v job polling interval and timeout values updated
1696841 – CloudForms allow user to submit disk size change when snapshots are attached
1698586 – Dynamic Dialogs no longer function

6. Package List:

CloudForms Management Engine 5.10:
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from

7. References:

8. Contact:

The Red Hat security contact is <>. More contact
details at

Copyright 2019 Red Hat, Inc.


RHSA-announce mailing list