Detections
Analytics

RHEL 7 : CloudForms 4.6.4 (RHSA-2018:2561)

high Nessus Plugin ID 233185

Synopsis

The remote Red Hat host is missing one or more security updates.

Description

The remote Redhat Enterprise Linux 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2018:2561 advisory.

 Red Hat CloudForms Management Engine delivers the insight, control, and automation needed to address the challenges of managing virtual environments. CloudForms Management Engine is built on Ruby on Rails, a model-view-controller (MVC) framework for web application development. Action Pack implements the controller and the view components.

 Security Fix(es):

 * cfme: Improper access control in dRuby allows local users to execute arbitrary commands as root (CVE-2018-10905)

 * rubygem-sprockets: Path traversal in forbidden_request?() can allow remote attackers to read arbitrary files (CVE-2018-3760)

 For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.

 Red Hat would like to thank Stephen Gappinger (American Express) for reporting CVE-2018-10905.

 Additional Changes:

 This update fixes various bugs and adds enhancements. Documentation for these changes is available from the Release Notes document.

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Solution

Update the affected packages.

See Also

https://access.redhat.com/security/updates/classification/#important

https://bugzilla.redhat.com/show_bug.cgi?id=1565259

https://bugzilla.redhat.com/show_bug.cgi?id=1588527

https://bugzilla.redhat.com/show_bug.cgi?id=1591494

https://bugzilla.redhat.com/show_bug.cgi?id=1591495

https://bugzilla.redhat.com/show_bug.cgi?id=1591496

https://bugzilla.redhat.com/show_bug.cgi?id=1591497

https://bugzilla.redhat.com/show_bug.cgi?id=1593058

https://bugzilla.redhat.com/show_bug.cgi?id=1595416

https://bugzilla.redhat.com/show_bug.cgi?id=1595445

https://bugzilla.redhat.com/show_bug.cgi?id=1595447

https://bugzilla.redhat.com/show_bug.cgi?id=1595448

https://bugzilla.redhat.com/show_bug.cgi?id=1595450

https://bugzilla.redhat.com/show_bug.cgi?id=1595451

https://bugzilla.redhat.com/show_bug.cgi?id=1595454

https://bugzilla.redhat.com/show_bug.cgi?id=1595456

https://bugzilla.redhat.com/show_bug.cgi?id=1595461

https://bugzilla.redhat.com/show_bug.cgi?id=1595776

https://bugzilla.redhat.com/show_bug.cgi?id=1598528

https://bugzilla.redhat.com/show_bug.cgi?id=1598532

https://bugzilla.redhat.com/show_bug.cgi?id=1598873

https://bugzilla.redhat.com/show_bug.cgi?id=1599350

https://bugzilla.redhat.com/show_bug.cgi?id=1599353

https://bugzilla.redhat.com/show_bug.cgi?id=1600191

https://bugzilla.redhat.com/show_bug.cgi?id=1600670

https://bugzilla.redhat.com/show_bug.cgi?id=1600738

https://bugzilla.redhat.com/show_bug.cgi?id=1601587

https://bugzilla.redhat.com/show_bug.cgi?id=1601589

https://bugzilla.redhat.com/show_bug.cgi?id=1602190

https://bugzilla.redhat.com/show_bug.cgi?id=1603022

https://bugzilla.redhat.com/show_bug.cgi?id=1603029

https://bugzilla.redhat.com/show_bug.cgi?id=1603031

https://bugzilla.redhat.com/show_bug.cgi?id=1603058

https://bugzilla.redhat.com/show_bug.cgi?id=1603210

https://bugzilla.redhat.com/show_bug.cgi?id=1607441

https://bugzilla.redhat.com/show_bug.cgi?id=1608844

https://bugzilla.redhat.com/show_bug.cgi?id=1610055

https://bugzilla.redhat.com/show_bug.cgi?id=1610425

https://bugzilla.redhat.com/show_bug.cgi?id=1610685

https://bugzilla.redhat.com/show_bug.cgi?id=1611002

https://bugzilla.redhat.com/show_bug.cgi?id=1611660

https://bugzilla.redhat.com/show_bug.cgi?id=1612062

https://bugzilla.redhat.com/show_bug.cgi?id=1612856

https://bugzilla.redhat.com/show_bug.cgi?id=1612889

https://bugzilla.redhat.com/show_bug.cgi?id=1613295

https://bugzilla.redhat.com/show_bug.cgi?id=1613387

https://bugzilla.redhat.com/show_bug.cgi?id=1613757

https://bugzilla.redhat.com/show_bug.cgi?id=1615633

https://bugzilla.redhat.com/show_bug.cgi?id=1618219

http://www.nessus.org/u?e1323b9a

https://access.redhat.com/errata/RHSA-2018:2561

Plugin Details

Severity: High

ID: 233185

File Name: redhat-RHSA-2018-2561.nasl

Version: 1.1

Type: local

Agent: unix

Published: 3/21/2025

Updated: 3/21/2025

Supported Sensors: Frictionless Assessment AWS, Frictionless Assessment Azure, Frictionless Assessment Agent, Nessus Agent, Agentless Assessment, Continuous Assessment, Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 5.9

Vendor

Vendor Severity: Important

CVSS v2

Risk Factor: High

Base Score: 7.2

Temporal Score: 5.3

Vector: CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C

CVSS Score Source: CVE-2018-10905

CVSS v3

Risk Factor: High

Base Score: 7.8

Temporal Score: 6.8

Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

CPE: p-cpe:/a:redhat:enterprise_linux:cfme-amazon-smartstate, p-cpe:/a:redhat:enterprise_linux:rh-ruby23-rubygem-redhat_access_cfme, p-cpe:/a:redhat:enterprise_linux:cfme-appliance-common, cpe:/o:redhat:enterprise_linux:7, p-cpe:/a:redhat:enterprise_linux:rh-ruby23-rubygem-redhat_access_cfme-doc, p-cpe:/a:redhat:enterprise_linux:cfme-appliance, p-cpe:/a:redhat:enterprise_linux:rh-postgresql95-postgresql-pglogical, p-cpe:/a:redhat:enterprise_linux:cfme-gemset, p-cpe:/a:redhat:enterprise_linux:cfme, p-cpe:/a:redhat:enterprise_linux:cfme-appliance-tools

Required KB Items: Host/local_checks_enabled, Host/RedHat/release, Host/RedHat/rpm-list, Host/cpu

Exploit Ease: No known exploits are available

Patch Publication Date: 9/4/2018

Vulnerability Publication Date: 6/19/2018

Reference Information

CVE: CVE-2018-10905, CVE-2018-3760

CWE: 22, 284

RHSA: 2018:2561