Updated CloudForms Commons packages that fix several security issues are now available. The Red Hat Security Response Team has rated this update as having moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.
Red Hat CloudForms is an on-premise hybrid cloud Infrastructure-as-a-Service (IaaS) product that lets you create and manage private and public clouds.

Multiple input validation vulnerabilities were discovered in rubygem-activerecord. A remote attacker could possibly use these flaws to perform an SQL injection attack against an application using rubygem-activerecord. (CVE-2012-2660, CVE-2012-2661, CVE-2012-2694, CVE-2012-2695)

Multiple cross-site scripting (XSS) flaws were found in rubygem-actionpack. A remote attacker could use these flaws to conduct XSS attacks against users of an application using rubygem-actionpack. (CVE-2012-3463, CVE-2012-3464, CVE-2012-3465)

A flaw was found in the HTTP digest authentication implementation in rubygem-actionpack. A remote attacker could use this flaw to cause a denial of service of an application using rubygem-actionpack and digest authentication. (CVE-2012-3424)

An input validation flaw was found in rubygem-mail's Exim and Sendmail delivery methods. A remote attacker could use this flaw to execute arbitrary commands with the privileges of an application using rubygem-mail. (CVE-2012-2140)

A directory traversal flaw was found in rubygem-mail's file delivery method. A remote attacker could use this flaw to send a mail with a specially crafted To: header and write to files with the privileges of an application using rubygem-mail. (CVE-2012-2139)

Puppet was updated to version 2.6.17, which fixes multiple security issues. These issues are not exposed by CloudForms. (CVE-2012-1986, CVE-2012-1987, CVE-2012-1988, CVE-2012-3864, CVE-2012-3865, CVE-2012-3867)

Red Hat would like to thank Puppet Labs for reporting CVE-2012-1988, CVE-2012-1986, CVE-2012-1987, CVE-2012-3864, CVE-2012-3865, and CVE-2012-3867.

Users are advised to upgrade to these CloudForms Commons packages, which resolve these issues.
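As an added illustration of the file delivery traversal described above (CVE-2012-2139), and not code from rubygem-mail, CloudForms or Red Hat, the following Ruby shows the kind of check a file-based delivery method needs when the recipient taken from the To: header names the output file. The delivery directory, the recipient pattern and the sample To: values are all assumptions constructed for this example.

```ruby
# Added example (not rubygem-mail code): hardened destination-path builder for
# a file-based mail delivery method, where the To: recipient names the file.
class UnsafeRecipient < StandardError; end

# A plain mailbox address. Path separators, NUL, whitespace and "~" are
# excluded up front rather than stripped out after the fact (assumed policy).
RECIPIENT_RE = /\A[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\z/

# Returns the absolute path a message for +recipient+ may be written to, or
# raises UnsafeRecipient. +base_dir+ is the delivery directory.
def safe_delivery_path(base_dir, recipient)
  addr = recipient.to_s
  raise UnsafeRecipient, "malformed recipient" unless addr.match?(RECIPIENT_RE)

  base = File.expand_path(base_dir)
  path = File.expand_path(addr, base)
  # Even a syntactically valid name must resolve to a direct child of the
  # delivery directory, never to a parent or a sibling.
  unless File.dirname(path) == base && File.basename(path) == addr
    raise UnsafeRecipient, "recipient escapes delivery directory"
  end
  path
end

# Classifies a batch of To: values: { recipient => absolute_path } when
# accepted, { recipient => :rejected } otherwise, so results can be logged.
def check_recipients(base_dir, recipients)
  recipients.each_with_object({}) do |r, out|
    begin
      out[r] = safe_delivery_path(base_dir, r)
    rescue UnsafeRecipient
      out[r] = :rejected
    end
  end
end

# Constructed sample To: values (not taken from the advisory).
SAMPLE_RECIPIENTS = [
  "alice@example.com",                            # legitimate mailbox
  "../../etc/passwd",                             # bare traversal
  "bob@example.com/../../.ssh/authorized_keys",   # traversal after a mailbox
  "carol@example.com\0.txt",                      # embedded NUL byte
].freeze

if __FILE__ == $0
  check_recipients("/var/mail", SAMPLE_RECIPIENTS).each do |r, v|
    puts "#{r.inspect} => #{v}"
  end
end
```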