Security Advisory Moderate: CloudForms Cloud Engine 1.1.2 update

Advisory: RHSA-2013:0545-1
Type: Security Advisory
Severity: Moderate
Issued on: 2013-02-21
Last updated on: 2013-02-21
Affected Products: Red Hat CloudForms
CVEs: CVE-2012-5509, CVE-2012-6117, CVE-2012-6118


CloudForms Cloud Engine 1.1.2 is now available.

The Red Hat Security Response Team has rated this update as having moderate
security impact. Common Vulnerability Scoring System (CVSS) base scores,
which give detailed severity ratings, are available for each vulnerability
from the CVE links in the References section.

Red Hat CloudForms is an on-premise hybrid cloud
Infrastructure-as-a-Service (IaaS) product that lets you create and manage
private and public clouds. It provides self-service computing resources to
users in a managed, governed, and secure way. CloudForms Cloud Engine is a
management application for cloud resources.

It was found that the Aeolus Configuration Server stored passwords in plain
text in the world-readable "/var/log/aeolus-configserver/configserver.log"
file. A local attacker could use this flaw to obtain the administrative
passwords for other services (such as Katello, databases, and so on).
(CVE-2012-6117)

It was found that Conductor, the web-based management console, allowed
unprivileged users to modify their quota for the number of instances they
are allowed to run. An unprivileged user could use this flaw to monopolize
resources and run more instances than intended. (CVE-2012-6118)

It was found that the aeolus-configserver-setup script created a
world-readable file containing authentication details in plain text in the
"/tmp/" directory. A local attacker could use this flaw to obtain Audrey
credentials, allowing them to make configuration changes to Audrey-enabled
instances. (CVE-2012-5509)
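
The two file-permission flaws above (the world-readable configserver.log and
the world-readable credentials file in "/tmp/") come down to secrets written
to files that other local users can read. The shell example below is added
here and is not code from aeolus-configserver-setup or from this advisory: it
contrasts a credentials file created under a permissive umask with one created
through mktemp under umask 077, and adds an audit helper that lists
world-readable files. All file names and credential values are constructed.

```shell
#!/bin/sh
# Added illustration; not code from aeolus-configserver-setup.
# File names and the credential strings are constructed for the demo.

# Succeeds when "other" users have the read bit on $1.
is_world_readable() {
    [ -n "$(find "$1" -prune -perm -004 2>/dev/null)" ]
}

# Flawed pattern: fixed name in a shared directory under a permissive
# umask, so the credentials file is created mode 0644.
write_creds_insecure() {
    dir=$1
    (
        umask 022
        printf 'key=%s\nsecret=%s\n' demo-key demo-secret > "$dir/setup-creds.txt"
    )
    printf '%s\n' "$dir/setup-creds.txt"
}

# Hardened pattern: mktemp creates the file mode 0600 with an
# unpredictable name; umask 077 covers anything else the script creates.
write_creds_hardened() {
    dir=$1
    (
        umask 077
        f=$(mktemp "$dir/setup-creds.XXXXXX") || exit 1
        printf 'key=%s\nsecret=%s\n' demo-key demo-secret > "$f"
        printf '%s\n' "$f"
    )
}

# Audit helper: print every regular file under the given paths that
# other local users can read (for example a log directory or /tmp).
audit_paths() {
    for p in "$@"; do
        [ -e "$p" ] || continue
        find "$p" -type f -perm -004 2>/dev/null
    done
}
```

Run `audit_paths` against the directories a service writes to before and after applying the update to confirm that no secret-bearing file remains world-readable.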

The CVE-2012-6117 issue was discovered by James Laska of Red Hat;
CVE-2012-6118 was discovered by Tomas Sedovic of Red Hat; and CVE-2012-5509
was discovered by Aaron Weitekamp of the Red Hat Cloud Quality Engineering

This update also fixes the following bug:

* A bug in the initial filter view for instances caused stopped instances
to display for the default "Non stopped applications" option until
auto-refresh. This bug fix corrects the form rendering for the filter view.
The filter view now displays only non-stopped instances. (BZ#895569)

Additionally, this update adds the following enhancements:

* Red Hat Enterprise Linux 5.9 support to guest image building in
CloudForms Cloud Engine. (BZ#903646)

* Support for Red Hat Enterprise Linux 5.9 Amazon Machine Images (AMI) on
Amazon Web Services (AWS) Elastic Compute Cloud (EC2) providers for
CloudForms Cloud Engine. (BZ#903651)

* Red Hat Enterprise Linux 6.4 support to guest image building in
CloudForms Cloud Engine. (BZ#903395)

* Support for Red Hat Enterprise Linux 6.4 Amazon Machine Images (AMI) on
Amazon Web Services (AWS) Elastic Compute Cloud (EC2) providers for
CloudForms Cloud Engine. (BZ#903650)

Refer to the CloudForms 1.1.2 Release Notes for further information about
this release. The Release Notes will be available shortly from

To upgrade, follow the upgrade instructions in the CloudForms Installation

Users of CloudForms Cloud Engine are advised to upgrade to these updated


Before applying this update, make sure all previously-released errata
relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to
use the Red Hat Network to apply this update are available at

Updated packages

Red Hat CloudForms

aeolus-conductor-0.13.26-1.el6cf.src.rpm
aeolus-configserver-0.4.12-3.el6cf.src.rpm
imagefactory-1.0.3-1.el6cf.src.rpm
oz-0.8.0-8.el6cf.src.rpm
aeolus-all-0.13.26-1.el6cf.noarch.rpm
aeolus-conductor-0.13.26-1.el6cf.noarch.rpm
aeolus-conductor-daemons-0.13.26-1.el6cf.noarch.rpm
aeolus-conductor-devel-0.13.26-1.el6cf.noarch.rpm
aeolus-conductor-doc-0.13.26-1.el6cf.noarch.rpm
aeolus-configserver-0.4.12-3.el6cf.noarch.rpm
imagefactory-1.0.3-1.el6cf.noarch.rpm
imagefactory-jeosconf-ec2-fedora-1.0.3-1.el6cf.noarch.rpm
imagefactory-jeosconf-ec2-rhel-1.0.3-1.el6cf.noarch.rpm
oz-0.8.0-8.el6cf.noarch.rpm
(The unlinked packages above are only available from the Red Hat Network)

Bugs fixed (see bugzilla for more information)

875294 - CVE-2012-5509 aeolus-configserver: aeolus-configserver-setup /tmp file conductor credentials leak
895569 - Default Filter view option "Non stopped applications" lists stopped instance, and removes them after auto refresh
903395 - Add support for RHEL-6.4 to Oz
903646 - Add support for RHEL-5.9 to Oz
903650 - Update jeos AMI's for RHEL-6.4
903651 - Update jeos AMI's for RHEL-5.9
906192 - CVE-2012-6118 Aeolus Conductor: Unprivileged user can change their own Maximum Running Instances quota
906201 - CVE-2012-6117 Aeolus Configserver: Passwords from application blueprint stored plaintext in configserver.log
912395 - image customization fails using root user, must use ec2-user


These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from:

The Red Hat security contact is More contact details at