A vulnerability was found in CFME and ManageIQ that allows users authorized for the product feature known as "Control" or "Policies" to run arbitrary code as root.

Vulnerable code: https://github.com/ManageIQ/manageiq/blob/fb34cad0c44ae453fa4b81ae1c2c964e67ec1053/app/models/bottleneck_event.rb#L75

The `eval` is run on a property of the MiqEventDefinition table. Usually this table is filled with stock data at product start-up; the default properties are at https://github.com/ManageIQ/manageiq/blob/fb34cad0c44ae453fa4b81ae1c2c964e67ec1053/db/fixtures/miq_event_definitions.yml#L18. However, an attacker can override any of the default stock values and put their own code into the MiqEventDefinition table, which is later `eval`ed.
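The pattern behind the advisory, as an added Ruby illustration that is not ManageIQ's own code: a string column of an event-definition table is handed to `eval`, so whoever can write the row chooses what the application runs. Beside it is the hardened form, where the table stores only a key and the calculation that runs is fixed at deploy time in an allowlist, plus an integrity check that lists rows whose definition text no longer matches the shipped stock value. The names `EventDefinition`, `STOCK_DEFINITIONS`, `CALCULATIONS` and the sample rows are all constructed for this example.

```ruby
# Constructed model row: name is the lookup key, definition is the string
# column that the vulnerable pattern evaluates.
EventDefinition = Struct.new(:name, :definition)

# Constructed stand-in for the seeded fixture values the advisory mentions.
STOCK_DEFINITIONS = {
  "vm_cpu_high" => "cpu_percent > 90",
  "vm_mem_high" => "mem_percent > 85",
}.freeze

# Vulnerable pattern: the stored string goes straight to eval with the
# method's binding, so a modified row runs with the application's privileges.
def evaluate_vulnerable(event_def, cpu_percent:, mem_percent:)
  eval(event_def.definition)
end

# Hardened pattern: behaviour lives in code, not in the database. A row can
# only select one of these calculations; it cannot supply new code.
CALCULATIONS = {
  "vm_cpu_high" => ->(cpu_percent:, mem_percent:) { cpu_percent > 90 },
  "vm_mem_high" => ->(cpu_percent:, mem_percent:) { mem_percent > 85 },
}.freeze

class UnknownEventDefinition < StandardError; end

def evaluate_hardened(event_def, **metrics)
  calc = CALCULATIONS.fetch(event_def.name) do
    raise UnknownEventDefinition,
          "no allowlisted calculation for #{event_def.name.inspect}"
  end
  calc.call(**metrics)
end

# Integrity check for an existing deployment: rows whose definition differs
# from the stock fixture, or that have no stock fixture at all, are the ones
# that would have had to be modified through the product.
def tampered_definitions(rows)
  rows.reject { |r| STOCK_DEFINITIONS[r.name] == r.definition }
end

if __FILE__ == $PROGRAM_NAME
  rows = [
    EventDefinition.new("vm_cpu_high", "cpu_percent > 90"),   # untouched stock row
    EventDefinition.new("vm_mem_high", "true"),               # constructed tampered row
    EventDefinition.new("custom_thing", "true"),              # constructed non-stock row
  ]
  puts "tampered: #{tampered_definitions(rows).map(&:name).inspect}"
  puts "hardened vm_cpu_high at 95%: #{evaluate_hardened(rows[0], cpu_percent: 95, mem_percent: 10)}"
end
```

The hardened version changes the data model rather than sanitising the string: once the column is a key, tampering with it can only select another shipped calculation or produce an `UnknownEventDefinition` error, which is a clean signal to log and alert on.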
Acknowledgments: Simon Lukasik (Red Hat)

This issue has been addressed in the following products: CloudForms Management Engine 5.6, via RHSA-2016:2839 (https://rhn.redhat.com/errata/RHSA-2016-2839.html).