Red Hat Product Errata RHSA-2014:0899 - Security Advisory

Issued:: 2014-07-17
Updated:: 2014-07-17

RHSA-2014:0899 - Security Advisory

Overview
Updated Packages

Synopsis

Moderate: openstack-neutron security, bug fix, and enhancement update

Type/Severity

Security Advisory: Moderate

Topic

Updated openstack-neutron packages that fix two security issues, several bugs,
and add various enhancements are now available for Red Hat Enterprise Linux
OpenStack Platform 4.0.

The Red Hat Security Response Team has rated this update as having Moderate
security impact. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available from the CVE links in the
References section.

Description

The openstack-neutron packages provide Openstack Networking (neutron), the
virtual network service.

OpenStack Networking (neutron) is a pluggable, scalable, and API-driven system
that provisions networking services to virtual machines. Its main function is to
manage connectivity to and from virtual machines.

It was discovered that an authenticated user could add a security group rule
with an invalid CIDR causing the openvswitch-agent process to fail and prevent
further rules from being applied. (CVE-2014-0187)

It was discovered that an authenticated user could add an IPv6 private subnet to
an L3 router causing L3-agent to break in a way that prevents further IPv4
addresses from being attached. Removal of the faulty network can only be done
directly at the database level. Only Neutron setups using IPv6 and L3-agent are
affected by this issue. (CVE-2014-4167)

This update also fixes several bugs and adds enhancements:

Previously, running 'cloud-init' resulted in each instance sending requests to
the metadata agent, which in turn queried Networking server.
Consequently, booting multiple concurrent instances resulted in metadata agent
queries producing heavy load for 'neutron-server'.
This update addresses this issue by implementing a short lifetime cache for the
metadata agent. Metadata agent now only queries Networking when data is not
present in its cache, with the result of decreased load on Networking server
during 'cloud-init' within instances. (BZ#1101494).
With this update, Networking (neutron) packages now update the
'/etc/sudoers.d/neutron' file. Consequently, any local changes have been
relocated to the '/etc/sudoers.d/neutron.rpmsave' file, and will need to be
merged back manually.
To avoid the need for manual updates in future, please apply local changes in a
separate 'sudoers.d' file. (BZ#1115406)
Previously, Networking would fail to reliably communicate with Qpid. This
behavior was due to an incorrect message subject set in the Qpid layer used by
Networking.
This update addresses this issue by setting a correct subject when sending a
Qpid message. As a result, Networking now works reliably with the new Qpid
server. (BZ#1108549)

All openstack-neutron users are advised to upgrade to these updated packages,
which correct these issues and add these enhancements.

Solution

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to
use the Red Hat Network to apply this update are available at
https://access.redhat.com/site/articles/11258

Affected Products

Red Hat OpenStack 4.0 x86_64

Fixes

BZ - 1090132 - CVE-2014-0187 openstack-neutron: security groups bypass through invalid CIDR
BZ - 1108549 - RHOSP 4 is incompatible with python-qpid >= 0.18-11
BZ - 1110139 - CVE-2014-4167 openstack-neutron: L3-agent denial of service through IPv6 subnet
BZ - 1115406 - Neutron packaging attempts to update sudoers config file avoiding usual procedure

CVEs

References

https://access.redhat.com/security/updates/classification/#moderate

Note: More recent versions of these packages may be available. Click a package name for more details.

Red Hat OpenStack 4.0

SRPM
openstack-neutron-2013.2.3-14.el6ost.src.rpm	SHA-256: 5bffb27f30f13b3ef3a8dacaad3a4ddcf45b5faa1aacaee421e14704c06d0c62
x86_64
openstack-neutron-2013.2.3-14.el6ost.noarch.rpm	SHA-256: d0f4eb16546692f72a988ee48d392074ef20c0f4b97fdf649bf097e1cc8676c1
openstack-neutron-bigswitch-2013.2.3-14.el6ost.noarch.rpm	SHA-256: 68d4001dccad91e13a5bc325e863d7f084b7b9be79333ed91b26e62158214b48
openstack-neutron-brocade-2013.2.3-14.el6ost.noarch.rpm	SHA-256: 408ca472689e95041662bcba0d77e4d435ca8fb1050e216a174abc68e23325e5
openstack-neutron-cisco-2013.2.3-14.el6ost.noarch.rpm	SHA-256: bb0f594e49a48351d1d8a4a59624448ba195e2eca0dcf5adb9983486f3b10220
openstack-neutron-hyperv-2013.2.3-14.el6ost.noarch.rpm	SHA-256: ab0b77878cfaf599c50fc1747e33bd03f05440933f3c5aee0b56408771f4b1b8
openstack-neutron-linuxbridge-2013.2.3-14.el6ost.noarch.rpm	SHA-256: cfa79c3ca89d2f730c4cd6c6b149c4793221e77cdba681af7b3d75f334e9a891
openstack-neutron-mellanox-2013.2.3-14.el6ost.noarch.rpm	SHA-256: 4f7a8d7ae058cf4a9784d408dd0e5e3746345206ffa033b418debc8181554bd9
openstack-neutron-metaplugin-2013.2.3-14.el6ost.noarch.rpm	SHA-256: dc3e8c6568823876a88f48861faf68dbfc9abf78bae4dfa23543c07fa4b7aba9
openstack-neutron-metering-agent-2013.2.3-14.el6ost.noarch.rpm	SHA-256: 42f95926540d8f812b1832cbe1fb7759649f62410c731320299de1ee17a2e589
openstack-neutron-midonet-2013.2.3-14.el6ost.noarch.rpm	SHA-256: 1dcfe182351ca756209287b1fd8d862161b9b0c3f1d6321a44914f31813b4aa3
openstack-neutron-ml2-2013.2.3-14.el6ost.noarch.rpm	SHA-256: 9e198e30d79ea13c585ea046a8cd85b026ccea3baa85671c5b869633ef9b19da
openstack-neutron-nec-2013.2.3-14.el6ost.noarch.rpm	SHA-256: 7614bddd200746b47defd46c58418dac75133adddaa518b3da91ecd7544cbfcf
openstack-neutron-nicira-2013.2.3-14.el6ost.noarch.rpm	SHA-256: 31b3f0ca3f148cd4ad66789a5644a15c999039071dbe2f7335b52dcb9d676c47
openstack-neutron-openvswitch-2013.2.3-14.el6ost.noarch.rpm	SHA-256: 61978261b2d605f41a4d6ffc7ad79d515488bef4168ad98b17a39f0bbe669b34
openstack-neutron-plumgrid-2013.2.3-14.el6ost.noarch.rpm	SHA-256: 06fbc27b9b4ceb99c614d6b8b36a1d0fd5e6f00d632e9d95194bbdc6c95a19e7
openstack-neutron-ryu-2013.2.3-14.el6ost.noarch.rpm	SHA-256: c993c681aa18260b221f1101e68a4f003bb2049cfed1826945036360aef614ca
openstack-neutron-vpn-agent-2013.2.3-14.el6ost.noarch.rpm	SHA-256: b37be5eb2c9a85a894e71945515233aab3a45ac73c82cd0f9562c6d3c5d02ed6
python-neutron-2013.2.3-14.el6ost.noarch.rpm	SHA-256: 2fd987ee36cba763a2248c1d404596b512ac00044cf670f12d5b988e94b6292f

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.

Log in to Your Red Hat Account

Red Hat Account

Customer Portal

Select Your Language

Infrastructure and Management

Cloud Computing

Storage

JBoss Development and Management

JBoss Integration and Automation

Mobile

Services

Tools

Red Hat Product Security Center

Security Updates

Resources

Customer Portal Community

Customer Events

Stories