RHSA-2015:1862 - Security Advisory

Issued: 2015-10-08
Updated: 2015-10-08

Synopsis

Moderate: Red Hat Enterprise Linux OpenStack Platform 7 director update

Type/Severity

Security Advisory: Moderate

Topic

Updated packages that fix one security issue, several bugs, and add various
enhancements are now available for Red Hat Enterprise Linux OpenStack
Platform 7.0 director for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having Moderate security
impact. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available from the CVE link in the
References section.

Description

Red Hat Enterprise Linux OpenStack Platform director provides the
facilities for deploying and monitoring a private or public
infrastructure-as-a-service (IaaS) cloud based on Red Hat Enterprise Linux
OpenStack Platform.

A flaw was discovered in the pipeline ordering of OpenStack Object
Storage's staticweb middleware in the swiftproxy configuration generated
from the openstack-tripleo-heat-templates package (OpenStack director).
The staticweb middleware was incorrectly configured before the Identity
Service, and under some conditions an attacker could use this flaw to gain
unauthenticated access to private data. (CVE-2015-5271)
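
A configuration audit for the ordering flaw described above, as an added example that is not part of the advisory or of the openstack-tripleo-heat-templates package. The filter names `authtoken`, `keystoneauth` and `keystone`, the `[pipeline:main]` layout and both sample configurations are assumptions based on upstream Swift conventions.

```python
import configparser

# Assumed filter names (upstream Swift / keystonemiddleware conventions); the
# advisory itself names only "staticweb" and the Identity Service.
AUTH_FILTERS = {"authtoken", "keystoneauth", "keystone"}
GUARDED_FILTERS = {"staticweb"}

# Constructed sample configurations, not copied from the affected package.
UNSAFE_CONF = """
[DEFAULT]
bind_port = 8080

[pipeline:main]
pipeline = catch_errors healthcheck cache ratelimit staticweb authtoken keystone proxy-logging proxy-server
"""

SAFE_CONF = """
[pipeline:main]
pipeline = catch_errors healthcheck cache ratelimit authtoken keystone staticweb proxy-logging proxy-server
"""


def read_pipeline(conf_text):
    """Return the [pipeline:main] filter names in request-processing order."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_string(conf_text)
    return parser.get("pipeline:main", "pipeline").split()


def audit_pipeline(pipeline):
    """List (filter, reason) pairs for guarded filters not placed after auth."""
    auth_positions = [i for i, name in enumerate(pipeline) if name in AUTH_FILTERS]
    findings = []
    for i, name in enumerate(pipeline):
        if name not in GUARDED_FILTERS:
            continue
        if not auth_positions:
            findings.append((name, "no Identity Service auth filter found"))
        elif i < max(auth_positions):
            later = pipeline[max(auth_positions)]
            findings.append((name, f"runs before auth filter '{later}'"))
    return findings


if __name__ == "__main__":
    for label, conf in (("unsafe", UNSAFE_CONF), ("safe", SAFE_CONF)):
        print(label, audit_pipeline(read_pipeline(conf)))
```

To check a deployed node, pass the contents of its Swift proxy configuration file to `read_pipeline` and treat any finding as a reason to confirm that the updated packages have been applied.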

This issue was discovered by Christian Schwede and Emilien Macchi of
Red Hat.

This update also fixes numerous bugs and adds various enhancements.
Space precludes documenting all of these changes in this advisory.
Users are directed to the Red Hat Enterprise Linux OpenStack Platform 7
Release Notes, linked to in the References section, for information on the
most significant of these changes.

All Red Hat Enterprise Linux OpenStack Platform 7.0 director users are
advised to upgrade to these updated packages, which correct these issues
and add these enhancements.

Solution

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

Affected Products

  • Red Hat OpenStack 7 x86_64

Fixes

  • BZ - 1223022 - Ceilometer API port not allowed in firewall rules on undercloud
  • BZ - 1226376 - Neutron API port not allowed in firewall rules on undercloud
  • BZ - 1228862 - Can `openstack undercloud install` have a --force-clean option so an error doesn't require restarting?
  • BZ - 1231777 - Its possible to scale up beyond the number of free nodes
  • BZ - 1233949 - overcloud horizon apache config doesn't appear to use a network vip
  • BZ - 1235320 - Unhelpful failure when incorrect parameters are given
  • BZ - 1235325 - "openstack baremetal configure boot" should skip nodes that have maintenance=true
  • BZ - 1236136 - All overcloud keystone endpoints get configured with the public IP when using network isolation
  • BZ - 1236663 - No output for upload images command
  • BZ - 1236707 - undercloud.conf.sample incorrectly states that heat db encryption key can be 8,16, or 32 chars
  • BZ - 1237020 - undercloud GUI- Image field is mandatory when setting VM for deploy overcloud
  • BZ - 1240260 - introspection timed out for 2 VM nodes
  • BZ - 1241199 - openstack baremetal configure boot is not safe to run a second time
  • BZ - 1241668 - 'openstack help overcloud deploy' : doesn't cover comments/explanation for all deployment --arguments
  • BZ - 1243015 - Overcloud stack name hard-coded
  • BZ - 1243032 - Hard-coded reference to instackenv.json
  • BZ - 1243062 - On deployment failure, no reason is returned
  • BZ - 1243121 - Neutron port quota fails larger overcloud deployments
  • BZ - 1243472 - don't save UpdateIdentifier in tuskar when running package update
  • BZ - 1243601 - Overcloud deploys default to qemu instead of kvm
  • BZ - 1243829 - overcloud image upload creates duplicate images
  • BZ - 1244001 - bulk introspection with active nodes fails
  • BZ - 1244026 - [RFE] Overcloud nodes deployed by OSP-Director are using DHCP; can they be statically assigned instead?
  • BZ - 1244032 - [RFE] Can OSP-Director deploy an HA overcloud which uses a hardware load balancer?
  • BZ - 1244856 - openstack overcloud update stack overcloud requires an undocumented argument
  • BZ - 1244864 - VXLAN should be default neutron network type
  • BZ - 1245212 - rhel-osp-director: Running "ahc-match" on a setup with enabled SSL yields error: ironicclient.openstack.common.apiclient.exceptions.ConnectionRefused: Error communicating with https://[IP]:13385/ [Errno 1] _ssl.c:504: error:14090086:SSL routines:SSL
  • BZ - 1245714 - set mem overcommit to 1:1
  • BZ - 1246596 - Add support for network validation tests
  • BZ - 1247015 - openstack undercloud install doesn't create rabbit user if you set custom passwords in undercloud.conf
  • BZ - 1247722 - messages report Introspection for one of the nodes 'has timed out' while the command returns ' Discovery completed.'
  • BZ - 1248172 - inspection: clean failed with pxe_ilo
  • BZ - 1249640 - Installers need to configure tempest with deployment-specific values and export a partial tempest.conf
  • BZ - 1250249 - After deploying, system load charts shown on the overview page are incorrect
  • BZ - 1250250 - When deploying from UI we miss to add params based on scale logic
  • BZ - 1251566 - Undercloud mariadb max_connection default is too low
  • BZ - 1252054 - Default deployment through GUI doesn't create cinder v2 service and endpoint
  • BZ - 1252219 - ovs bond on controller is not seeing dhcp packet
  • BZ - 1252437 - [Discovery] Gathers wrong information about disks available
  • BZ - 1252509 - rhel-osp-director: Fail to "openstack overcloud update stack": "ERROR: openstack unexpected end of regular expression"
  • BZ - 1252553 - rhel-osp-director: UI: Limited selection for public interface under service configuration.
  • BZ - 1253465 - [RFE] Allow for customization of the Ceph pools name and client username
  • BZ - 1253628 - external ceph patches break tuskar based deploys
  • BZ - 1253777 - HA overcloud deployment argument for NTP server should not be optional
  • BZ - 1254897 - Not configuring neutron mechanism drivers in any puppet based deploys
  • BZ - 1255910 - overcloud node delete of one compute node removed all of them
  • BZ - 1255931 - rhel-osp-director: rhel-osp-director: unable to delete a heat stack deployed with "--rhel-reg --reg-method portal --reg-org <rel-org> --reg-activation-key '<key>'", following a failed attempt to update it with "openstack overcloud update stack --templates
  • BZ - 1256477 - ironic ipmitool intermittently timing out causing API requests to process slowly
  • BZ - 1257414 - [HA] critical resource constraints missing from pacemaker config make things go kaboom
  • BZ - 1257642 - yum hanged infinitely on nova-compute cleanup when do an update
  • BZ - 1259393 - [RFE] Add support to register and deploy nodes with fake_pxe
  • BZ - 1259905 - Integrate yum updates of overcloud with Puppet
  • BZ - 1260736 - missing module python-ironic-inspector-client
  • BZ - 1260991 - Running the same deploy command twice results with :"Deployment failed: Not enough nodes - available: 2, requested: 5"
  • BZ - 1261045 - Big Switch ML2 networking plugin configuration
  • BZ - 1261048 - controllerExtraConfig support
  • BZ - 1261067 - Keystone notifications support
  • BZ - 1261697 - CVE-2015-5271 openstack-tripleo-heat-templates: unsafe pipeline ordering of swift staticweb middleware
  • BZ - 1261921 - updating overcloud stack packages doesn't stop cluster and will cause it to be down
  • BZ - 1262059 - Include the bigswitch networking packages in the image by default
  • BZ - 1262454 - os-cloud-config: with fake_pxe pm_type in instackenv.json and thus no pm_addr entry, "openstack baremetal import --json instackenv.json" exits with: ERROR: openstack 'pm_addr'
  • BZ - 1262995 - osp-d deployment fails on network validation scripts when network-isolation is not enabled.
  • BZ - 1265010 - Heat environment is overwritten on overcloud updates
  • BZ - 1265777 - No DNS servers set on the overcloud nodes
  • BZ - 1266082 - RHEL unregistration doesn't work when scaling down
  • BZ - 1266253 - [Director] increase mariadb max_connection default value
  • BZ - 1266327 - yum_update.sh fails due to incomplete --excludes list
  • BZ - 1266911 - CLI should not force --neutron-tunnel-types if --neutron-disable-tunneling is specified
  • BZ - 1267883 - Unable to control the file_descriptors limit for rabbitmq-server via the director.

CVEs

  • CVE-2015-5271

References

  • http://www.redhat.com/security/updates/classification/#normal

Note: More recent versions of these packages may be available.

Red Hat OpenStack 7

SRPM
ahc-tools-0.1.1-6.el7ost.src.rpm SHA-256: 8b5ff970390b0523122f536a6e989dd8b5be68db51ec178313c9bdecd64655eb
instack-undercloud-2.1.2-29.el7ost.src.rpm SHA-256: 71a1d7d5ebaddc76de98d424faf858bda1b6cdeed3a97a856bc27e9dd6f657bc
openstack-ironic-discoverd-1.1.0-6.el7ost.src.rpm SHA-256: ef06ce09a1d6f7e70d49e3d77aa6421338ddb6aedf6679ea4bba2c01ef268504
openstack-tripleo-common-0.0.1.dev6-3.git49b57eb.el7ost.src.rpm SHA-256: b449b821eb1ddbdd70920a504d694c4fd2b52f4a1807bb9aafe71d63ef3523fa
openstack-tripleo-heat-templates-0.8.6-71.el7ost.src.rpm SHA-256: b67860a8c5c2c3af347bb25b49a01db7ad14fc28304fecad78ced1d91692c8d9
openstack-tripleo-image-elements-0.9.6-10.el7ost.src.rpm SHA-256: f9f1614fa223a8d7b63b5e172ea565528ef1fca40099e3f9cab373e7039e3102
openstack-tripleo-puppet-elements-0.0.1-5.el7ost.src.rpm SHA-256: b681ac5bf3306a9b415650ac0bbdd1262f4ffb5f5db5b8996ce9265cb36259f1
openstack-tuskar-0.4.18-4.el7ost.src.rpm SHA-256: 0cbbc36f24dd59a9e67c6daef0095afe2cfe0dc10e91a02909524d55bbe24eb9
openstack-tuskar-ui-0.4.0-3.el7ost.src.rpm SHA-256: 5a12a99d6a7d7e32540a9613f7547d698148de4c7cd12677ff64651489f1f3a7
os-cloud-config-0.2.8-7.el7ost.src.rpm SHA-256: 9ec929da69f760f4562258a724b8ecea36b0ba27f37f04a7476cb235bb682ec1
os-net-config-0.1.4-4.el7ost.src.rpm SHA-256: 698b932141ed3e28655c586bfce1fa7609c13f24984299b5ffe976ad4d142fdc
python-hardware-0.14-7.el7ost.src.rpm SHA-256: 0f2dba594275afad0124d2212889ebe57d8ed26b9565bb8af3c5e98a6572c51f
python-proliantutils-2.1.0-4.el7ost.src.rpm SHA-256: a38c84dadf8bdef99ecde45c8e62170223db70f1c86f2b0e5c825179a08980fb
python-rdomanager-oscplugin-0.0.10-8.el7ost.src.rpm SHA-256: 33eb6b38298bd3f414f38c3a99bcb6b7b9b2b1d3dd6a562c69590a0e0a40b850
x86_64
ahc-tools-0.1.1-6.el7ost.noarch.rpm SHA-256: 1c80ca65fbefd14499158b4ed25bb8633e97a1dfb421dc56129bebc3029faf02
instack-undercloud-2.1.2-29.el7ost.noarch.rpm SHA-256: 3e4fe34d748ab144f29d4686133325e4191d1ba27244ab76923d857ed9ab3448
openstack-ironic-discoverd-1.1.0-6.el7ost.noarch.rpm SHA-256: 4466e79806fab1b44e0a6a907ec34515e2418e502af29f51023f381f3e0311e6
openstack-ironic-discoverd-ramdisk-1.1.0-6.el7ost.noarch.rpm SHA-256: 5ba19417de493d76a520c5af4e833760a4ad1809d2993a513b92e2fd56e06da2
openstack-tripleo-common-0.0.1.dev6-3.git49b57eb.el7ost.noarch.rpm SHA-256: 467f8266d9a9d98b751f22fc4673854ef72e5d1680537846d7bf6650a684803d
openstack-tripleo-heat-templates-0.8.6-71.el7ost.noarch.rpm SHA-256: ef603c1bda5cc35485fbb8ebd78b1587f7bb031ae7cd70d2f7e854de2aed8652
openstack-tripleo-image-elements-0.9.6-10.el7ost.noarch.rpm SHA-256: e93104df0a412fb29b99dc1de57af2f5dd23f5cc65cb4d43b24f0afc2c9b6ed3
openstack-tripleo-puppet-elements-0.0.1-5.el7ost.noarch.rpm SHA-256: 2e95d17c21bc8664a6520fffadab9870c4af6c0ea8d9ebd4833a801f144a74f9
openstack-tuskar-0.4.18-4.el7ost.noarch.rpm SHA-256: aa354c79a30411cd86d76a689533a55c5a44b99fd3de49c3dbe7162cd2d43364
openstack-tuskar-ui-0.4.0-3.el7ost.noarch.rpm SHA-256: 5b16e52b08a3e6e055b50425850e4380af814891cdc688500f3e2752e0e559fa
os-cloud-config-0.2.8-7.el7ost.noarch.rpm SHA-256: d2df9bbcf8702eb46a0fabcc6eebae3a3f459fe68b466b89e19688aeffdc96a4
os-net-config-0.1.4-4.el7ost.noarch.rpm SHA-256: 97db9b2280add28eb2772fdf90a1ad8d050fbe2b204a925f66d00d845a18cc14
python-hardware-0.14-7.el7ost.noarch.rpm SHA-256: 381d6373996a5cc964c600988cc2576a20e15e067fe19316fc77177edbda3bef
python-hardware-doc-0.14-7.el7ost.noarch.rpm SHA-256: 244e322b2e244cc518526520a91915c42d9ca64eee054f08e5459ec07187e8ee
python-ironic-discoverd-1.1.0-6.el7ost.noarch.rpm SHA-256: 9b4adb9962b985dec696c2b46c2e0e78796259c2d055ea04dad7edfadb314172
python-proliantutils-2.1.0-4.el7ost.noarch.rpm SHA-256: d45506f78694e19ecbce09a58ae81051b6f9a5e3f75c564ff2387f069bce1343
python-rdomanager-oscplugin-0.0.10-8.el7ost.noarch.rpm SHA-256: c81a3ecafc004dce09f7e971726bbf2b972a8826cf5c1d4c79a463f86f281250

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.
