Synopsis

Moderate: openstack-nova security and bug fix advisory

Type/Severity

Security Advisory: Moderate

Topic

Updated OpenStack Compute packages that resolve various issues are now
available for Red Hat Enterprise Linux OpenStack Platform 7.0 for
RHEL 7.

Description

OpenStack Compute (nova) launches and schedules large networks of virtual
machines, creating a redundant and scalable cloud computing platform.
Compute provides the software, control panels, and APIs required to
orchestrate a cloud, including running virtual machine instances and
controlling access through users and projects.

A vulnerability was discovered in the way OpenStack Compute (nova)
networking handled security group updates; changes were not applied to
already running VM instances. A remote attacker could use this flaw to
access running VM instances. (CVE-2015-7713)

Additional updates include:

• The openstack-nova packages have been upgraded to upstream version
  2015.1.2. See https://launchpad.net/nova/kilo/2015.1.2 for a complete list
  of bug fixes and enhancements. (BZ#1274875)
  
• When using huge pages, the back-end memory for a guest was configured as
  private. This disallowed an external process connected to a vhostuser VIF
  type to access the QEMU guest's memory, which is required by the QEMU
  network driver functionality. The memory mappings are now marked as
  shared, and the external process to provide QEMU network is able to access
  the guest's memory. (BZ#1215790)
  
• The termination of a WSGI application or an RPC server immediately
  stopped the service and interrupted requests that were in progress. This
  update adds a graceful handler for the SIGTERM signal sent to the parent
  WSGI process, so the termination is performed gracefully, which allows
  ongoing processes to continue. (BZ#1250269)
  
• Previously, novaclient records requested time even when timing was set
  to False. As a consequence, system memory kept increasing. With this
  update, when timing is set to True, the time of each request is recorded
  and the timings are reset to clear the memory, which no longer
  increases. (BZ#1260868)
  
• An earlier update changed the return value when no host devices were
  found when connecting to an iSCSI or iSER volume. Consequently, when no
  host devices were found, an exception was thrown and the connect volume
  attempt failed. This update adds an additional check to ensure
  os.path.exists(None) is never called. As a result, an exception is no
  longer thrown and the connect logic correctly retries finding present
  host devices. (BZ#1268051)
  
• Compute's rootwrap filters restricted an `ln` command used by the volume
  encryption providers to a specific iSCSI related target path. Consequently,
  iSER, NFS, and FC volumes encountered failures because the `ln` command was
  rejected by Compute's rootwrap filters. This update makes Nova's rootwrap
  filters more generic when calling `ln` allowing the volume encryption
  providers to succeed. (BZ#1273466)
  
• FCoE devices have different sysfs paths to standard FC devices.
  Consequently, Nova failed when attempting to attach an FCoE based volume
  to an instance as it assumed these paths were the same. This update ensures
  that the required PCI information is parsed from both FC and FCoE sysfs
  device paths. As a result, Nova now succeeds in attaching FCoE based
  volumes to instances. (BZ#1274054)
  
• Nova failed to parse the output from the `multipath -l ${device}` command
  when errors were present. Consequently, the attaching and detaching of
  volumes could fail. This update corrects the find_multipath_device method
  to ensure that any errors present in the output from the aforementioned
  command are ignored. As a result, both the attaching and detaching of
  volumes will now succeed even if errors occur. (BZ#1275937)
  
• Volumes were not correctly detached if an error was encountered during
  the attach process, and could be left attached to an instance, resulting
  in data loss. This update ensures that the volume is both detached
  and the connection to the volume closed in the event of a failure during
  the attach process. (BZ#1276011)
  
• The ability of the libvirt driver to set the admin password has been
  added. To use this feature, run the following command:
  nova root-password [server]
  (BZ#1261100)

Solution

Before applying this update, ensure all previously released errata relevant
to your system have been applied.

Red Hat Enterprise Linux OpenStack Platform 7 runs on Red Hat Enterprise
Linux 7.2.

The Red Hat Enterprise Linux OpenStack Platform 7 Release Notes contain the
following:

• An explanation of the way in which the provided components interact to
  form a working cloud computing environment.
  
• Technology Previews, Recommended Practices, and Known Issues.
  
• The channels required for Red Hat Enterprise Linux OpenStack Platform 7,
  including which channels need to be enabled and disabled.
  

The Release Notes are available at:
https://access.redhat.com/documentation/en/red-hat-enterprise-linux-openstack-platform/version-7/release-notes/

This update is available through 'yum update' on systems registered through
Red Hat Subscription Manager. For more information about Red Hat
Subscription Manager, see:

https://access.redhat.com/documentation/en-US/Red_Hat_Subscription_Management/1/html/RHSM/index.html

Affected Products

• Red Hat Enterprise Linux Server 7 x86_64
• Red Hat Enterprise Linux Workstation 7 x86_64
• Red Hat Enterprise Linux Desktop 7 x86_64
• Red Hat OpenStack 7 x86_64

Fixes

• BZ - 1249751 - centralized logging - fluentd is blocked from accessing Nova compute logs
• BZ - 1261100 - nova: Make set_admin_password work with the libvirt driver (via QEMU guest agent)
• BZ - 1268051 - volume attach failed with iser
• BZ - 1269119 - CVE-2015-7713 openstack-nova: network security group changes are not applied to running instances
• BZ - 1273466 - Nova volume encryptors attach volume fails for NFS and FC (rootwrap)
• BZ - 1274054 - When using a FCoE adapter instead of a FC adapter, volumes will fail to attach to the VM
• BZ - 1274875 - Rebase openstack-nova to 2015.1.2
• BZ - 1275937 - nova searches for wrong device unexpectedly when multipath device has faulty lun

CVEs

• CVE-2015-7713

References

• http://www.redhat.com/security/updates/classification/#normal

Red Hat Enterprise Linux Server 7

SRPM
python-novaclient-2.23.0-2.el7ost.src.rpm	SHA-256: 0325167f949b7bc61110a7bb2c4fa07de8c1a58df147dbd150648b2dfbe9a17e
x86_64
python-novaclient-2.23.0-2.el7ost.noarch.rpm	SHA-256: 1c2e4cadb67a09da0c7f44bfac262e6077ca95edd7c08d6807f40444a1572215
python-novaclient-doc-2.23.0-2.el7ost.noarch.rpm	SHA-256: ab1821f408c08d34e2729f1df5c62ee8d30929cdb9127552b5965c846660b130

Red Hat Enterprise Linux Workstation 7

SRPM
python-novaclient-2.23.0-2.el7ost.src.rpm	SHA-256: 0325167f949b7bc61110a7bb2c4fa07de8c1a58df147dbd150648b2dfbe9a17e
x86_64
python-novaclient-2.23.0-2.el7ost.noarch.rpm	SHA-256: 1c2e4cadb67a09da0c7f44bfac262e6077ca95edd7c08d6807f40444a1572215
python-novaclient-doc-2.23.0-2.el7ost.noarch.rpm	SHA-256: ab1821f408c08d34e2729f1df5c62ee8d30929cdb9127552b5965c846660b130

Red Hat Enterprise Linux Desktop 7

SRPM
python-novaclient-2.23.0-2.el7ost.src.rpm	SHA-256: 0325167f949b7bc61110a7bb2c4fa07de8c1a58df147dbd150648b2dfbe9a17e
x86_64
python-novaclient-2.23.0-2.el7ost.noarch.rpm	SHA-256: 1c2e4cadb67a09da0c7f44bfac262e6077ca95edd7c08d6807f40444a1572215
python-novaclient-doc-2.23.0-2.el7ost.noarch.rpm	SHA-256: ab1821f408c08d34e2729f1df5c62ee8d30929cdb9127552b5965c846660b130

Red Hat OpenStack 7

SRPM
openstack-nova-2015.1.2-7.el7ost.src.rpm	SHA-256: 340c74086714ebf22ea93fd6beac884b9d07987c0ab9f7be2c4cd4a33fadaed9
python-novaclient-2.23.0-2.el7ost.src.rpm	SHA-256: 0325167f949b7bc61110a7bb2c4fa07de8c1a58df147dbd150648b2dfbe9a17e
x86_64
openstack-nova-2015.1.2-7.el7ost.noarch.rpm	SHA-256: 0be5e8128acef33f7c121a580393e8ef41665f68957b366e882f98302cb89be8
openstack-nova-api-2015.1.2-7.el7ost.noarch.rpm	SHA-256: e644043355ed084cd6f527272f1e5b3e72ad3670be3fe1d6ed8862156a38e5b8
openstack-nova-cells-2015.1.2-7.el7ost.noarch.rpm	SHA-256: 09441ecad39113fd30e2e5721a0752cf0ea693957f21aadb21a05cb5e8ee6b1f
openstack-nova-cert-2015.1.2-7.el7ost.noarch.rpm	SHA-256: cc4a5b4993b6d8ce16da23921feb2cc76fff76ada982948c2e8f8da67ebddf48
openstack-nova-common-2015.1.2-7.el7ost.noarch.rpm	SHA-256: 997b9cba5be97f626f9d6a6230b5deee083a6d60c688586b6f6bcf73c3ca86d1
openstack-nova-compute-2015.1.2-7.el7ost.noarch.rpm	SHA-256: 9eb5feeaecf6066991e9f7c7d5c7ab66e51ff7d9796a83854e36a043a0541c9f
openstack-nova-conductor-2015.1.2-7.el7ost.noarch.rpm	SHA-256: ad3f1b1ceb719c7e348a913fac77694605a73303d4e865b8272c2f4377d05d71
openstack-nova-console-2015.1.2-7.el7ost.noarch.rpm	SHA-256: 075b8ac1a0d312f3cc2d34ed772d797d4adf65f143199772ada4a903f6dc0720
openstack-nova-doc-2015.1.2-7.el7ost.noarch.rpm	SHA-256: 316bfe2bd09505f63fb8bc5e9e06fc299592e2a17cdea9a6921265fe47af2128
openstack-nova-network-2015.1.2-7.el7ost.noarch.rpm	SHA-256: ef6950b87750cd41b264a3fae63c07db382295d0ef87efc2e577b027f20e995c
openstack-nova-novncproxy-2015.1.2-7.el7ost.noarch.rpm	SHA-256: c70a928becc4dfa91b180901b6f6f9bdf28fd8d21667d4623778fcfcf0d60f3d
openstack-nova-objectstore-2015.1.2-7.el7ost.noarch.rpm	SHA-256: 2ca006e84c90097753239854362564791544c37d8841b5d04f4d792366fab125
openstack-nova-scheduler-2015.1.2-7.el7ost.noarch.rpm	SHA-256: 5a5a2781526b20a73c876501e459c107806e8ea7f13f9732c9e574018ec9a012
openstack-nova-serialproxy-2015.1.2-7.el7ost.noarch.rpm	SHA-256: 7e5fec524187f919c85dbf5c317a594c060b91dc0f17d44bdc87e0e9dd19ec73
openstack-nova-spicehtml5proxy-2015.1.2-7.el7ost.noarch.rpm	SHA-256: a7b20f7a6bad3b5df5b5b4dd9853683a3b07bcc0570366e22271d40099ebf65c
python-nova-2015.1.2-7.el7ost.noarch.rpm	SHA-256: 2cbbb1cfc9d29c4e92295d519de26ca27d258f2e817d50a5658f9deb82252e5a
python-novaclient-2.23.0-2.el7ost.noarch.rpm	SHA-256: 1c2e4cadb67a09da0c7f44bfac262e6077ca95edd7c08d6807f40444a1572215
python-novaclient-doc-2.23.0-2.el7ost.noarch.rpm	SHA-256: ab1821f408c08d34e2729f1df5c62ee8d30929cdb9127552b5965c846660b130