Issued:: 2016-12-07
Updated:: 2016-12-07

RHSA-2016:2923 - Security Advisory

Overview
Updated Packages

Synopsis

Moderate: openstack-cinder and openstack-glance security update

Type/Severity

Security Advisory: Moderate

Red Hat Insights patch analysis

Identify and remediate systems affected by this advisory.

View affected systems

Topic

Updated openstack-cinder and openstack-glance packages that fix one security issue are now available for Red Hat OpenStack Platform 9.0 (Mitaka).

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

OpenStack Block Storage (cinder) manages block storage mounting and the presentation of such mounted block storage to instances. The backend physical storage can consist of local disks, or Fiber Channel, iSCSI, and NFS mounts attached to Compute nodes. In addition, Block Storage supports volume backups, and snapshots for temporary save and restore operations. Programatic management is available via Block Storage's API.

OpenStack Image service (glance) provides discovery, registration, and delivery services for disk and server images. It provides the ability to copy or snapshot a server image, and immediately store it away. Stored images can be used as a template to get new servers up and running quickly and more consistently than installing a server operating system and individually configuring additional services.

Security Fix(es):

A resource vulnerability in the Block Storage (cinder) and Image (glance) services was found in their use of qemu-img. An unprivileged user could consume as much as 4 GB of RAM on the compute host by uploading a malicious image. This flaw could lead possibly to host out-of-memory errors and negatively affect other running tenant instances. (CVE-2015-5162)

Solution

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/11258

Affected Products

Red Hat OpenStack 9 x86_64

Fixes

BZ - 1268303 - CVE-2015-5162 openstack-nova/glance/cinder: Malicious image may exhaust resources
BZ - 1380842 - Creating Encrypted Volumes with Cinder(Ceph backend) gives false positive
BZ - 1381283 - cinder-api lost SSL in oslo.service wsgi move for Mitaka
BZ - 1381350 - qemu-img calls need to be restricted by ulimit
BZ - 1386253 - NetApp Cinder driver: cloning operations are unsuccessful

CVEs

CVE-2015-5162

References

https://access.redhat.com/security/updates/classification/#moderate

Note: More recent versions of these packages may be available. Click a package name for more details.

Red Hat OpenStack 9

SRPM
openstack-cinder-8.1.1-4.el7ost.src.rpm	SHA-256: 5e8240753576510947b7b32845dff842dc972da7de3cf9e9f5014adaf85411b3
openstack-glance-12.0.0-2.el7ost.src.rpm	SHA-256: 0ea62e96f9bef4c4084be82de7c48353a0f0339b8389f8e7eec58b6362a071ed
x86_64
openstack-cinder-8.1.1-4.el7ost.noarch.rpm	SHA-256: 5c68a5b6b9973f9c78aae0481f0d9f5bddc7ec50b5bbea4749abc4a57ece29d7
openstack-glance-12.0.0-2.el7ost.noarch.rpm	SHA-256: 94e80edeee317e2e13657439dc44c4a3fb0ffe328ad12e3d44386592da0ffabf
python-cinder-8.1.1-4.el7ost.noarch.rpm	SHA-256: c1fdc956818dae43157d327d4a52c9887b6b4d72db61fa89928083fd129c2aa8
python-cinder-tests-8.1.1-4.el7ost.noarch.rpm	SHA-256: ddde2cb588c8b751f2ea0093572ff5d5d3aabfd6e0d9aa072367790bd16259dc
python-glance-12.0.0-2.el7ost.noarch.rpm	SHA-256: 2941942da54dee987ce597b7e6cdbf110238e36c2541e8641a68eae06c5761af
python-glance-tests-12.0.0-2.el7ost.noarch.rpm	SHA-256: 962dfc0c4331725fe2e7f46bfeb033a01d17cc3c4933c7845d6dfb28f409d49e

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.

Select Your Language

Infrastructure and Management

Cloud Computing

Storage

Runtimes

Integration and Automation