Issued:: 2016-12-21
Updated:: 2016-12-21

RHSA-2016:2991 - Security Advisory

Overview
Updated Packages

Synopsis

Moderate: openstack-cinder, openstack-glance, and openstack-nova update

Type/Severity

Security Advisory: Moderate

Red Hat Insights patch analysis

Identify and remediate systems affected by this advisory.

View affected systems

Topic

An update for openstack-nova, openstack-cinder, and openstack-glance is now available for Red Hat OpenStack Platform 8.0 (Liberty).

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

OpenStack Compute (nova) launches and schedules large networks of virtual machines, creating a redundant and scalable cloud computing platform. Compute provides the software, control panels, and APIs required to orchestrate a cloud, including running virtual machine instances and controlling access through users and projects.

OpenStack Block Storage (cinder) manages block storage mounting and the presentation of such mounted block storage to instances. The backend physical storage can consist of local disks, or Fiber Channel, iSCSI, and NFS mounts attached to Compute nodes. In addition, Block Storage supports volume backups, and snapshots for temporary save and restore operations. Programatic management is available via Block Storage's API.

OpenStack Image Service (glance) provides discovery, registration, and delivery services for disk and server images. The service provides the ability to copy or snapshot a server image, and immediately store it away. Stored images can be used as a template to get new servers up and running quickly and more consistently than installing a server operating system and individually configuring additional services.

The following packages have been upgraded to a newer upstream version: openstack-nova (12.0.5), openstack-cinder (7.0.3), openstack-glance (11.0.1). (BZ#1381466, BZ#1396263)

Security Fix(es):

A resource vulnerability in the OpenStack Compute (nova), Block Storage (cinder), and Image (glance) services was found in their use of qemu-img. An unprivileged user could consume as much as 4 GB of RAM on the compute host by uploading a malicious image. This flaw could lead possibly to host out-of-memory errors and negatively affect other running tenant instances. (CVE-2015-5162)

This issue was discovered by Richard W.M. Jones (Red Hat).

Bug Fix(es):

There is a known issue with Unicode string handling in the OSProfiler library. Consequently, the creation of a Block Storage (cinder) snapshot will fail if it uses non-ASCII characters. With this update, the OSProfiler library is not loaded unless it is specifically enabled in the cinder configuration. As a result, the Unicode handling issue in OSProfiler is still present, and will result in the same failure if OSProfiler is used, however it will be unlikely to occur in most cinder configurations. A more in-depth resolution for this issue is not currently in scope. (BZ#1383899)

Solution

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/11258

Affected Products

Red Hat OpenStack 8 x86_64

Fixes

BZ - 1268303 - CVE-2015-5162 openstack-nova/glance/cinder: Malicious image may exhaust resources
BZ - 1357461 - Incorrect host cpu is given to emulator threads when cpu_realtime_mask flag is set.
BZ - 1379385 - Floating IP shows as associated in Nova after deletion[rhos-8.0]
BZ - 1381466 - rebase to 12.0.5
BZ - 1381534 - Multi-Ephemeral instance Live Block Migration fails silently
BZ - 1381965 - [Backport] Block based migration doesn't work for instances that have a volume attached
BZ - 1383899 - Can not create cinder snapshot if the description contains non-ascii code
BZ - 1385486 - [8.0.z] After upgrading from RHOSP 6 to RHOSP 8 existing instances fail to start.
BZ - 1386263 - NetApp Cinder driver: cloning operations are unsuccessful
BZ - 1387467 - glance image-create owner option not working
BZ - 1387617 - Can't do image-create for suspended instance booted from volume [RHOS-8]
BZ - 1390109 - [tempest] test_delete_attached_volume fails in RHOS8
BZ - 1396263 - Rebase to 7.0.3

CVEs

CVE-2015-5162

References

https://access.redhat.com/security/updates/classification/#moderate

Note: More recent versions of these packages may be available. Click a package name for more details.

Red Hat OpenStack 8

SRPM
openstack-cinder-7.0.3-1.el7ost.src.rpm	SHA-256: 31ee7d2ba815b247bf3c980826f0325662dc1c1837572d0c297a551fde9eab87
openstack-glance-11.0.1-6.el7ost.src.rpm	SHA-256: eb804a8583ee21975430fa51d28781a332bc29a6ffec312b17913c024ccefddd
openstack-nova-12.0.5-9.el7ost.src.rpm	SHA-256: 4415be61ffdcec90c8e9828a3134230ed44195370c05e7651faa3cd97bbb5e31
x86_64
openstack-cinder-7.0.3-1.el7ost.noarch.rpm	SHA-256: 02c357f6a081271fa7d4f75b0948933aefba63f1579388d82d166144811a320a
openstack-glance-11.0.1-6.el7ost.noarch.rpm	SHA-256: 9aa75fa2abb99545156c7d5f1666a5f125042ef25aeaf452d659ab7782eefc76
openstack-nova-12.0.5-9.el7ost.noarch.rpm	SHA-256: 91d87d9875afb9fd7878ad293ba1614ad0701a44fa47739b7f855b33f3d9b250
openstack-nova-api-12.0.5-9.el7ost.noarch.rpm	SHA-256: ff7585a096d7ee96e8341027be2e04512c04e38aecd3610093029a3b5c75468a
openstack-nova-cells-12.0.5-9.el7ost.noarch.rpm	SHA-256: 050211ed9e24915ae00bd89b52952f28661319a920245c56732827632f8ec1cd
openstack-nova-cert-12.0.5-9.el7ost.noarch.rpm	SHA-256: 7f96fa688938fe491b2bda034e7f788f7ac25eb2ba0bd0ff63f8de55ab8145f8
openstack-nova-common-12.0.5-9.el7ost.noarch.rpm	SHA-256: e62224cc881df5f22cb9aa6cf7e8c84af906c2963e7d84b381e1b1c11f9555ea
openstack-nova-compute-12.0.5-9.el7ost.noarch.rpm	SHA-256: bcea50c709c09d06dbd7bf77213ac5bdb4be8b992817f6251bea29a40957c4d8
openstack-nova-conductor-12.0.5-9.el7ost.noarch.rpm	SHA-256: 02694e4089d7ca5b6c8858c8f70c043001f5b1c08d8f26632bc23ccc638df0b9
openstack-nova-console-12.0.5-9.el7ost.noarch.rpm	SHA-256: b4358784ede0b0248c9904ea3557a9c56b414b1ba08373ce083eddce58dc7fbb
openstack-nova-network-12.0.5-9.el7ost.noarch.rpm	SHA-256: 51ef9b6d909591acb4a900477588d9a9c6e97a8e678dd87c02b04ead6983636d
openstack-nova-novncproxy-12.0.5-9.el7ost.noarch.rpm	SHA-256: 9ef217f1ad72fe37e3e5539682daca7c02402219547381af7080b90be236cf13
openstack-nova-objectstore-12.0.5-9.el7ost.noarch.rpm	SHA-256: 041d0112569821e05a7f43e1253fc013da7f5993e3b2112c7f68c28242a919da
openstack-nova-scheduler-12.0.5-9.el7ost.noarch.rpm	SHA-256: 38960f6289ce2250e1fe3b617ae8605ec3782fc25f2934e98b40ddb9a8f31008
openstack-nova-serialproxy-12.0.5-9.el7ost.noarch.rpm	SHA-256: db9f8b03d8adfa4d0d15c2a702e0a7b6a9efbfc73e4e3ab160506d3e6cb3e549
openstack-nova-spicehtml5proxy-12.0.5-9.el7ost.noarch.rpm	SHA-256: 15aae50c83fc1715f9e1a2919dc8c3ee1eab5006a99bd8d638579d3abe49a297
python-cinder-7.0.3-1.el7ost.noarch.rpm	SHA-256: fe1ad7157fd300e2e1051ae7faacf7ee37c3920bc046b44e41124da73a5d162a
python-glance-11.0.1-6.el7ost.noarch.rpm	SHA-256: d69a8659f5c0b88bf8dbd7a22f0b86ba065015be1f7c77b846add2211974681a
python-nova-12.0.5-9.el7ost.noarch.rpm	SHA-256: 7490cfcdb2d50176b998c28d5f33d3e5f3cf2e5c5f7998fbe93fb3752fd74a9a

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.

Select Your Language

Infrastructure and Management

Cloud Computing

Storage

Runtimes

Integration and Automation