Synopsis

Moderate: openstack-cinder, openstack-glance, and openstack-nova security update

Type/Severity

Security Advisory: Moderate

Topic

An update for openstack-nova, openstack-cinder, openstack-glance, and python-oslo-concurrency is now available for Red Hat Enterprise Linux OpenStack Platform 7.0 (Kilo) for RHEL 7.

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

The Oslo concurrency library has utilities for safely running multi-thread, multi-process applications using locking mechanisms, and for running external processes.

OpenStack Compute (nova) launches and schedules large networks of virtual machines, creating a redundant and scalable cloud computing platform. Compute provides the software, control panels, and APIs required to orchestrate a cloud, including running virtual machine instances and controlling access through users and projects.

OpenStack Image Service (glance) provides discovery, registration, and delivery services for disk and server images. The service provides the ability to copy or snapshot a server image, and immediately store it away. Stored images can be used as a template to get new servers up and running quickly and more consistently than installing a server operating system and individually configuring additional services.

OpenStack Block Storage (cinder) manages block storage mounting and the presentation of such mounted block storage to instances. The backend physical storage can consist of local disks, or Fiber Channel, iSCSI, and NFS mounts attached to Compute nodes. In addition, Block Storage supports volume backups, and snapshots for temporary save and restore operations. Programmatic management is available via Block Storage's API.

Security Fix(es):

• A resource vulnerability in the OpenStack Compute (nova), Block Storage (cinder), and Image (glance) services was found in their use of qemu-img. An unprivileged user could consume as much as 4 GB of RAM on the compute host by uploading a malicious image. This flaw could lead possibly to host out-of-memory errors and negatively affect other running tenant instances.
  oslo.concurrency has been updated to support process limits ('prlimit'), which is needed to fix this flaw. (CVE-2015-5162)
  

This issue was discovered by Richard W.M. Jones (Red Hat).

Bug Fix(es):

• qemu-img calls were unrestricted by ulimit. oslo.concurrency has been updated to add support for process limits ('prlimit'), which is needed to fix the CVE-2015-5162 security vulnerability. (BZ#1383415)

Solution

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/11258

Affected Products

• Red Hat OpenStack 7 x86_64

Fixes

• BZ - 1268303 - CVE-2015-5162 openstack-nova/glance/cinder: Malicious image may exhaust resources
• BZ - 1316791 - Instance was deleted successfully without detaching its volume, if nova-compute was killed during running "nova delete"
• BZ - 1349005 - cinder volume backup throws UnicodeDecodeError: 'ascii' and access denied
• BZ - 1365899 - Missing dependency of python-oslo-log and python-oslo-policy in openstack-cinder
• BZ - 1370598 - multipathd segfault during volume attach
• BZ - 1378906 - nova-scheduler fails to start because of the too big nova database
• BZ - 1380289 - [Backport] Block based migration doesn't work for instances that have a volume attached
• BZ - 1381533 - Multi-Ephemeral instance Live Block Migration fails silently
• BZ - 1383415 - [CVE-2015-5162] oslo.concurrency: Backport support for 'prlimit' parameter [OSP-7]
• BZ - 1386268 - NetApp Cinder driver: cloning operations are unsuccessful
• BZ - 1391970 - [tempest] test_delete_attached_volume fails in RHOS7
• BZ - 1394964 - Live migration with config-drive fails with InvalidSharedStorage error
• BZ - 1399760 - rbd snapshot delete fails if backend is missing file
• BZ - 1409820 - Creating Encrypted Volumes with Cinder(Ceph backend) gives false positive
• BZ - 1410046 - Multiple attempts made to delete iSCSI multipath path devices
• BZ - 1416884 - [7.0.z] nova creates an invalid ethernet/bridge interface definition in virsh xml
• BZ - 1420451 - revert Use stashed volume connector in _local_cleanup_bdm_volumes from openstack-nova-2015.1.4-28.el7ost

CVEs

• CVE-2015-5162

References

• https://access.redhat.com/security/updates/classification/#moderate

Red Hat OpenStack 7

SRPM
openstack-cinder-2015.1.3-12.el7ost.src.rpm	SHA-256: 1671f2aec1a2ab9e5b79b7d07bb30880ec5053990907d717ef9837cadf51e66b
openstack-glance-2015.1.2-3.el7ost.src.rpm	SHA-256: 1c77574b9d6d093531f4d8af6788f697fe498696febfbc7c6e0bd465eb26a63c
openstack-nova-2015.1.4-32.el7ost.src.rpm	SHA-256: cc0aec2048fc61e514299b2c56c9c250898b090353a1b290185933281cdc9431
python-oslo-concurrency-1.8.2-2.el7ost.src.rpm	SHA-256: 4d9dd95ae7a9b45e5c5ad4faaad7e7433e19b88ef9fa8de2f5488bfc09cd192e
x86_64
openstack-cinder-2015.1.3-12.el7ost.noarch.rpm	SHA-256: e35f32dd13775a5520e1f7b6477c9be71dac7a6b230b5d64cff430b8b7427c9b
openstack-cinder-doc-2015.1.3-12.el7ost.noarch.rpm	SHA-256: 6e0d0016c0192f94a30b9a2cff83f0e6ccabf7cddd95110ee311404c909d5cdd
openstack-glance-2015.1.2-3.el7ost.noarch.rpm	SHA-256: 1cd6c7f9efc4ef3869d6c4857dc8484bbd7a37107ac241a5fee852cbbef76dd2
openstack-glance-doc-2015.1.2-3.el7ost.noarch.rpm	SHA-256: 0f039b168e3d5278e2441b9e228687d1ed8df5dfcb3ab9d3d7a69d6d3ab1c508
openstack-nova-2015.1.4-32.el7ost.noarch.rpm	SHA-256: 1d835e43d589d7220568e0d0a3b5dce1f5a9061789aa32223ebb882200902d62
openstack-nova-api-2015.1.4-32.el7ost.noarch.rpm	SHA-256: c89df4052fbfe3ce3cd375f082df5b5f23f3d69c0fe3a6251c1755abb808665b
openstack-nova-cells-2015.1.4-32.el7ost.noarch.rpm	SHA-256: bc7f7e36bf9600b9d85cc0c977e80e55bf061c8a57414c1919d2da577d4ae5e1
openstack-nova-cert-2015.1.4-32.el7ost.noarch.rpm	SHA-256: dfbff3e35b81ed0406fd319a063ef3a6188bafcbc5bcb344d569f09f4291106b
openstack-nova-common-2015.1.4-32.el7ost.noarch.rpm	SHA-256: ac58e06e8f8c6f90a84600302976ed4f9616116591bd2af43935bc30f0f29b66
openstack-nova-compute-2015.1.4-32.el7ost.noarch.rpm	SHA-256: 054a7100c2e7a287f427e0196fbf16cc2f7e863cf249e315c24e51bfadd882de
openstack-nova-conductor-2015.1.4-32.el7ost.noarch.rpm	SHA-256: e6fa9310a2c07ae3cd0388bad1c1b645b4860f2cd45a3d434659198f4fdbd0b0
openstack-nova-console-2015.1.4-32.el7ost.noarch.rpm	SHA-256: 3f4c5d35b947f0b24c3c47ed5310c9a5878c15bbfb0f5ba0dd3197cf44f057d0
openstack-nova-doc-2015.1.4-32.el7ost.noarch.rpm	SHA-256: 2dbaf14271f8bda27a5cdfd3f390020f61c171c5155f2e7b18403c80df847ef3
openstack-nova-network-2015.1.4-32.el7ost.noarch.rpm	SHA-256: e0648971bb03bfd3217d6ab476ff6d22a41a6135fb73bbb4dcce09cc0c22bfe2
openstack-nova-novncproxy-2015.1.4-32.el7ost.noarch.rpm	SHA-256: 658cf09b30a503d2ae171036296b6be8c35b3e25fb6f76e3beae758added3c57
openstack-nova-objectstore-2015.1.4-32.el7ost.noarch.rpm	SHA-256: 767c43e8d1c4ebc8ca7784ceb8f95f74e4a98005d2b6886f736de69f2d377eb7
openstack-nova-scheduler-2015.1.4-32.el7ost.noarch.rpm	SHA-256: 7ed5f973058aa667eed5a634f7965ef8649bcb1026949fdb90d01d3b06084761
openstack-nova-serialproxy-2015.1.4-32.el7ost.noarch.rpm	SHA-256: bf25089e949bbb440c6a4110043b00f9bbaf27f66a9845e10b4a38807973ad05
openstack-nova-spicehtml5proxy-2015.1.4-32.el7ost.noarch.rpm	SHA-256: b0db3952a3b845bda380c342585b7fed2f451a3a5cf4f37e5f9f7ad0550def23
python-cinder-2015.1.3-12.el7ost.noarch.rpm	SHA-256: 0fce2e265697038d1ac81a2f202bcce231685dae19d09114a470fa1c446256aa
python-glance-2015.1.2-3.el7ost.noarch.rpm	SHA-256: 352dd2bfe618266c759bb372a28ddcd843d17b4eaa1aeba21300f0105589e79d
python-nova-2015.1.4-32.el7ost.noarch.rpm	SHA-256: 286479999eea4a29ca9770f6a570ec10dd3de0431f831ff16687ec13972dbe00
python-oslo-concurrency-1.8.2-2.el7ost.noarch.rpm	SHA-256: 01a3cfac552d832d1f3063663ce4ab50e1f91eaa9c18d5122e6ecb2105bc97af
python-oslo-concurrency-doc-1.8.2-2.el7ost.noarch.rpm	SHA-256: a30975fd3d79ff7cbf3cb6d2bce2935cf60874ba8d4650b4c45d8f6566699491