Issued:
2017-05-17
Updated:
2017-05-17

RHSA-2017:1242 - Security Advisory

Synopsis

Important: Red Hat OpenStack Platform director security update

Type/Severity

Security Advisory: Important

Topic

An update is now available for Red Hat OpenStack Platform 10.0 (Newton).

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

Red Hat OpenStack Platform director provides the facilities for deploying and monitoring a private or public infrastructure-as-a-service (IaaS) cloud based on Red Hat OpenStack Platform.

Security Fix(es):

  • A design flaw issue was found in the Red Hat OpenStack Platform director use of TripleO to enable libvirtd based live-migration. Libvirtd is deployed by default (by director) listening on 0.0.0.0 (all interfaces) with no-authentication or encryption. Anyone able to make a TCP connection to any compute host IP address, including 127.0.0.1, other loopback interface addresses, or in some cases possibly addresses that have been exposed beyond the management interface, could use this to open a virsh session to the libvirtd instance and gain control of virtual machine instances or possibly take over the host. (CVE-2017-2637)

A KCS article with more information on this flaw is available at:
https://access.redhat.com/solutions/3022771

This issue was discovered by David Gurtner (Red Hat).

Solution

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/11258

Affected Products

  • Red Hat OpenStack 10 x86_64

Fixes

  • BZ - 1416228 - rhosp-director: Failed to minor update overcloud - fails before running yum update.
  • BZ - 1428017 - Package update fails in the compute node
  • BZ - 1428240 - CVE-2017-2637 rhosp-director:libvirtd is deployed with no authentication
  • BZ - 1437016 - tripleo client stuck in IN_PROGRESS in overcloud update run
  • BZ - 1441982 - [UPDATES] Update of mod_ssl package prevents haproxy from starting
  • BZ - 1448062 - Unable to log in via SSH to compute nodes with the heat-admin user

CVEs

References

Red Hat OpenStack 10

SRPM
openstack-nova-14.0.3-9.el7ost.src.rpm SHA-256: d17d6eb67bf8b6c3c3cc6412c3aa9a512ffc5848e2f4d2829f05fce08904cc6c
openstack-tripleo-common-5.4.1-6.el7ost.src.rpm SHA-256: 29d5ad3af7edf144eb940f7569a9c6bab029bc5a7ca0cfb2ed86246ea982474e
openstack-tripleo-heat-templates-5.2.0-15.el7ost.src.rpm SHA-256: 8092c5fbd06d3d7170103ff8784738daceeb8e434fd2a3bcaaa7be700eb4fcad
openstack-tripleo-puppet-elements-5.2.0-3.el7ost.src.rpm SHA-256: 3968c3428a87b3f6b9b1c07ef3693b44618dfbd95c41696689f63f6eb9bf0507
puppet-nova-9.5.0-4.el7ost.src.rpm SHA-256: ee1e0a41f3f9ae5f63c452ac22ab317556a7fc3a4aae6f0b95940e57a19d1183
puppet-tripleo-5.5.0-12.el7ost.src.rpm SHA-256: 5a36f203f05c37a213fd8548bc636821471520883a183d16baf87d957c5bdcd2
x86_64
openstack-nova-14.0.3-9.el7ost.noarch.rpm SHA-256: ab5850c41840956964dcc762024cfcf2891015c9edefe5098bd59856765511d5
openstack-nova-api-14.0.3-9.el7ost.noarch.rpm SHA-256: dedaad259c71f2b7ff9e654b17bf28df89a929ac1acdecfe80eb0618387f6631
openstack-nova-cells-14.0.3-9.el7ost.noarch.rpm SHA-256: f16d66d2dac33a10c0080aaef0ba52b67479c39c39ff68a5ffad60647cf41ea5
openstack-nova-cert-14.0.3-9.el7ost.noarch.rpm SHA-256: 60351be121b3eb97005726d179c0f6e2a93fd34e8a007b5e08aa0b01cb4163b7
openstack-nova-common-14.0.3-9.el7ost.noarch.rpm SHA-256: 21bfc4edf193f02707b54016c3b0891c7540eece9bc622b1c856cef93043a2e1
openstack-nova-compute-14.0.3-9.el7ost.noarch.rpm SHA-256: 2cee3e5d21b5f93875fcb89f718380cdd3c05e004376f1aad69840a6fec76e03
openstack-nova-conductor-14.0.3-9.el7ost.noarch.rpm SHA-256: 1a5169f2877832f3385ecabf15c582fa373659fb70bbbdcb307095a331604d43
openstack-nova-console-14.0.3-9.el7ost.noarch.rpm SHA-256: f3228bc17daba149e2cb6e76f61721b7be2202b8238f7c432f3d4622f6f2b982
openstack-nova-migration-14.0.3-9.el7ost.noarch.rpm SHA-256: 77a67682b8b129017a999a99f90549c3eee67e9319f38b92f9fa44a53347d676
openstack-nova-network-14.0.3-9.el7ost.noarch.rpm SHA-256: cd6acd9dac1aaaf47ac2821c673652d4e7bcd9930cf03f5a936fe0ce70c98489
openstack-nova-novncproxy-14.0.3-9.el7ost.noarch.rpm SHA-256: 7f448f42e4e0b5a2a36eb78c879d56dd38a90fe2b1b978c617ecfd99165dcf95
openstack-nova-placement-api-14.0.3-9.el7ost.noarch.rpm SHA-256: 0b2ed986fd13be7ad7956bab7b0d0a41901708b6357ba5c8944ea77af7782465
openstack-nova-scheduler-14.0.3-9.el7ost.noarch.rpm SHA-256: 61f1cf9fbf0ad0fee9353c3c022a7d8637dd92e1e72e8e036d5c19d6051ee4ae
openstack-nova-serialproxy-14.0.3-9.el7ost.noarch.rpm SHA-256: 6c7e82cf134d39ac450dc69ad4e527974c3aa7c7b94aa49d326f0291b2b5581a
openstack-nova-spicehtml5proxy-14.0.3-9.el7ost.noarch.rpm SHA-256: 15454659dc5aa0f991d5f7dbdcef9ea5fe80070af80031cbfa0dc664116b79bd
openstack-tripleo-common-5.4.1-6.el7ost.noarch.rpm SHA-256: 7c7b412ecd4771febc142e518de63a051107a3eb963b5286513a23b71adfbbaa
openstack-tripleo-heat-templates-5.2.0-15.el7ost.noarch.rpm SHA-256: 0d2e2a4c7d47eb35e3ec9ca91481c79d50e45ff29060808f3c24277dbe9227c7
openstack-tripleo-puppet-elements-5.2.0-3.el7ost.noarch.rpm SHA-256: 324c1c0c0a4bb3aa95292b723ff15c712ff73c6e801b4e1107859b1f8f44a18f
puppet-nova-9.5.0-4.el7ost.noarch.rpm SHA-256: 2c5c4819f94ab564d1e1b511daaec89b74639b8413609dcf2a74e1404554b055
puppet-tripleo-5.5.0-12.el7ost.noarch.rpm SHA-256: 0284ca8fe90acbbd81f2a9a6b86aabeca35abde5443e408e7071c8eff3846b90
python-nova-14.0.3-9.el7ost.noarch.rpm SHA-256: f9a29495944c7f4a797ff67a9493bd9de682e1e95529ac5b847f651311ad88ec
python-nova-tests-14.0.3-9.el7ost.noarch.rpm SHA-256: bb15bc2a1b42657139e9368842c252eded23763fe4c5e18afb806eddfc43c433

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.