Issued:: 2017-06-20
Updated:: 2017-06-20

RHSA-2017:1546 - Security Advisory

Overview
Updated Packages

Synopsis

Important: Red Hat OpenStack Platform director security update

Type/Severity

Security Advisory: Important

Red Hat Lightspeed patch analysis

Identify and remediate systems affected by this advisory.

View affected systems

Topic

An update is now available for Red Hat OpenStack Platform 8.0 (Liberty).

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

Red Hat OpenStack Platform director provides the facilities for deploying and monitoring a private or public infrastructure-as-a-service (IaaS) cloud based on Red Hat OpenStack Platform.

Security Fix(es):

A design flaw issue was found in the Red Hat OpenStack Platform director use of TripleO to enable libvirtd based live-migration. Libvirtd is deployed by default (by director) listening on 0.0.0.0 (all interfaces) with no-authentication or encryption. Anyone able to make a TCP connection to any compute host IP address, including 127.0.0.1, other loopback interface addresses, or in some cases possibly addresses that have been exposed beyond the management interface, could use this to open a virsh session to the libvirtd instance and gain control of virtual machine instances or possibly take over the host. (CVE-2017-2637)

A KCS article with more information on this flaw is available at:
https://access.redhat.com/solutions/3022771

This issue was discovered by David Gurtner (Red Hat).

Solution

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/11258

Affected Products

Red Hat OpenStack 8 x86_64

Fixes

BZ - 1428240 - CVE-2017-2637 rhosp-director:libvirtd is deployed with no authentication
BZ - 1457138 - Deployment fails with Error: /Stage[main]/Main/File[/etc/nova/migration/identity]/ensure: change from absent to file failed: Could not set 'file' on ensure: No such file or directory -

CVEs

CVE-2017-2637

References

Note: More recent versions of these packages may be available. Click a package name for more details.

Red Hat OpenStack 8

SRPM
openstack-tripleo-heat-templates-0.8.14-29.el7ost.src.rpm	SHA-256: acb154a0343a27e824738c9b5fe62a90c4e962722e3c89e21dd923c03228bb54
openstack-tripleo-puppet-elements-0.0.5-2.el7ost.src.rpm	SHA-256: 6a8bcad487d82cbf64ec2e098cb450b099d27e0223449d77f457ac4ac2835d38
python-tripleoclient-0.3.4-14.el7ost.src.rpm	SHA-256: 50962158c7603d2edcd345d7a6e5faf96bda7292c656d926b622368e1ce0688f
x86_64
openstack-tripleo-heat-templates-0.8.14-29.el7ost.noarch.rpm	SHA-256: 20dc535dfbd904a1e76a382ad49233be35086eca156642af81e3ed09b6e518a9
openstack-tripleo-heat-templates-kilo-0.8.14-29.el7ost.noarch.rpm	SHA-256: 27bf2e0f178e4bbc3c20435597168ce87a41dc6f0e53d95bfffab3af0a10c195
openstack-tripleo-puppet-elements-0.0.5-2.el7ost.noarch.rpm	SHA-256: d86e8e18d21b0f64c7cd464461d1d5f110cec54fff17835973b660a58fcec177
python-tripleoclient-0.3.4-14.el7ost.noarch.rpm	SHA-256: 64123546fd30c76746b34d2419ab02955e9a6e491b23e6186da90c07084fbd75

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.

Select Your Language

Infrastructure and Management

Cloud Computing

Storage

Runtimes

Integration and Automation