Issued:: 2017-08-08
Updated:: 2017-08-08

RHSA-2017:2447 - Security Advisory

Overview
Updated Packages

Synopsis

Important: openstack-neutron security update

Type/Severity

Security Advisory: Important

Red Hat Lightspeed patch analysis

Identify and remediate systems affected by this advisory.

View affected systems

Topic

An update for openstack-neutron is now available for Red Hat OpenStack Platform 9.0 (Mitaka).

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

OpenStack Networking (neutron) is a pluggable, scalable, and API-driven system that provisions networking services to virtual machines. Its main function is to manage connectivity to and from virtual machines.

Security Fix(es):

A race-condition flaw was discovered in openstack-neutron where, following a minor overcloud update, neutron security groups were disabled. Specifically, the following were reset to 0: net.bridge.bridge-nf-call-arptables, net.bridge.bridge-nf-call-ip6tables, and net.bridge.bridge-nf-call-iptables. The race was only triggered by an update, at which point an attacker could access exposed tenant VMs and network resources. (CVE-2017-7543)

This issue was discovered by Paul Needle (Red Hat).

Solution

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/11258

Affected Products

Red Hat OpenStack 9 x86_64

Fixes

BZ - 1473792 - CVE-2017-7543 openstack-neutron: iptables not active after update

CVEs

CVE-2017-7543

References

https://access.redhat.com/security/updates/classification/#important

Note: More recent versions of these packages may be available. Click a package name for more details.

Red Hat OpenStack 9

SRPM
openstack-neutron-8.3.0-11.1.el7ost.src.rpm	SHA-256: 5bcdd790eec0c13f9e2a86323dd47b6a8de524fb056ed6c0c404100b865262fc
x86_64
openstack-neutron-8.3.0-11.1.el7ost.noarch.rpm	SHA-256: 0dd02d6c6bf120077429202fabb9431991e02212c0ec902356ecd49017f95323
openstack-neutron-bgp-dragent-8.3.0-11.1.el7ost.noarch.rpm	SHA-256: 019c1612b1ac0943911df3b98a0de6aad112891197d5aedf7be9e8f9735c81db
openstack-neutron-common-8.3.0-11.1.el7ost.noarch.rpm	SHA-256: 7c035d67bc4065cc0305277133bfce0c532c60ea75ad0b748729749537c2353f
openstack-neutron-linuxbridge-8.3.0-11.1.el7ost.noarch.rpm	SHA-256: 148c1fd619cbace4dd47f4c2fb8153662979c3b1b96a1bb3a8eb528731cb7a02
openstack-neutron-macvtap-agent-8.3.0-11.1.el7ost.noarch.rpm	SHA-256: 341afc7098a09d23ae61e24155a43923d133678964abc4fdc54054de3daea253
openstack-neutron-metering-agent-8.3.0-11.1.el7ost.noarch.rpm	SHA-256: ff5fb5fe0eab8598117e895d3b00074cb55407190f95931c3a0eafd0b37d49c9
openstack-neutron-ml2-8.3.0-11.1.el7ost.noarch.rpm	SHA-256: ddd7bd0a722c613fb5cd1e4784f5deba8258b25fed15cb6d6341ff6ccce1f683
openstack-neutron-openvswitch-8.3.0-11.1.el7ost.noarch.rpm	SHA-256: f6e847337eb78ec7a0f41c939df40b1e3723fefe16b63d04dca5ca654e88404c
openstack-neutron-rpc-server-8.3.0-11.1.el7ost.noarch.rpm	SHA-256: 11ce8aa32f20f3a8c652f167b182ee6c7342f2186a5088c25abb49572ed3949b
openstack-neutron-sriov-nic-agent-8.3.0-11.1.el7ost.noarch.rpm	SHA-256: 0e5eb62b287adda9cc3c84d9af728cb20ca388e155faa04d11dc966ffb82ab83
python-neutron-8.3.0-11.1.el7ost.noarch.rpm	SHA-256: cbbd34caf4edba4126cb02311814909b064f2da1d753afca7851eaef3e941ad7
python-neutron-tests-8.3.0-11.1.el7ost.noarch.rpm	SHA-256: 1273c8343d50171ac0060cf8bdae75cebb8726fc520c71c54ea366f05b623c70

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.

Select Your Language

Infrastructure and Management

Cloud Computing

Storage

Runtimes

Integration and Automation