Issued:: 2017-11-15
Updated:: 2017-11-15

RHSA-2017:3227 - Security Advisory

Overview
Updated Packages

Synopsis

Moderate: openstack-aodh security update

Type/Severity

Security Advisory: Moderate

Red Hat Insights patch analysis

Identify and remediate systems affected by this advisory.

View affected systems

Topic

An update for openstack-aodh is now available for Red Hat OpenStack Platform 10.0 (Newton).

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

openstack-aodh provides the ability to trigger actions based on defined rules against metric or event data collected by OpenStack Telemetry (ceilometer) or Time-Series-Database-as-a-Service (gnocchi).

Security Fix(es):

A verification flaw was found in openstack-aodh. As part of an HTTP alarm action, a user could pass in a trust ID. However, the trust could be from anyone because it was not verified. Because the trust was then used by openstack-aodh to obtain a keystone token for the alarm action, a malicious user could pass in another person's trust ID and obtain a keystone token containing the delegated authority of that user. (CVE-2017-12440)

This issue was discovered by Luke Hinds (Red Hat). Upstream acknowledges Zane Bitter (Red Hat) as the original reporter.

Solution

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/11258

Affected Products

Red Hat OpenStack 10 x86_64

Fixes

BZ - 1478834 - CVE-2017-12440 openstack-aodh: Aodh can be used to launder Keystone trusts

CVEs

CVE-2017-12440

References

https://access.redhat.com/security/updates/classification/#moderate

Note: More recent versions of these packages may be available. Click a package name for more details.

Red Hat OpenStack 10

SRPM
openstack-aodh-3.0.4-1.el7ost.src.rpm	SHA-256: b8a12c322f8e55f869bcd03ffb6b45b97be6ffc8807c85cc9d2669c63912d4fa
x86_64
openstack-aodh-api-3.0.4-1.el7ost.noarch.rpm	SHA-256: 7df70ba47f05f874192483005115c2d6be32db31f6d74afee621d85b02952613
openstack-aodh-common-3.0.4-1.el7ost.noarch.rpm	SHA-256: 14e1b967477290bca99bff5d19f18a064e3033eaf4c83e98b1f885ec688bc4ae
openstack-aodh-compat-3.0.4-1.el7ost.noarch.rpm	SHA-256: 2f3dd58a38ba3903037209d05cada642df70c28e93aaf69df9f4578bf5995863
openstack-aodh-evaluator-3.0.4-1.el7ost.noarch.rpm	SHA-256: cb9c0acb6cf38e239b858e60927381571a868683444cd1e4b0570f1d78e7bc4d
openstack-aodh-expirer-3.0.4-1.el7ost.noarch.rpm	SHA-256: c59cc2a6c7d22817a9e8fe1c85f08d5b74ab36d5a871a9e2214858d103db011e
openstack-aodh-listener-3.0.4-1.el7ost.noarch.rpm	SHA-256: 06ba2c48af0a026b028c1dbf3c1922340085435571393e7f3b73f5896e04783b
openstack-aodh-notifier-3.0.4-1.el7ost.noarch.rpm	SHA-256: df5e9407c9c711ddc4a1b0274454b357ffcc5de8e420b57ddb13deefc22f6442
python-aodh-3.0.4-1.el7ost.noarch.rpm	SHA-256: 60af3860ee7733bdf2d910884fff95c40863daca9d0a80a5fdc7c39e61dcf827
python-aodh-tests-3.0.4-1.el7ost.noarch.rpm	SHA-256: 6cedab183fae12172c6258c95498eb4b36685876f7ea20ca87c5e9e5844b2c20

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.

Select Your Language

Infrastructure and Management

Cloud Computing

Storage

Runtimes

Integration and Automation