Issued:: 2018-02-13
Updated:: 2018-02-13

RHSA-2018:0315 - Security Advisory

Overview
Updated Packages

Synopsis

Moderate: openstack-aodh security update

Type/Severity

Security Advisory: Moderate

Red Hat Lightspeed patch analysis

Identify and remediate systems affected by this advisory.

View affected systems

Topic

An update for openstack-aodh is now available for Red Hat OpenStack Platform 11.0 (Ocata).

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

openstack-aodh provides the ability to trigger actions based on defined rules against metric or event data collected by OpenStack Telemetry (ceilometer) or Time-Series-Database-as-a-Service (gnocchi).

openstack-aodh has been rebased to the upstream 4.0.2-3 version.

Security Fix(es):

A verification flaw was found in openstack-aodh. As part of an HTTP alarm action, a user could pass in a trust ID. However, the trust could be from anyone because it was not verified. Because the trust was then used by openstack-aodh to obtain a keystone token for the alarm action, a malicious user could pass in another person's trust ID and obtain a keystone token containing the delegated authority of that user. (CVE-2017-12440)

Red Hat would like to thank the OpenStack project for reporting this issue. Upstream acknowledges Zane Bitter (Red Hat) as the original reporter.

Solution

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/11258

Affected Products

Red Hat OpenStack 11 x86_64

Fixes

BZ - 1478834 - CVE-2017-12440 openstack-aodh: Aodh can be used to launder Keystone trusts
BZ - 1511108 - Rebase openstack-aodh to 221a74e
BZ - 1531873 - Rebase openstack-aodh to c77c0aa

CVEs

CVE-2017-12440

References

https://access.redhat.com/security/updates/classification/#moderate

Note: More recent versions of these packages may be available. Click a package name for more details.

Red Hat OpenStack 11

SRPM
openstack-aodh-4.0.2-3.el7ost.src.rpm	SHA-256: 398069debbf83c44f65f471f360592831bd1a4714ad1b4e8fab2a189736e9464
x86_64
openstack-aodh-api-4.0.2-3.el7ost.noarch.rpm	SHA-256: d5fad92a73d200bb99f1e60e3777a8ce4c8d23dc94a1c65b5d02b2bc5644a33c
openstack-aodh-common-4.0.2-3.el7ost.noarch.rpm	SHA-256: 27de9be0233a2328eb3d6bc0d52e7ac7bd40299b0bf4bb034b1bef4b5857420f
openstack-aodh-compat-4.0.2-3.el7ost.noarch.rpm	SHA-256: 2407a306594721612f9527ce61e40af3c1f5bb91fedf0e6f9ae619a283b65ff8
openstack-aodh-evaluator-4.0.2-3.el7ost.noarch.rpm	SHA-256: 2f4af852211e599c5c690e25d7d0a3bb3c000218f58b18f3bd6bf72a090c28ee
openstack-aodh-expirer-4.0.2-3.el7ost.noarch.rpm	SHA-256: d0875e3518a0df4342f805f5c02040d19022fb437f2ce2eb5d6b72cf60607f57
openstack-aodh-listener-4.0.2-3.el7ost.noarch.rpm	SHA-256: 21f4ed1c294288b5dcc1a293805cbb7e2aabda47259debfa2918fab5a99e29a6
openstack-aodh-notifier-4.0.2-3.el7ost.noarch.rpm	SHA-256: 607cce5cd8ca3b526c3c5d8126f1d4704693056fc3ecaf450ec76539b1704629
python-aodh-4.0.2-3.el7ost.noarch.rpm	SHA-256: 22a7a2bd452c7e40ec91fe7566c4698e239407581be1ffabf186b0974d48d91c
python-aodh-tests-4.0.2-3.el7ost.noarch.rpm	SHA-256: 4638c2c151917b1a4a5eb139b42df0cc8bd372283138099c2e3843df55b45aa5

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.

Select Your Language

Infrastructure and Management

Cloud Computing

Storage

Runtimes

Integration and Automation