Skip to navigation Skip to main content

Utilities

  • Subscriptions
  • Downloads
  • Containers
  • Support Cases
Red Hat Customer Portal
  • Subscriptions
  • Downloads
  • Containers
  • Support Cases
  • Products & Services

    Products

    Support

    • Production Support
    • Development Support
    • Product Life Cycles

    Services

    • Consulting
    • Technical Account Management
    • Training & Certifications

    Documentation

    • Red Hat Enterprise Linux
    • Red Hat JBoss Enterprise Application Platform
    • Red Hat OpenStack Platform
    • Red Hat OpenShift Container Platform
    All Documentation

    Ecosystem Catalog

    • Red Hat Partner Ecosystem
    • Partner Resources
  • Tools

    Tools

    • Troubleshoot a product issue
    • Packages
    • Errata

    Customer Portal Labs

    • Configuration
    • Deployment
    • Security
    • Troubleshoot
    All labs

    Red Hat Insights

    Increase visibility into IT operations to detect and resolve technical issues before they impact your business.

    Learn More
    Go to Insights
  • Security

    Red Hat Product Security Center

    Engage with our Red Hat Product Security team, access security updates, and ensure your environments are not exposed to any known security vulnerabilities.

    Product Security Center

    Security Updates

    • Security Advisories
    • Red Hat CVE Database
    • Security Labs

    Keep your systems secure with Red Hat's specialized responses to security vulnerabilities.

    View Responses

    Resources

    • Security Blog
    • Security Measurement
    • Severity Ratings
    • Backporting Policies
    • Product Signing (GPG) Keys
  • Community

    Customer Portal Community

    • Discussions
    • Private Groups
    Community Activity

    Customer Events

    • Red Hat Convergence
    • Red Hat Summit

    Stories

    • Red Hat Subscription Value
    • You Asked. We Acted.
    • Open Source Communities
Or troubleshoot an issue.

Select Your Language

  • English
  • 한국어
  • 日本語
  • 中文 (中国)

Infrastructure and Management

  • Red Hat Enterprise Linux
  • Red Hat Virtualization
  • Red Hat Identity Management
  • Red Hat Directory Server
  • Red Hat Certificate System
  • Red Hat Satellite
  • Red Hat Subscription Management
  • Red Hat Update Infrastructure
  • Red Hat Insights
  • Red Hat Ansible Automation Platform

Cloud Computing

  • Red Hat OpenShift
  • Red Hat CloudForms
  • Red Hat OpenStack Platform
  • Red Hat OpenShift Container Platform
  • Red Hat OpenShift Data Science
  • Red Hat OpenShift Online
  • Red Hat OpenShift Dedicated
  • Red Hat Advanced Cluster Security for Kubernetes
  • Red Hat Advanced Cluster Management for Kubernetes
  • Red Hat Quay
  • Red Hat CodeReady Workspaces
  • Red Hat OpenShift Service on AWS

Storage

  • Red Hat Gluster Storage
  • Red Hat Hyperconverged Infrastructure
  • Red Hat Ceph Storage
  • Red Hat OpenShift Data Foundation

Runtimes

  • Red Hat Runtimes
  • Red Hat JBoss Enterprise Application Platform
  • Red Hat Data Grid
  • Red Hat JBoss Web Server
  • Red Hat Single Sign On
  • Red Hat support for Spring Boot
  • Red Hat build of Node.js
  • Red Hat build of Thorntail
  • Red Hat build of Eclipse Vert.x
  • Red Hat build of OpenJDK
  • Red Hat build of Quarkus

Integration and Automation

  • Red Hat Integration
  • Red Hat Fuse
  • Red Hat AMQ
  • Red Hat 3scale API Management
  • Red Hat JBoss Data Virtualization
  • Red Hat Process Automation
  • Red Hat Process Automation Manager
  • Red Hat Decision Manager
All Products
Red Hat Product Errata RHSA-2018:1627 - Security Advisory
Issued:
2018-05-18
Updated:
2018-05-18

RHSA-2018:1627 - Security Advisory

  • Overview
  • Updated Packages

Synopsis

Moderate: Red Hat OpenStack Platform director security update

Type/Severity

Security Advisory: Moderate

Red Hat Insights patch analysis

Identify and remediate systems affected by this advisory.

View affected systems

Topic

An update is now available for Red Hat OpenStack Platform 11.0 (Ocata).

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

Red Hat OpenStack Platform director provides the facilities for deploying
and monitoring a private or public infrastructure-as-a-service (IaaS) cloud
based on Red Hat OpenStack Platform.

Security Fix(es):

  • A resource-permission flaw was found in the python-tripleo and openstack-tripleo-heat-templates packages where ceph.client.openstack.keyring is created as world-readable. A local attacker with access to the key could read or modify data on Ceph cluster pools for OpenStack as though the attacker were the OpenStack service, thus potentially reading or modifying data in an OpenStack Block Storage volume.

To exploit this flaw, the attacker must have local access to an overcloud node. However by default, access to overcloud nodes is restricted and accessible only from the management undercloud server on an internal network. (CVE-2017-12155)

This issue was discovered by Katuya Kawakami (NEC).

  • It was discovered that the memcached connections using UDP transport protocol can be abused for efficient traffic amplification distributed denial of service (DDoS) attacks. A remote attacker could send a malicious UDP request using a spoofed source IP address of a target system to memcached, causing it to send a significantly larger response to the target. (CVE-2018-1000115)

This update also includes the following bug fixes and enhancements:

  • Prior to this update, when removing the ceph-osd RPM from overcloud nodes that do not require the package, the corresponding Ceph OSD product key was not removed. Consequently, the subscription-manager would incorrectly report that the Ceph OSD product was still installed.

With this update, the script that handles removal of the ceph-osd RPM now also removes the Ceph OSD product key. Note: The script that removes the RPM and product key executes only during the overcloud update procedure; the product key is removed only when the overcloud node is updated.
As a result, after removing the ceph-osd RPM, the subscription-manager no longer reports the Ceph OSD product is installed. (BZ#1571436)

  • Previously, there were errors in the director Heat template that configures the VMAX Cinder backend driver. Consequently, the VMAX driver would not function correctly. With this update, the errors have been corrected, and the VMAX driver functions correctly. (BZ#1546799)
  • This enhancement adds director support for deploying the Dell EMC VMAX cinder backend. (BZ#1546793)
  • In this enhancement, if a minor update is blocked by an existing yum process that prevents the package update, the process should exit with an appropriate error message. This was added because the minor update may appear to freeze, due to yum waiting for the existing yum.pid to exit; when it eventually fails it is not immediately clear why. As a result, if there is an existing yum process preventing the package update, then the minor update fails with a clear message to indicate this: "ERROR existing yum.pid detected - can't continue! Please ensure there is no other package update process for the duration of the minor update worfklow. Exiting". (BZ#1471721)

Solution

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/11258

Affected Products

  • Red Hat OpenStack 11 x86_64

Fixes

  • BZ - 1445766 - Horizon is not reachable when Horizon service is running on a standalone role
  • BZ - 1471721 - 'openstack overcloud update ...' fails when yum is locked on an overcloud node
  • BZ - 1478274 - notification_format in nova.conf should be set to unversioned as there is no consumer for versioned
  • BZ - 1489360 - CVE-2017-12155 openstack-tripleo-heat-templates: Ceph client keyring is world-readable when deployed by director
  • BZ - 1518009 - os-collect-config doesn't start at boot on split stack deployments with pre-provisioned servers
  • BZ - 1524422 - OSP10 -> OSP11 upgrade: upgrade fails during 'Setup gnocchi db during upgrade' task because httpd is stopped and Keystone is unreacheable
  • BZ - 1546799 - Backport: Fix the dellemc vmax to use the correct hiera name
  • BZ - 1547089 - rhel-registration broken with: Failed to validate: resources.NodeExtraConfig: "conditions" is not a valid keyword inside a resource definition'
  • BZ - 1547956 - Undercloud / Overcloud Heat stack fails on: YAQL list index out of range (includes upgrades cases)
  • BZ - 1548345 - TLS Deployments don't work in Ocata with Pre-Provisioned Nodes
  • BZ - 1550167 - validation-scripts/all-nodes.sh wait time verification
  • BZ - 1551182 - CVE-2018-1000115 memcached: UDP server support allows spoofed traffic amplification DoS
  • BZ - 1552245 - [OSP11] horizon stanza in haproxy.cfg needs tweaking
  • BZ - 1567349 - Rebase openstack-tripleo-heat-templates to 9eafa84
  • BZ - 1567365 - Rebase puppet-tripleo to a2b0d92
  • BZ - 1571436 - "subscription-manager list" shows Ceph OSD after updating overcloud compute nodes
  • BZ - 1577957 - Attempting to Deploy RHOSP-11 with NetApp Driver Causes Failure in Overcloud Deploy

CVEs

  • CVE-2017-12155
  • CVE-2018-1000115

References

  • https://access.redhat.com/security/updates/classification/#moderate
Note: More recent versions of these packages may be available. Click a package name for more details.

Red Hat OpenStack 11

SRPM
openstack-tripleo-heat-templates-6.2.12-2.el7ost.src.rpm SHA-256: 14ce10098bcc2504c1cbd8a2ef10625034429a13904e2a6813c634818976e3d6
puppet-tripleo-6.5.10-3.el7ost.src.rpm SHA-256: dfd5c882e399b33fb6cc5fc4643763bb5b6fbd1ea90168e7d7445e5f95a42f54
x86_64
openstack-tripleo-heat-templates-6.2.12-2.el7ost.noarch.rpm SHA-256: 29ed22a795730de16c5f08563d1f2ad2ad48ef5ec0d11a0e78cab2c7b2bfa2ca
puppet-tripleo-6.5.10-3.el7ost.noarch.rpm SHA-256: 78c433017e79518dd1454dd5798b7e0209cb7fd1f45ce061f0e934668859d465

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.

Red Hat

Quick Links

  • Downloads
  • Subscriptions
  • Support Cases
  • Customer Service
  • Product Documentation

Help

  • Contact Us
  • Customer Portal FAQ
  • Log-in Assistance

Site Info

  • Trust Red Hat
  • Browser Support Policy
  • Accessibility
  • Awards and Recognition
  • Colophon

Related Sites

  • redhat.com
  • developers.redhat.com
  • connect.redhat.com
  • cloud.redhat.com

About

  • Red Hat Subscription Value
  • About Red Hat
  • Red Hat Jobs
Copyright © 2022 Red Hat, Inc.
  • Privacy Statement
  • Customer Portal Terms of Use
  • All Policies and Guidelines
Red Hat Summit
Twitter