RHSA-2018:2102 - Security Advisory

Topic

An update is now available for Red Hat OpenStack Platform 10.0 (Newton) for RHEL 7.

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

Red Hat OpenStack Platform provides the facilities for building, deploying
and monitoring a private or public infrastructure-as-a-service (IaaS) cloud
running on commonly available physical hardware.

Security Fix(es):

• dpdk: Information exposure in unchecked guest physical to host virtual address translations (CVE-2018-1059)

For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.

The CVE-2018-1059 issue was discovered by Maxime Coquelin (Red Hat).

Solution

Before applying this update, ensure all previously released errata relevant
to your system have been applied.

Red Hat OpenStack Platform 10 runs on Red Hat Enterprise Linux 7.4.

The Red Hat OpenStack Platform 10 Release Notes contain the following:

• An explanation of the way in which the provided components interact to

form a working cloud computing environment.

• Technology Previews, Recommended Practices, and Known Issues.
• The channels required for Red Hat OpenStack Platform 10, including which

channels need to be enabled and disabled.

The Release Notes are available at:
https://access.redhat.com/documentation/en/red-hat-openstack-platform/10/paged/release-notes

This update is available through 'yum update' on systems registered through
Red Hat Subscription Manager. For more information about Red Hat
Subscription Manager, see:

https://access.redhat.com/documentation/en-US/Red_Hat_Subscription_Management/1/html/RHSM/index.html

Affected Products

• Red Hat OpenStack 10 x86_64

Fixes

• BZ - 1540017 - ovs-vswitchd systemd process timesout in environments with large (200G) hugepages
• BZ - 1540158 - RHOS10.z OVS 1802 update
• BZ - 1540164 - RHOS10.z 1802 Rebase OVS with branch-2.6
• BZ - 1540175 - RHOS10.z 1802 Rebase DPDK with LTS branch
• BZ - 1542107 - Live migration fails on OSPd10 DPDK env because of selinux denied
• BZ - 1544298 - CVE-2018-1059 dpdk: Information exposure in unchecked guest physical to host virtual address translations
• BZ - 1546198 - [RFE] ovs-stats metrics list to add to collectd
• BZ - 1549893 - Issue with pCPUs for PMDs not running 100% in user space, but a relatively high amount of time in kernel space
• BZ - 1550124 - "upcall_cb failure: ukey installation fails" message in OVS DPDK
• BZ - 1550398 - failed to start vhost interface after updating ovs to 2.9 in osp10
• BZ - 1551682 - ovs-vswitchd segfaults after any instance is spawned on numa 1 socket
• BZ - 1553812 - Update openvswitch 2.6 to use stable DPDK 16.11.5
• BZ - 1556662 - vhostuser interface link is down sometimes unexpectedly
• BZ - 1561939 - Backport from master OVS for "LACP: check active partner sys id"
• BZ - 1572510 - OSP10: Support for dpdkvhostuserclient mode
• BZ - 1579905 - Update OSP10 to OVS 2.9 -19 Fast Datapath build 18.04
• BZ - 1583750 - openvswitch-2.9.0-19.el7fdp installs /var/log/openvswitch with permissions 0755 [openstack-10]

CVEs

• CVE-2018-1059

References

• https://access.redhat.com/security/updates/classification/#moderate