RHSA-2018:2332 - Security Advisory

Topic

An update for openstack-nova is now available for Red Hat OpenStack
Platform 12.0 (Pike).

Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

Description

OpenStack Compute (nova) launches and schedules large networks of virtual
machines, creating a redundant and scalable cloud computing platform.
Compute provides the software, control panels, and APIs required to
orchestrate a cloud, including running virtual machine instances and
controlling access through users and projects.

The following packages have been upgraded to a later upstream version:
openstack-nova (16.1.4). (BZ#1591212)

Security Fix(es):

• openstack-nova: Swapping encrypted volumes can allow an attacker to corrupt the LUKS header causing a denial of service in the host (CVE-2017-18191)

For more details about the security issue(s), including the impact, a CVSS
score, and other related information, refer to the CVE page(s) listed in
the References section.

For more information about the bug fixes and enhancements included with this update, see the "Technical Notes" section of the Release Notes
linked in the References section.

Solution

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

https://access.redhat.com/articles/11258

Affected Products

• Red Hat OpenStack for IBM Power 12 ppc64le
• Red Hat OpenStack 12 x86_64

Fixes

• BZ - 1516271 - [RHOS-12.0.z] Add RPM deps to require install of qemu-kvm-rhev, not qemu-kvm-rhel
• BZ - 1537047 - Bug in log output in hardware.py "Not enough available memory to schedule instance" prints full memory instead of available memory
• BZ - 1539703 - By rebuilding twice with the same "forbidden" image one can circumvent scheduler rebuild restrictions
• BZ - 1546937 - CVE-2017-18191 openstack-nova: Swapping encrypted volumes can allow an attacker to corrupt the LUKS header causing a denial of service in the host
• BZ - 1547578 - Nova assumes that a volume is fully detached from the compute if the volume is not defined in the instance's libvirt definition
• BZ - 1556851 - Instance hard reboots fail due to a TimeoutException being thrown waiting for vif-plugged events from Neutron
• BZ - 1557938 - [BACKPORT Request] Nova returns a traceback when it's unable to detach a volume still in use
• BZ - 1558706 - [OSP 12] nova get-password returns blank line
• BZ - 1569955 - preallocate_images = space is not honoured when using qcow2
• BZ - 1570314 - When creating a stack with not enough resource, volumes remain in attaching
• BZ - 1572836 - nova-compute should log messages about stale resource allocations at warning priority
• BZ - 1573799 - Fix setting tx_queue_size when rx_queue_size is not set
• BZ - 1575985 - Duplicate imports of oslo_config types
• BZ - 1579785 - On split-stack setups, left over node information prevents a node from rejoin the cloud
• BZ - 1590514 - Rebase openstack-nova to aa7714c
• BZ - 1591212 - Rebase openstack-nova to 16.1.4
• BZ - 1591296 - [RHOS-12][rebase] Lift the restriction on choices for `cpu_model_extra_flags` config attribute

CVEs

• CVE-2017-18191

References

• https://access.redhat.com/security/updates/classification/#moderate
• https://access.redhat.com/documentation/en-us/red_hat_openstack_platform/12/html/release_notes/