Red Hat Product Errata RHSA-2018:2715 - Security Advisory

Issued:: 2018-09-17
Updated:: 2018-09-17

RHSA-2018:2715 - Security Advisory

Overview
Updated Packages

Synopsis

Moderate: openstack-neutron security and bug fix update

Type/Severity

Security Advisory: Moderate

Topic

An update for openstack-neutron is now available for Red Hat OpenStack Platform 10.0 (Newton).

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

OpenStack Networking (neutron) is a pluggable, scalable, and API-driven system that provisions networking services to virtual machines. Its main function is to manage connectivity to and from virtual machines.

Security Fix(es):

openstack-neutron: A router interface out of subnet IP range results in a denial of service (CVE-2018-14635)

For more details about the security issue, including the impact, a CVSS score, and other related information, refer to the CVE page listed in the References section.

Bug Fix(es):

A new configuration option bridge_mac_table_size has been added for the neutron OVS agent. This value is set on every Open vSwitch bridge managed by the openvswitch-neutron-agent. The value controls the maximum number of MAC addresses that can be learned on a bridge. The default value for this new option is 50,000, which should be enough for most systems. Values outside a reasonable range (10 to 1,000,000) might be overridden by Open vSwitch. (BZ#1589031)
Previously, when a VM was destroyed, the IPv6 lease was not removed from dnsmasq lease files due to a missing dhcp_release6 binary.

With this update, the dhcp_release6 binary is now provided in an updated dnsmasq-utils package version. (BZ#1545006)

Solution

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/11258

Affected Products

Red Hat OpenStack 10 x86_64

Fixes

BZ - 1404709 - Neutron L3 Agent: AZLeastRoutersScheduler scheduler bug
BZ - 1511394 - FlushError on IPAllocations when multiple subnets in the same network deleted
BZ - 1532280 - ovs-vswitchd service hangs with Error too many open files
BZ - 1545006 - openstack-neutron DHCP agent requires dnsmasq-utils 2.76
BZ - 1561907 - test_sriov is failing on OSP10
BZ - 1570908 - Cannot set --no-share on shared network that has floating_ip, gateway AND a tenant port
BZ - 1575356 - [CI] Issue with addCleanup method causing scenario tests to fail
BZ - 1576256 - neutron-openvswitch-agent cleans up stale flows months after they were created but it does not recreated correct flows and bridge configuration
BZ - 1578414 - Sometimes dhcp_release packet isn't reaching dnsmasq process because it's being reloaded
BZ - 1579400 - Neutron agents attach untagged ports to br-int, which will be trunk port if neutron-openvswitch-agent never handles them
BZ - 1584845 - Packet loss during standby L3 agent restart
BZ - 1589031 - The mac table size of neutron bridges (br-tun, br-int, br-*) is too small by default and eventually makes openvswitch explode
BZ - 1607822 - CVE-2018-14635 openstack-neutron: A router interface out of subnet IP range results in a denial of service

CVEs

CVE-2018-14635

References

https://access.redhat.com/security/updates/classification/#moderate

Note: More recent versions of these packages may be available. Click a package name for more details.

Red Hat OpenStack 10

SRPM
openstack-neutron-9.4.1-28.el7ost.src.rpm	SHA-256: 776e4b913fa895779d6bf1a0b7f16ee1ab65a3927b0cee86b365344f7d0af644
x86_64
openstack-neutron-9.4.1-28.el7ost.noarch.rpm	SHA-256: b10d551ee63139130f0924d1d3bb1ffdf849bdce0726e2295cfba5e6d8ed9f47
openstack-neutron-common-9.4.1-28.el7ost.noarch.rpm	SHA-256: 49af60305354f8ddf6c861b9bb92ff3ed0a428ee9abab9b5679f65e528d63755
openstack-neutron-linuxbridge-9.4.1-28.el7ost.noarch.rpm	SHA-256: 60992bc3c5cd3583e15e5a17a8a686ff32c6719b9536b18009cfaccda72ffc2e
openstack-neutron-macvtap-agent-9.4.1-28.el7ost.noarch.rpm	SHA-256: c6d6d25175234ab83ecfe6389638901a4c3e897c50072fd6683c3c54aa9d31d5
openstack-neutron-metering-agent-9.4.1-28.el7ost.noarch.rpm	SHA-256: 4ce6cf71deb9746406d99400cfd8c3ce3e9bdc7a4dd7a6e1722fc4b5cb26d421
openstack-neutron-ml2-9.4.1-28.el7ost.noarch.rpm	SHA-256: eb7a463c8cbf569fb4ae677faf098e2d791c1f7e69ea5e9f7615276281e35de9
openstack-neutron-openvswitch-9.4.1-28.el7ost.noarch.rpm	SHA-256: 5419376f37836b3d7296a1a3487c3b1351f7aa9bfbb880c29e1ffc80a38188fc
openstack-neutron-rpc-server-9.4.1-28.el7ost.noarch.rpm	SHA-256: aff2fea552ed43ded40bbbdf744ebdbd2e06308a37f56c8a23c7b89ff05ee6ba
openstack-neutron-sriov-nic-agent-9.4.1-28.el7ost.noarch.rpm	SHA-256: 04e08d8c357d3314e109703f0bd0d7b3326896f60cfe682d058e02eacc275c88
python-neutron-9.4.1-28.el7ost.noarch.rpm	SHA-256: bddd5190390a404de06d0e8f1254454bac1bb8e2e140c77cf66a51f7b0c5c40b
python-neutron-tests-9.4.1-28.el7ost.noarch.rpm	SHA-256: 282c8a3037b7bf94d7a8ee02ca72bcb21bb1d5dc55962c0c1c25efbe7d057e46

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.

Log in to Your Red Hat Account

Red Hat Account

Customer Portal

Select Your Language

Infrastructure and Management

Cloud Computing

Storage

JBoss Development and Management

JBoss Integration and Automation

Mobile

Services

Tools

Red Hat Product Security Center

Security Updates

Resources

Customer Portal Community

Customer Events

Stories