RHSA-2022:0995 - Security Advisory

Topic

An update for openstack-tripleo-heat-templates is now available for Red Hat
OpenStack Platform 16.2 (Train).

Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

Description

Heat templates for TripleO

Security Fix(es):

• Data leak of internal URL through keystone_authtoken (CVE-2021-4180)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page listed in the References section.

Solution

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

https://access.redhat.com/articles/11258

Affected Products

• Red Hat OpenStack for IBM Power 16.2 ppc64le
• Red Hat OpenStack 16.2 x86_64

Fixes

• BZ - 1855678 - Configure Ceph Messenger for encryption OTW
• BZ - 1869587 - Octavia and LB issues after OSP13z11 and OSP16.x upgrade
• BZ - 1886762 - [RFE] support NFS mount at the conversion directory
• BZ - 1921112 - [OSP13->OSP16.2] nova-consoleauth still present in cli after upgrade.
• BZ - 1949673 - [RHOSP16.2] [rsyslog] Miss configuration generated in 50_openstack_logs.conf
• BZ - 1949675 - [RHOSP16.2] [rsyslog] rsyslog containers does not forward logs to elasticsearch
• BZ - 1955562 - Backup and Restore: Backup openstack client integration - openstack backup using bad nfs server address is not erroring out
• BZ - 1962304 - cinder volume at DCN unable to read central cephx keyring
• BZ - 1965233 - [FFU 13 -> 16.x] xinetd is running after upgrade, blocking swift_rsync container
• BZ - 1969411 - [RFE]: allow for the deployment of RHCS dashboard on any composable network
• BZ - 1975271 - Minor update does not restart ha resource when it is in failed stated
• BZ - 1976055 - Configuration of Memcached TLS requires the user to duplicate configuration entries
• BZ - 1978228 - [OSP13->OSP16.2] Leapp upgrade failed with TLSEverywhere
• BZ - 1980542 - [16.2] LC_CTYPE: cannot change locale (C.UTF-8) during OC upgrade 13 to 16.2 seems to fail upgrade
• BZ - 1983748 - NeutronL3AgentAvailabilityZone does not set specified value for Availability zone of Neutron L3 agent
• BZ - 1984555 - [RHOSP16.2] Smart plugin doesn't work for CAP_SYS_RAWIO capability missing.
• BZ - 1984875 - [OSP13->16.2] the leapp persistentnetnamesdisable actor should be removed so that a reboot can be avoided
• BZ - 1992506 - [RHOSP16.2] dpdk ovs vhost postcopy requires to start ovs with --mlockall=no
• BZ - 1999324 - NovaLiveMigrationPermitAutoConverge should default to true to match NovaLiveMigrationPermitPostCopy
• BZ - 1999725 - [RFE] Allow for the deployment of Ganesha on the overcloud "external" network
• BZ - 2000582 - ceph ssl radosgw port is closed for tempest (undercloud node)
• BZ - 2002346 - [OSP-16.2] [Upgrades][TripleO] Revert of the TSX change in tripleoclient
• BZ - 2003176 - [OSP16.2] ovn-dbs pacemaker update_tasks can race with pacemaker update_tasks
• BZ - 2005086 - Unable to disable gateway validation on deployment
• BZ - 2005680 - Cinder __DEFAULT__ volume type is installed but *tripleo* volume type is the real default
• BZ - 2008418 - Stack reconfiguration failed because ha-proxy container crashed during reconfiguration
• BZ - 2009422 - Deployment failing due to "Create /etc/openstack directory if it does not exist" task
• BZ - 2010114 - Openstack ceilometer archival policy is not taking effect
• BZ - 2010703 - rhosp-release package is removed during upgrade from all nodes
• BZ - 2010940 - ceph-nfs not coming up after the FFU
• BZ - 2013913 - Minion should be configured with same default tuning as Undercloud for atleast heat & ironic
• BZ - 2014758 - There's a typo in MySQLInodbBufferPoolSize as it should be MySQLInnodbBufferPoolSize
• BZ - 2021575 - [16.2] openstack overcloud upgrade run times out / HAProxy container fails to start
• BZ - 2022234 - Parameter 'ValidateGatewaysIcmp:false' is not working in OSP16.2
• BZ - 2022691 - [OSP16.2] qemu logs are not accessible on the host
• BZ - 2026290 - Some log files are not collected/relayed by rsyslog to remote log server
• BZ - 2027787 - Undercloud upgrade to 16.2 fails because of missing dependencies of swtpm
• BZ - 2030409 - [OSP16.2] Memcached if off for Heat, Keystone and Nova since caching backend is dogpile.cache.null
• BZ - 2031110 - Long t-h-t role name causes OVNMacAddressPort tag to exceed the neutron tag length limit
• BZ - 2032010 - [OSP16.2.0] neutron-dhcp-agent causes oom issues on controllers
• BZ - 2034189 - Validation if NTP/Chrony is configured during at initial stage of deployment procedure
• BZ - 2034730 - Horizon log not collected/relayed by rsyslog to remote log server
• BZ - 2035793 - CVE-2021-4180 openstack-tripleo-heat-templates: data leak of internal URL through keystone_authtoken
• BZ - 2037940 - [OVN] Enable ovn-monitor-all to help with OVN scale
• BZ - 2038897 - [RHOSP16.2] [DCN] [STF] metrics_qdr containers failed to start with bind address error
• BZ - 2046185 - From time to time memcached stops processing requests and brings down OpenStack control plane
• BZ - 2046211 - [OSP13->OSP16.2] Leapp actors directory change impacting in the upgrade
• BZ - 2050154 - [update] 16.1->16.2 experience a connectivity cut (ping loss) to FIP during update of the controllers.

CVEs

• CVE-2021-4180

References

• https://access.redhat.com/security/updates/classification/#moderate