RHSA-2022:0999 - Security Advisory

Topic

An update for openstack-nova is now available for Red Hat OpenStack
Platform 16.2 (Train).

Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

Description

OpenStack Compute (codename Nova) is open source software designed
to provision and manage large networks of virtual machines,creating a
redundant and scalable cloud computing platform. It gives you the software,
control panels, and APIs required to orchestrate a cloud, including running
instances, managing networks, and controlling access through users and
projects.OpenStack Compute strives to be both hardware and hypervisor
agnostic, currently supporting a variety of standard hardware
configurations and seven major hypervisors.

Security Fix(es):

• novnc allows open redirection (CVE-2021-3654)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page listed in the References section.

Bug Fix(es):

• Red Hat OpenStack Platform (RHOSP) does not support the use of a fully qualified domain name (FQDN) as the instance display name in a boot server request. The instance display name is passed from the boot server request to the `instance.hostname` field. Some customers use this unsupported naming in their workflows.

A recent update [1] now sanitizes the `instance.hostname` field. The sanitization steps include replacing periods with dashes, a replacement that makes it impossible to continue using the unsupported FQDN instance display names.

This update provides a temporary workaround for customers who use a fully qualified domain name (FQDN) as the instance display name in a boot server request. It limits the scope of the sanitization to cases where the instance display name ends with a period followed by one or more numeric digits.

If you use FQDN as the instance display name in a boot server request, modify your workflow before upgrading to RHOSP 17. (BZ#2036652)

Solution

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

https://access.redhat.com/articles/11258

Affected Products

• Red Hat OpenStack for IBM Power 16.2 ppc64le
• Red Hat OpenStack 16.2 x86_64

Fixes

• BZ - 1729485 - [OSP16.2] "Invalid PCI devices Whitelist config error" configuring passthrough_whitelist with new 40Gb NICs due domain in PCI address is greater than FFFF
• BZ - 1908405 - Nova is out of sync with ironic as hypervisor list in nova does not agree with ironic list after reboot of the nodes
• BZ - 1915096 - [OSP16.2] NUMA instance spawn fails on get_best_cpu_topology when there is no 'threads' preference
• BZ - 1961439 - CVE-2021-3654 openstack-nova: novnc allows open redirection
• BZ - 1968735 - [OSP16.2][neutron]http_retries config option value not being used for calls to the port binding API
• BZ - 1972706 - [OSP 16.2] After host reboot VM goes to error state due to nova-compute EmptyCatalog error
• BZ - 1987225 - Compute service DOWN after FFU from RHOSP13 to 16.1 because service version is still 30.
• BZ - 1992863 - [OSP 16.2] Avoid duplicate BDMs during reserve_block_device_name
• BZ - 1998556 - [OSP 16.2] Attempting to start or hard reboot a users instance as an admin with encrypted rbd volumes leaves the instance unbootable
• BZ - 1999583 - [OSP 16.2] Provide a workaround option and/or nova-manage command to force the refresh of connection_info during a hard reboot
• BZ - 2036652 - [HOTFIX] [OSP 16.2] - option for disabling FIX on instance name sanity check
• BZ - 2036690 - If an upper case mac address is used in a heat template, live migration won't work in nova

CVEs

• CVE-2021-3654

References

• https://access.redhat.com/security/updates/classification/#moderate