- Issued: 2024-11-21
- Updated: 2024-11-21
RHSA-2024:9978 - Security Advisory
Synopsis
Moderate: RHOSP 17.1.4 (openstack-tripleo-heat-templates) security update
Type/Severity
Security Advisory: Moderate
Topic
An update for openstack-tripleo-heat-templates is now available for Red Hat
OpenStack Platform (RHOSP) 17.1 (Wallaby).
Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.
Description
Heat templates for TripleO
Security Fix(es):
- cleartext passwords exposed in logs (CVE-2024-4840)
For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page listed in the References section.
Solution
For details on how to apply this update, which includes the changes
described in this advisory, refer to:
Affected Products
- Red Hat OpenStack 17.1 for RHEL 9 x86_64
Fixes
- BZ - 2235206 - OSPDO 17.1 computeHCI + STF deployment fails on podman executable not found
- BZ - 2242069 - tripleo_firewall not removing legacy/old firewall rules
- BZ - 2243267 - [OSP17.1] FFU 16.2 to 17.1. Undercloud leapp upgrade fails because /usr/libexec/vdoprepareforlvm file missing
- BZ - 2247302 - Manage QEMU driver cgroups with systemd-machined
- BZ - 2249881 - Time consuming HC script
- BZ - 2252442 - Problem with networks definition in roles ComputeOvsDpdkSriov and ComputeOvsDpdkSriovRT
- BZ - 2255302 - Set cephfs_filesystem_name by heat templates
- BZ - 2264238 - After Upgrading the containers on the Compute nodes to RHEL 9.2 Instance are getting down during FFU from 16.2 to 17.2
- BZ - 2269219 - tripleo_iptables doesn't apply rules idempotently
- BZ - 2274355 - OpenStack commands to undercloud fail after CA certificate renewed
- BZ - 2275307 - Active instances are being shutoff after host reboot
- BZ - 2276136 - NovaIronic/nova-compute isn't starting on controller after upgrading to RHOSP17.1
- BZ - 2276592 - [OSP17.1] Deploying with IPv6 addresses ending with :: is not allowed. Need to add 0 at the end.
- BZ - 2276865 - Tracking BZ for tripleo_nftables backports
- BZ - 2278019 - Add tags to ceph version validation task during FFU
- BZ - 2279464 - Instance creation with vTPM fails after restarting nova_virtqemud due to SELinux permission issue
- BZ - 2279998 - Command for retrieving VIPs hosted on pacemaker nodes is broken
- BZ - 2280249 - CVE-2024-4840 rhosp-director: cleartext passwords exposed in logs
- BZ - 2284645 - FFU 16.2 to 17.1 Tried to pull novalibvirt image from cdn and failed
- BZ - 2290685 - during FFU to OSP 17.1 selinux turn on permissive at computes after their leapp upgrade step
- BZ - 2293048 - 17.1 minor update has control plane API outage
- BZ - 2293735 - Upgrade [FFU 16.2 to 17.1] fails on 6.2.3 with cephadm command not found.
- BZ - 2295402 - Failed to load /etc/firewalld/firewall.conf
- BZ - 2295757 - [FFU] After OVN controllers are upgraded we need to confirm that they are running properly before upgrading OVN control plane
- BZ - 2295948 - Undercloud upgrade failing on "migrate existing introspection data" task during upgrades 16.2 to 17.x
- BZ - 2302191 - {{role.name}}ExtraGroupVars is not merged strategy.
- BZ - 2303551 - [OVN+VLAN+DVR] Flooded packets testing e/w with different tenant networks
- BZ - 2304312 - collectd fails to start
- BZ - 2305981 - OSP16.2 to OSP17.1 upgrade breaks GRUB and makes it try to boot RHEL7
- BZ - 2306489 - During upgrade 16.2-17.1 overcloud_upgrade_prepare.sh fails pulling docker://k8s.gcr.io/pause:3.5
- BZ - 2307256 - [FFU] Ceph noout/norecover/etc flags are set during step 1, but were not unset at step-5
- BZ - 2307307 - [Regression] changes to the way mod_auth_oidc handles headers break federation
- BZ - 2310427 - [bug][RHOS17.1] Infra vlans not working when deploying a compute with its bond on a nic-partitioned vf
- BZ - 2311465 - FFU 16to17. System upgrade process is interrupted after undercloud reboot if OS was created from default RHEL 8.4 image
- BZ - 2313372 - neutron control plane outage during 17.1 minor update
- BZ - 2313502 - FFU - 16.2 -->17.1 os undercloud upgrade failed due to "Unsupported parameters for (dnf) module"
- BZ - 2314658 - Task "Block OUTPUT SYN packets to this node on other haproxy nodes" fails during 17.1 minor update
- BZ - 2316083 - Missing fw rule for pcsd breaks composable ha and instanceha deployments
- BZ - 2320400 - [FFU 16.2 to 17.1] overcloud upgrade fail at "Loop on OVN_Southbound cluster for leader election"
CVEs
Red Hat OpenStack 17.1 for RHEL 9
SRPM | |
---|---|
openstack-tripleo-heat-templates-14.3.1-17.1.20240919130756.el9ost.src.rpm | SHA-256: 3af875aad80c9a942e771cd54853791c6ab3749b55922b43fa001c290273d01c |
x86_64 | |
openstack-tripleo-heat-templates-14.3.1-17.1.20240919130756.el9ost.noarch.rpm | SHA-256: 7052b69f7467099e30175b8b60f75bc311abda3f1071f921ff982eb3de7518d6 |
The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.