08 April 2015
Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2015.0887 Important: Red Hat Enterprise Linux OpenStack Platform Installer update 8 April 2015 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: OpenStack Platform Installer Publisher: Red Hat Operating System: Red Hat Linux variants Impact/Access: Root Compromise -- Remote/Unauthenticated Resolution: Patch/Upgrade CVE Names: CVE-2015-1842 Original Bulletin: https://rhn.redhat.com/errata/RHSA-2015-0791.html Comment: This advisory references vulnerabilities in products which run on platforms other than Red Hat. It is recommended that administrators running OpenStack Platform Installer check for an updated version of the software for their operating system. - --------------------------BEGIN INCLUDED TEXT-------------------- - -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ===================================================================== Red Hat Security Advisory Synopsis: Important: Red Hat Enterprise Linux OpenStack Platform Installer update Advisory ID: RHSA-2015:0791-01 Product: Red Hat Enterprise Linux OpenStack Platform Advisory URL: https://rhn.redhat.com/errata/RHSA-2015-0791.html Issue date: 2015-04-07 CVE Names: CVE-2015-1842 ===================================================================== 1. Summary: Updated Red Hat Enterprise Linux OpenStack Platform Installer packages that fix one security issue and several bugs are now available for Red Hat Enterprise Linux OpenStack Platform 6.0. Red Hat Product Security has rated this update as having Important security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. 2. Relevant releases/architectures: OpenStack 6 Installer for RHEL 7 - noarch 3. Description: Red Hat Enterprise OpenStack Platform Installer is a deployment management tool. It provides a web user interface for managing the installation and configuration of remote systems. Deployment of changes is performed using Puppet. Additionally, Dynamic Host Configuration Protocol (DHCP), Domain Name System (DNS), Preboot Execution Environment (PXE), and Trivial File Transfer Protocol (TFTP) services can be provided. Controlling these services also enables provisioning of physical systems that do not yet have an operating system installed. It was discovered that the puppet manifests, as provided with the openstack-puppet-modules package, would configure the pcsd daemon with a known default password. If this password was not changed and an attacker was able to gain access to pcsd, they could potentially run shell commands as root. (CVE-2015-1842) Note: This flaw only affects Red Hat Enterprise Linux OpenStack Platform installations deployed using the HA feature set. For additional information on addressing this flaw see: https://access.redhat.com/articles/1396123 This issue was discovered by Alessandro Vozza of Red Hat. In addition to the above issue, this update also addresses multiple bugs which are documented in the Red Hat Enterprise Linux OpenStack Platform Technical Notes, linked to in the References section. All Red Hat Enterprise Linux OpenStack Platform Installer users are advised to upgrade to these updated packages, which correct these issues. 4. Solution: Before applying this update, make sure all previously released errata relevant to your system have been applied. For details on how to apply this update, refer to: https://access.redhat.com/articles/11258 5. Bugs fixed (https://bugzilla.redhat.com/): 1131584 - If fd0 is in /proc/partitions in the provisioned nodes installation fails with "Specified nonexistent disk fd0 in partition command" 1179892 - Could not retrieve catalog from remote server: Error 400 on SERVER: undefined method `to_a' for "eqlx1":String at /etc/puppet/environments/production/modules/quickstack/manifests/cinder_volume.pp:179 1187815 - Add an indicator to Assigned Hosts table to show when networks have been configured 1188602 - Can't change the IP in interfaces of hosts assigned to an OSP deployment if the interfaces are a bond device 1189921 - [HA] start/stop ordering constraint are not correct and can cause cluster to fail on shutdown 1190185 - OFI not reliably setting IP for tenant bridge when using tunnels 1191519 - Need to increase the value of max_connections in Galera to avoid disconnections 1192513 - Ceilometer not installed correctly via installer 1192862 - Glance fails to start after RHEL-OSP6 install with Ceph backend (missing known_stores) 1192864 - Ceph public network is evaluated to be the Provisioning/PXE network 1193582 - [Neutron][Staypuft] Single Controller fails to create router 1194269 - Deployment will stop on systems which boots/shutdowns quickly and foreman-proxy is terminated before buffer is flushed. 1196310 - Include rhel-ha-for-rhel-7-server-rpms channel for HA deployments 1198032 - VRRP_Instance are on MASTER STATE on all controllers. 1199266 - OSP compute nodes should not rely on ceph command 1199827 - RHEL-OSP-Installer should disable all repos before activating the right ones 1201363 - Changes in fencing require OFI changes 1201875 - CVE-2015-1842 openstack-puppet-modules: pacemaker configured with default password 1202464 - rubygem-staypuft: During deployment -error in reports: Execution of '/usr/bin/systemctl start openstack-nova-compute' returned 1: Job for openstack-nova-compute.service failed 1204483 - HA | Duplicate entry exception for vxlan-allocation cause to neutron-server fail to start. VXLAN. 1204647 - Download of glance image fails because of wrong glance_store option. 1207284 - l2pop and l3-ha should never be turned on together 6. Package List: OpenStack 6 Installer for RHEL 7: Source: foreman-discovery-image-7.0-20150227.0.el7ost.src.rpm foreman-proxy-22.214.171.124-6.el7ost.src.rpm openstack-foreman-installer-3.0.22-1.el7ost.src.rpm openstack-puppet-modules-2014.2.13-2.el7ost.src.rpm rhel-osp-installer-0.5.7-1.el7ost.src.rpm ruby193-rubygem-staypuft-0.5.22-1.el7ost.src.rpm noarch: foreman-discovery-image-7.0-20150227.0.el7ost.noarch.rpm foreman-proxy-126.96.36.199-6.el7ost.noarch.rpm openstack-foreman-installer-3.0.22-1.el7ost.noarch.rpm openstack-puppet-modules-2014.2.13-2.el7ost.noarch.rpm rhel-osp-installer-0.5.7-1.el7ost.noarch.rpm rhel-osp-installer-client-0.5.7-1.el7ost.noarch.rpm ruby193-rubygem-staypuft-0.5.22-1.el7ost.noarch.rpm ruby193-rubygem-staypuft-doc-0.5.22-1.el7ost.noarch.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/ 7. References: https://access.redhat.com/security/cve/CVE-2015-1842 https://access.redhat.com/security/updates/classification/#important https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux_OpenStack_Platform/6/html/Technical_Notes/index.html https://access.redhat.com/articles/1396123 8. Contact: The Red Hat security contact is <firstname.lastname@example.org>. More contact details at https://access.redhat.com/security/team/contact/ Copyright 2015 Red Hat, Inc. - -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iD8DBQFVJHgvXlSAg2UNWIIRAmjiAJ9mRPeObffyQfqpnNijZ5sMTRZ8qACgqGNk lFuldaWjVK6ld2aZ537/+DU= =AvXo - -----END PGP SIGNATURE----- - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to email@example.com and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: http://www.auscert.org.au/render.html?cid=1980 =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: firstname.lastname@example.org Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: http://www.auscert.org.au/render.html?it=1967 iQIVAwUBVSSTKxLndAQH1ShLAQKqCw//eR4AmeJ7HjkKb6tTEUYUYswNYptQdRoY NIkbCaTYFzjA+gwsgsi6NQqcSA60sgHbND6ykb3JXtesKgYov48gziOl15046D18 s9taem01ihVN24uUb5LxK6DiDrvRYRBFyF80Y6qx+4RnxvJkNUMnSFwVOGKqNy8A bXpbw0m3KABao9j7KNV5tw5w7aOrgo8GPR0mOH2TH1CQc0pm+yjyaH9pXyYFdQFi jj+BEKVEauDP777JAgdvCQb/BWZElvIfTwEXw20Ikywl0eLsjbtmx0FVAUcA1ehs upWAZmua4CtqL/xo4TwmbdJ5qcjl41lZ+dYG/8FIwPF/27YIs/74RduhyKymZ8WW FA6KaYvjjIM4O691xhHdP10iTut8pAbfVQWsJEibLC+tMHWtC0ESf8g9OxrwpaYD ULlXyKkaRYZw4UDciwttGPGAbIDhmDjrjxb00Y1fEDZqmk+N5j6jKbHNGE8sgiWr jmriCd5LgRDqBlCPH9QpgGNErsmxhdxLtBM4OFAqcwStMeSXLaD40/78ZWCylZHh RXbJbOnom2NqSuAr7YkJX2l0iWOxnmAZ119XKQ6gftPx6SZtnmd73/4S798tp7fA sfk0u24zVFBAiy1lQ+jnapahOoo7Uv8LpmbQwjFs2op6ktFKXfGW8Rus3TQ7O7mf f11QMsS+rFU= =ri8G -----END PGP SIGNATURE-----