Operating System:

[LINUX][RedHat]

Published:

08 April 2015

Protect yourself against future threats.

//Service

Incident Management

Whether it is proactive or reactive services you're after, we will help you detect, interpret and respond to attacks from across the globe.

Read more
Resources > Security Bulletins > ESB-2015.0891 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2015.0891
        Important: openstack-packstack and openstack-puppet-modules
                        security and bug fix update
                               8 April 2015

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           openstack-packstack
                   openstack-puppet-modules
Publisher:         Red Hat
Operating System:  Red Hat
                   Linux variants
Impact/Access:     Root Compromise -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2015-1842  

Reference:         ESB-2015.0887

Original Bulletin: 
   https://rhn.redhat.com/errata/RHSA-2015-0789.html

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: openstack-packstack and openstack-puppet-modules security and bug fix update
Advisory ID:       RHSA-2015:0789-01
Product:           Red Hat Enterprise Linux OpenStack Platform
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2015-0789.html
Issue date:        2015-04-07
CVE Names:         CVE-2015-1842 
=====================================================================

1. Summary:

Updated openstack-packstack and openstack-puppet-modules packages that fix
one security issue and several bugs are now available for Red Hat
Enterprise Linux OpenStack Platform 6.0.

Red Hat Product Security has rated this update as having Important security
impact. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available from the CVE link in the
References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux OpenStack Platform 6.0 for RHEL 7 - noarch

3. Description:

PackStack is a command-line utility for deploying OpenStack on existing
servers over an SSH connection. Deployment options are provided either
interactively, using the command line, or non-interactively by means of a
text file containing a set of preconfigured values for OpenStack
parameters. PackStack is suitable for proof-of-concept installations.
PackStack is suitable for deploying proof-of-concept installations.

It was discovered that the puppet manifests, as provided with the
openstack-puppet-modules package, would configure the pcsd daemon with a
known default password. If this password was not changed and an attacker
was able to gain access to pcsd, they could potentially run shell commands
as root. (CVE-2015-1842)

This issue was discovered by Alessandro Vozza of Red Hat.

This update also fixes the following bugs:

* If OpenStack Networking is enabled, Packstack would display a warning if
the Network Manager service is active on hosts. (BZ#1117277)

* A quiet dependency on a newer version of selinux-policy causes
openstack-selinux 0.6.23 to fail to install modules when paired with
selinux-policy packages from Red Hat Enterprise Linux 7.0 or 7.0.z.
This causes Identity and other OpenStack services to receive 'AVC' denials
and malfunction under some circumstances. The following workarounds allow
the OpenStack services to function correctly:

1) Leave openstack-selinux at 0.6.18-2.el7ost until you are ready to update
to Red Hat Enterprise Linux 7.1. At that time, a 'yum update' will resolve
the issue.

2) Install the updated selinux-policy and selinux-policy-targeted packages
from Red Hat Enterprise Linux 7.1 (version selinux-policy-3.13.1-23.el7 or
later), then update openstack-selinux to version 0.6.23-1.el7ost.
(BZ#1195252)

* A typo in the code caused a Sahara option that uses OpenStack Networking
to be always false. Sahara now uses OpenStack Networking if the parameter
'CONFIG_NEUTRON_INSTALL is set to 'y'. (BZ#1199047)

* Prior to this update, users had to install the OpenStack Unified Client
separately after an installation of Packstack. Packstack now installs it by
default. (BZ#1199114)

* This enhancement updates Packstack to retain temporary directories when
running an installation in debug mode. This assists with troubleshooting
activities. As a result, temporary directories are not deleted when running
Packstack with the --debug command line option. (BZ#1199565)

* Prior to this update, some validators did not use 'validate_not_empty' to
ensure that certain parameters contained values. As a result, a number of
internal validations could not be properly handled, leading to the
possibility of unexpected errors. This update fixes validators to use
validate_not_empty when required, resulting in correct validation behavior
from validators. (BZ#11995889)

In addition to the above issues, this update also addresses bugs and
enhancements which can be found in the Red Hat Enterprise Linux OpenStack
Platform Technical Notes, linked to in the References section.

All openstack-packstack and openstack-puppet-modules users are advised to
upgrade to these updated packages, which correct these issues.

4. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1117277 - Test Packstack/RHEL OSP on RHEL 7 nodes where Network Manager is NOT disabled
1123117 - Deploy Keystone in Apache httpd
1171744 - Configure TCP keepalive setting via puppet-rabbitmq
1172305 - [RFE] Support Keystone read-only LDAP configuration with domain-specific identity backends
1173930 - Horizon help url in RHEL-OSP6 points to the RHEL-OSP5 documentation
1187343 - Packstack does not install Ironic with CONFIG_IRONIC_INSTALL flag set to "y"
1187706 - problems with puppet-keystone LDAP support
1193889 - puppet restart neutron server every 30 minutes on evironments deployed by staypuft
1195252 - [keystone] - selinux denial
1195258 - Packstack doesn't set firewall so vxlan traffic can be received in multinode setup
1199047 - The value of use_neutron is set to false (instead of true) when neutron is used.
1199072 - packstack does not set ironic password
1199076 - glance_image provider doesn't respect custom region name
1199085 - RHOS backport RDO fix for packstack error: Error: sysctl -p /etc/sysctl.conf returned 255 instead of one of
1199114 - add openstack unified client
1199423 - Use flake8 and hacking instead of pep8 for Python syntax checks
1199427 - Cherrypick documentation fixes from RDO
1199519 - Packstack install AMQP with SSL, fails to start rabbitmq service
1199547 - Install rhos-log-collector only on RHEL systems
1199549 - Backport packstack RDO fixes for rebased modules
1199562 - RFE: Allow command-line options with --gen-answer-file
1199565 - Do not delete temporary directories after a failed installation in debug mode
1199589 - Cherry pick internal Packstack enhancements from RDO
1199677 - Update OSP OPM to the latest RDO package
1201875 - CVE-2015-1842 openstack-puppet-modules: pacemaker configured with default password
1202107 - packstack --help throws a traceback at the end of the output
1204482 - nova-novncproxy fails with ValidationError: Origin header protocol does not match this host

6. Package List:

Red Hat Enterprise Linux OpenStack Platform 6.0 for RHEL 7:

Source:
openstack-packstack-2014.2-0.20.dev1467.g70c9655.el7ost.src.rpm
openstack-puppet-modules-2014.2.13-2.el7ost.src.rpm

noarch:
openstack-packstack-2014.2-0.20.dev1467.g70c9655.el7ost.noarch.rpm
openstack-packstack-doc-2014.2-0.20.dev1467.g70c9655.el7ost.noarch.rpm
openstack-packstack-puppet-2014.2-0.20.dev1467.g70c9655.el7ost.noarch.rpm
openstack-puppet-modules-2014.2.13-2.el7ost.noarch.rpm

These packages are GPG signed by Red Hat for security.  Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2015-1842
https://access.redhat.com/security/updates/classification/#important
https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux_OpenStack_Platform/6/html/Technical_Notes/index.html

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2015 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iD8DBQFVJIwIXlSAg2UNWIIRAsCcAJwJJgMiSeZR4LcGJojRRw3ZPGQGzACgngwB
Pv0MBb8SUgDiiKc/3zJ1Uo4=
=bo/b
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBVSSkSRLndAQH1ShLAQIlWg/8CIL94LCvgzCifeeiWqQIcUlVw8TS3iFR
XjhPM2IAtZPJIAEullmS57XHaPKfY/SUKDv6DNbmkYQ8wHqWCSBmJFZtNhBFelC0
kZsk+8WUFgoOArRRt5ja+28Voj0ann1XSbL82fudDraFJg10wCymHUKQievVGtRF
wTXXL5TOZui3bxV3XxYcw0N3qqcjnFabGiIOIBkcETZX77l4ayHuVLdB/zthq1uF
OXWGqZ7zGPDoJ943gGhCGU52MLkwAHraJhwh41Os8qz5N06wkEZWyX6tKBkNIk6Z
xfU+G4Sg+zYaH7Wvb6XKImeuoyLUiJtdeLl4ICwanwzyGGlrcIFqvNMLMVVW3cN2
7Jv7dQPoVd5gLqpMwse5hnNYmZKXLtr+/qOiS2b9cy0oCF58IlEF3/mKSNyZkfwy
i/PBkSoQlWBCmJPdYrq+cxckYn09t1gQ1NiRhW0cn5zVfEacpErlYEoyBdYFuGga
IUyj6OEqDbr+4MWA1D0dttD7igd4i3Q1z5aY2lXxPy/xUI3ANjCaunMAlA2jGLuz
nGpuyLoAI1rMpLNnh7oAAMN+BmIXT65OFn3CXpto7PXqz++q+A8eHHXhaK6DVl0+
cQjbkDAj06UyBBC6o/uMqV7Kzs9tmxdSMyeAgzlT/K9WIChgUn+zC5XwStF048WY
i6lipKNzfbs=
=6nKL
-----END PGP SIGNATURE-----