21 May 2018
Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2018.1540 Moderate: Red Hat OpenStack Platform director security update 21 May 2018 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: Red Hat OpenStack Platform director Publisher: Red Hat Operating System: Red Hat Impact/Access: Modify Arbitrary Files -- Existing Account Denial of Service -- Remote/Unauthenticated Resolution: Patch/Upgrade CVE Names: CVE-2018-1000115 CVE-2017-12155 Reference: ESB-2018.0925 ESB-2018.0638 Original Bulletin: https://access.redhat.com/errata/RHSA-2018:1627 - --------------------------BEGIN INCLUDED TEXT-------------------- - -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 ===================================================================== Red Hat Security Advisory Synopsis: Moderate: Red Hat OpenStack Platform director security update Advisory ID: RHSA-2018:1627-01 Product: Red Hat Enterprise Linux OpenStack Platform Advisory URL: https://access.redhat.com/errata/RHSA-2018:1627 Issue date: 2018-05-18 CVE Names: CVE-2017-12155 CVE-2018-1000115 ===================================================================== 1. Summary: An update is now available for Red Hat OpenStack Platform 11.0 (Ocata). Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. 2. Relevant releases/architectures: Red Hat OpenStack Platform 11.0 - noarch 3. Description: Red Hat OpenStack Platform director provides the facilities for deploying and monitoring a private or public infrastructure-as-a-service (IaaS) cloud based on Red Hat OpenStack Platform. Security Fix(es): * A resource-permission flaw was found in the python-tripleo and openstack-tripleo-heat-templates packages where ceph.client.openstack.keyring is created as world-readable. A local attacker with access to the key could read or modify data on Ceph cluster pools for OpenStack as though the attacker were the OpenStack service, thus potentially reading or modifying data in an OpenStack Block Storage volume. To exploit this flaw, the attacker must have local access to an overcloud node. However by default, access to overcloud nodes is restricted and accessible only from the management undercloud server on an internal network. (CVE-2017-12155) This issue was discovered by Katuya Kawakami (NEC). * It was discovered that the memcached connections using UDP transport protocol can be abused for efficient traffic amplification distributed denial of service (DDoS) attacks. A remote attacker could send a malicious UDP request using a spoofed source IP address of a target system to memcached, causing it to send a significantly larger response to the target. (CVE-2018-1000115) This update also includes the following bug fixes and enhancements: * Prior to this update, when removing the ceph-osd RPM from overcloud nodes that do not require the package, the corresponding Ceph OSD product key was not removed. Consequently, the subscription-manager would incorrectly report that the Ceph OSD product was still installed. With this update, the script that handles removal of the ceph-osd RPM now also removes the Ceph OSD product key. Note: The script that removes the RPM and product key executes only during the overcloud update procedure; the product key is removed only when the overcloud node is updated. As a result, after removing the ceph-osd RPM, the subscription-manager no longer reports the Ceph OSD product is installed. (BZ#1571436) * Previously, there were errors in the director Heat template that configures the VMAX Cinder backend driver. Consequently, the VMAX driver would not function correctly. With this update, the errors have been corrected, and the VMAX driver functions correctly. (BZ#1546799) * This enhancement adds director support for deploying the Dell EMC VMAX cinder backend. (BZ#1546793) * In this enhancement, if a minor update is blocked by an existing yum process that prevents the package update, the process should exit with an appropriate error message. This was added because the minor update may appear to freeze, due to yum waiting for the existing yum.pid to exit; when it eventually fails it is not immediately clear why. As a result, if there is an existing yum process preventing the package update, then the minor update fails with a clear message to indicate this: "ERROR existing yum.pid detected - can't continue! Please ensure there is no other package update process for the duration of the minor update worfklow. Exiting". (BZ#1471721) 4. Solution: For details on how to apply this update, which includes the changes described in this advisory, refer to: https://access.redhat.com/articles/11258 5. Bugs fixed (https://bugzilla.redhat.com/): 1445766 - Horizon is not reachable when Horizon service is running on a standalone role 1471721 - 'openstack overcloud update ...' fails when yum is locked on an overcloud node 1478274 - notification_format in nova.conf should be set to unversioned as there is no consumer for versioned 1489360 - CVE-2017-12155 openstack-tripleo-heat-templates: Ceph client keyring is world-readable when deployed by director 1518009 - os-collect-config doesn't start at boot on split stack deployments with pre-provisioned servers 1524422 - OSP10 -> OSP11 upgrade: upgrade fails during 'Setup gnocchi db during upgrade' task because httpd is stopped and Keystone is unreacheable 1546799 - Backport: Fix the dellemc vmax to use the correct hiera name 1547089 - rhel-registration broken with: Failed to validate: resources.NodeExtraConfig: "conditions" is not a valid keyword inside a resource definition' 1547956 - Undercloud / Overcloud Heat stack fails on: YAQL list index out of range (includes upgrades cases) 1548345 - TLS Deployments don't work in Ocata with Pre-Provisioned Nodes 1550167 - validation-scripts/all-nodes.sh wait time verification 1551182 - CVE-2018-1000115 memcached: UDP server support allows spoofed traffic amplification DoS 1552245 - [OSP11] horizon stanza in haproxy.cfg needs tweaking 1567349 - Rebase openstack-tripleo-heat-templates to 9eafa84 1567365 - Rebase puppet-tripleo to a2b0d92 1571436 - "subscription-manager list" shows Ceph OSD after updating overcloud compute nodes 1577957 - Attempting to Deploy RHOSP-11 with NetApp Driver Causes Failure in Overcloud Deploy 6. Package List: Red Hat OpenStack Platform 11.0: Source: openstack-tripleo-heat-templates-6.2.12-2.el7ost.src.rpm puppet-tripleo-6.5.10-3.el7ost.src.rpm noarch: openstack-tripleo-heat-templates-6.2.12-2.el7ost.noarch.rpm puppet-tripleo-6.5.10-3.el7ost.noarch.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/ 7. References: https://access.redhat.com/security/cve/CVE-2017-12155 https://access.redhat.com/security/cve/CVE-2018-1000115 https://access.redhat.com/security/updates/classification/#moderate 8. Contact: The Red Hat security contact is <email@example.com>. More contact details at https://access.redhat.com/security/team/contact/ Copyright 2018 Red Hat, Inc. - -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIVAwUBWv8HS9zjgjWX9erEAQi5mw/9Fy8M8wTzIVaUYoyx5GBseVr4gFSujnvy lgCt6L/HmkYEh1+tnr1W6vZtYgUsHa7VsTNr9omte3fIxCXryJI354vHSC5pi35h 8o8F9NOipNJbBBC7VaDw4oCdPhceLuAPEKNUwZ0J41dOtWO5v0ebQ70YqU8JIGnI xCxR+OQ8rkd9JZVul9ojOAzduGt/eMYr8RNpqV+qkSHh2eWmipZuCA9CZdnSGvJv HOELXr4Fl+O/3AmU0fgeBprH7wOXG2mPvbZZ1FwB7jq4EFTjLHJn4+Lx42X78WDV pr3y9UaIQpZsowcDlJvn2vXTamjUNV2TRaUaMscM26A2EyNnYrH3VXzOEVs9kExD rKsYs1jCvPKKPt3atKTqi/0OOFL2zXRZD+qfBRFCMeOB7Qx06aagxmlYm7MaN+6P CqWSs3nBe3x8ioNBlH7kUsPtazvJEt8BfNxdQrBu0g1k0SOy1pBlcPpT9mBKWlsn Uh0rkdnkTqVQPDhh+Ab2iLLtwnu/7RKM0KrJZnTJpPoTSQSAlfNfKJfknrs/E+UP z9wGSWOWVsm90YK1O+OE1nEvRrfrO7UIbrC1iEKq6jEbWJPQkcBC/Bes/3+6QFTj BOw9O7W9075gGz2ikeVMHcODJeefUQ1ZZsClz1Rrp2wL662jN8h3+XJI1tHN/QR2 cnXlJpcZCTQ= =3Q2q - -----END PGP SIGNATURE----- - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to firstname.lastname@example.org and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: https://www.auscert.org.au/bulletins/ =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: email@example.com Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: http://www.auscert.org.au/render.html?it=1967 iQIVAwUBWwIYuIx+lLeg9Ub1AQifHA/9Gk+4dHdV70RF0PbxWCeRwa3p9CVcfTH9 sRDH7j1W6gy1BEFUCu+yolNDNAJkj0Lh8uPv92erApjG+f2whlbXEuitC3dRPGjJ db0NPsHdc9KczkecKnARwA2xZyfMH0vcXtqbEc9/DGb+XZMHI9sFF73D5fgp2z+p Y1GpAmNFd6LT6XNoIff+R3ZUMcLaZ1rbPJkJW4HuZnQMwAKwxay/9/UkC/Qw5Z0q fLSAT82igHlydKnBaAJknWBrV1JL2+o2P4DEwukw+xzqEh73fmbsbknoF4mCO3LT OVYC8g9vFgIU6Ku32cmdnSOCV69OJBvZ8TZHIQMw/HVyc/OeacWldhMaGoTzf/X+ ZJZqdKUeL+2qNQnzVfXKsdnTXj3XgD3QGJVnZbP2BzJzMCSwHKOofI6jENDqLYOw nAgYVUTe1cianPs7SeCO5YFKvean+TtYl96z1xhwqhCZqUOqN+OdKPCKxENxb1Jh 14vUz83VJpR7o5NpyIPHvdrKnpX8d1BC0Xx1YXadPDNjXbpIhkjXtcy/pWzwPf42 FVmCAXWakLvQmwXMGxEnMxUjVa8kltzt08MONzHOY1QWMI5yr7s9tyoaOv0mSNLY B/g4o81NELMyHIQNxLOj5AJBY1g0qCacByjfGl0+H+BZ31DokUVd22UfYj0A2oY2 pitFrN9rmHc= =4aTz -----END PGP SIGNATURE-----