Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2018.2768
Moderate: openstack-neutron security and bug fix updates
18 September 2018
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: openstack-neutron
Publisher: Red Hat
Operating System: Red Hat Enterprise Linux Server 7
Impact/Access: Denial of Service -- Existing Account
Resolution: Patch/Upgrade
CVE Names: CVE-2018-14635
Original Bulletin:
https://access.redhat.com/errata/RHSA-2018:2710
https://access.redhat.com/errata/RHSA-2018:2715
Comment: This bulletin contains two (2) Red Hat security advisories.
- --------------------------BEGIN INCLUDED TEXT--------------------
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
=====================================================================
Red Hat Security Advisory
Synopsis: Moderate: openstack-neutron security update
Advisory ID: RHSA-2018:2710-01
Product: Red Hat Enterprise Linux OpenStack Platform
Advisory URL: https://access.redhat.com/errata/RHSA-2018:2710
Issue date: 2018-09-17
CVE Names: CVE-2018-14635
=====================================================================
1. Summary:
An update for openstack-neutron is now available for Red Hat OpenStack
Platform 13.0 (Queens).
Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.
2. Relevant releases/architectures:
Red Hat OpenStack Platform 13.0 - noarch
3. Description:
OpenStack Networking (neutron) is a pluggable, scalable, and API-driven
system that provisions networking services to virtual machines. Its main
function is to manage connectivity to and from virtual machines.
Security Fix(es):
* openstack-neutron: A router interface out of subnet IP range results in a
denial of service (CVE-2018-14635)
For more details about the security issue(s), including the impact, a CVSS
score, and other related information, refer to the CVE page(s) listed in
the References section.
4. Solution:
For details on how to apply this update, which includes the changes
described in this advisory, refer to:
https://access.redhat.com/articles/11258
5. Bugs fixed (https://bugzilla.redhat.com/):
1607822 - CVE-2018-14635 openstack-neutron: A router interface out of subnet IP range results in a denial of service
6. Package List:
Red Hat OpenStack Platform 13.0:
Source:
openstack-neutron-12.0.3-5.el7ost.src.rpm
noarch:
openstack-neutron-12.0.3-5.el7ost.noarch.rpm
openstack-neutron-common-12.0.3-5.el7ost.noarch.rpm
openstack-neutron-linuxbridge-12.0.3-5.el7ost.noarch.rpm
openstack-neutron-macvtap-agent-12.0.3-5.el7ost.noarch.rpm
openstack-neutron-metering-agent-12.0.3-5.el7ost.noarch.rpm
openstack-neutron-ml2-12.0.3-5.el7ost.noarch.rpm
openstack-neutron-openvswitch-12.0.3-5.el7ost.noarch.rpm
openstack-neutron-rpc-server-12.0.3-5.el7ost.noarch.rpm
openstack-neutron-sriov-nic-agent-12.0.3-5.el7ost.noarch.rpm
python-neutron-12.0.3-5.el7ost.noarch.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/
7. References:
https://access.redhat.com/security/cve/CVE-2018-14635
https://access.redhat.com/security/updates/classification/#moderate
8. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2018 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQIVAwUBW5/amdzjgjWX9erEAQj1aw//Zh8VwR3TkdcrggFUxxwEmuNHoy5ikO4o
86IX/PpwISxv9Vl6NEU/QQphofeA1AAMEz23meG+F8SA9J4ViqEa9fsfeNCFTchP
UphcgjKb4zRhoiL27WJKjsYelCaW0SIVkz18l0YKyNxECeywiyOeF9SqZuDhgpqv
zlZAsiF+/57cf5dGVcyp9VDM37mnv0dd8DgYMgJDAci5QhbZX0mZ6M4MUKlUAD8Z
Zxy0kAEPb8ZAs7GyCieo3kV/bUIWS75chTa4dWczJsPKJBXVVrYpWyxFMmAPJM3/
QrUwF99t5DgI2ViXtAhZfP59TVLpGNqBLAH6aUu5UN5jOb/U/L96ehkadErIR/ow
FhRtb1o12gZxq8kIl/yKy7i9MvWkESi/Q6lGHmCGzdmNYv2xm0Ytp6DqUoAVSAE/
+9I30o231ebL3e2fvgrxK35ZqFl4k3dOdxl9/xZO3GCnU0yunL2A6iuKtteXU+4D
Dh8FFop/OQNb6SbYGPV3OlURWwvLLZAksYkNZYtlbIgDqawReQnIN2p1RplJOqBY
OotDSPsH4R8rhrfyRlPkZsiH04nCw2yjekn9S3HiqTQNySVThMz4yD9EwSjrAH8e
hbq0PTg++Qh3AgvzPI+Zv2Gzwk6Thj9LHDZkxY9LW68JBFhJANvIKOeheaJTLEmp
iRGI0wprJ50=
=1B82
- -----END PGP SIGNATURE-----
- --------------------------------------------------------------------------------
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
=====================================================================
Red Hat Security Advisory
Synopsis: Moderate: openstack-neutron security and bug fix update
Advisory ID: RHSA-2018:2715-01
Product: Red Hat Enterprise Linux OpenStack Platform
Advisory URL: https://access.redhat.com/errata/RHSA-2018:2715
Issue date: 2018-09-17
CVE Names: CVE-2018-14635
=====================================================================
1. Summary:
An update for openstack-neutron is now available for Red Hat OpenStack
Platform 10.0 (Newton).
Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.
2. Relevant releases/architectures:
Red Hat OpenStack Platform 10.0 - noarch
3. Description:
OpenStack Networking (neutron) is a pluggable, scalable, and API-driven
system that provisions networking services to virtual machines. Its main
function is to manage connectivity to and from virtual machines.
Security Fix(es):
* openstack-neutron: A router interface out of subnet IP range results in a
denial of service (CVE-2018-14635)
For more details about the security issue, including the impact, a CVSS
score, and other related information, refer to the CVE page listed in the
References section.
Bug Fix(es):
* A new configuration option bridge_mac_table_size has been added for the
neutron OVS agent. This value is set on every Open vSwitch bridge managed
by the openvswitch-neutron-agent. The value controls the maximum number of
MAC addresses that can be learned on a bridge. The default value for this
new option is 50,000, which should be enough for most systems. Values
outside a reasonable range (10 to 1,000,000) might be overridden by Open
vSwitch. (BZ#1589031)
* Previously, when a VM was destroyed, the IPv6 lease was not removed from
dnsmasq lease files due to a missing dhcp_release6 binary.
With this update, the dhcp_release6 binary is now provided in an updated
dnsmasq-utils package version. (BZ#1545006)
4. Solution:
For details on how to apply this update, which includes the changes
described in this advisory, refer to:
https://access.redhat.com/articles/11258
5. Bugs fixed (https://bugzilla.redhat.com/):
1404709 - Neutron L3 Agent: AZLeastRoutersScheduler scheduler bug
1511394 - FlushError on IPAllocations when multiple subnets in the same network deleted
1532280 - ovs-vswitchd service hangs with Error too many open files
1545006 - openstack-neutron DHCP agent requires dnsmasq-utils 2.76
1561907 - test_sriov is failing on OSP10
1570908 - Cannot set --no-share on shared network that has floating_ip, gateway AND a tenant port
1575356 - [CI] Issue with addCleanup method causing scenario tests to fail
1576256 - neutron-openvswitch-agent cleans up stale flows months after they were created but it does not recreated correct flows and bridge configuration
1578414 - Sometimes dhcp_release packet isn't reaching dnsmasq process because it's being reloaded
1579400 - Neutron agents attach untagged ports to br-int, which will be trunk port if neutron-openvswitch-agent never handles them
1584845 - Packet loss during standby L3 agent restart
1589031 - The mac table size of neutron bridges (br-tun, br-int, br-*) is too small by default and eventually makes openvswitch explode
1607822 - CVE-2018-14635 openstack-neutron: A router interface out of subnet IP range results in a denial of service
6. Package List:
Red Hat OpenStack Platform 10.0:
Source:
openstack-neutron-9.4.1-28.el7ost.src.rpm
noarch:
openstack-neutron-9.4.1-28.el7ost.noarch.rpm
openstack-neutron-common-9.4.1-28.el7ost.noarch.rpm
openstack-neutron-linuxbridge-9.4.1-28.el7ost.noarch.rpm
openstack-neutron-macvtap-agent-9.4.1-28.el7ost.noarch.rpm
openstack-neutron-metering-agent-9.4.1-28.el7ost.noarch.rpm
openstack-neutron-ml2-9.4.1-28.el7ost.noarch.rpm
openstack-neutron-openvswitch-9.4.1-28.el7ost.noarch.rpm
openstack-neutron-rpc-server-9.4.1-28.el7ost.noarch.rpm
openstack-neutron-sriov-nic-agent-9.4.1-28.el7ost.noarch.rpm
python-neutron-9.4.1-28.el7ost.noarch.rpm
python-neutron-tests-9.4.1-28.el7ost.noarch.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/
7. References:
https://access.redhat.com/security/cve/CVE-2018-14635
https://access.redhat.com/security/updates/classification/#moderate
8. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2018 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQIVAwUBW5/b9NzjgjWX9erEAQhAwA/+MyO8MCtJxd8m+n1MjfAIlpkU6MKJOd9b
IL9Q4uRqJch2uE2o0PS5BbjPZ1zRD8757gCobjSs8j99xyLo9lcLeszvBIzXGxY9
znHh5vo4JAfRNwciqBb+pe2SfuE70cP7tKvLw8uL9udcUjX8uCT0g9jpF2Xjae23
ZZr6A7q4a78kwJZXMmOrpjNIAob2AaqdB1Ja0Bhh07VsSg3Yme4mZPhd2gbCbpBN
5/ObuGej8POk+UUIrryRnkqVyL1KKmUpSDK78Z9wwdth1KA0GpJ5MyLPw0q6695K
mSqyaKHrqUG46awWDM420g6WxcN4vH27ssEgcCdYKk0Nn1MMgAnCiXwXYLUsvf/n
cEtNYoShyAxedp0qfOkIk8u41Gx5vnQAUKlgmpoJuNUJEp5gutl468rrvPgrbGW/
kpUO6X0+ksTOT5VgSLF/HXeezPztiQkjp4WT9oTOv59In/ag+9abvmmWSlzRhvlG
/hQeXWG5Lq0NDgCAJ5ISeeNV7sm238kXcknbHiXr3HRQz4LKNukHSGG+r0ICQwFF
Ud/zcnHR8g46cvzaFe1SK+O+OD9Rd/Idzk22nGFH/C/crpMfHF1LnYvG0tebE4Xa
ZMs2E5FF02w+Z/rTeEPkKQAdKi8rvn8KOHGABMrsR9E1qXWViOh8SDQ8npIcWlCM
b3/UV83nYYY=
=SViz
- -----END PGP SIGNATURE-----
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
https://www.auscert.org.au/bulletins/
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBW6BnCWaOgq3Tt24GAQgCKxAA3HhhqXH718cnyCguUfkPjuLSvnqdPrzU
wSv0dv9v4fwDN3qjzf8Hw9e817Ku0BvIrZmcPnRWpn/T9mn7CTLMorHVphOQHvCx
KQdWcXcELDTaRM9NE+eoL4sZ78O2hhn8UxNeh19vtb7Sf7IkQDing3PvmH7peN03
r7lexkRI3kQz6Ueark3YbhldRvtE/cvci7youpUcIGH5MV8x6LGSKl5l2hByvifA
pFwjNdojDog3G3rQcoHxjhIPc7vm19NigOu4msVhicalHUfE2uRWt1Ei9LGDrUMX
/h1grsxoUaTL9C7FwJ3kRUHMUpLdseU6NcEBDpt0Ot9Ke46P/DXSiJvmDO8d1rnA
EJDwvrY4ZhF6UUZYC1/P06RGg3uPV5z3pGk+v/nR3yKYxd8IZ961huvQRlByDMfK
5q7kiXsVjo/MPZ49UcMUCyYelMSR5+sidlQXwIvXqKpeGbRJtFZ9Vq6M7Jns8Rzy
AYNgwjYpGmbdMVv6yNotokF8Krro8ImuvN/pzxj6Ot4Zj2py7TUW8B7I90AuunRT
//3pk8uZ7AjwxE6izXtxvWLtimTtjBTB/tDvb9Rchl5GkRsApl7qP3YVh2r0Yrz3
1hAc5GeZCXMndRe2IPJxu2SLryzjWdNUeZkk5A2CL/ZMB3GSNZpCihBLGYu2BR3o
sABOZhG7exY=
=EpJ2
-----END PGP SIGNATURE-----