Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2019.2552
Important: openstack-ironic-inspector security update
11 July 2019
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: openstack-ironic-inspector
Publisher: Red Hat
Operating System: Red Hat Enterprise Linux Server 7
Impact/Access: Execute Arbitrary Code/Commands -- Remote/Unauthenticated
Denial of Service -- Remote/Unauthenticated
Resolution: Patch/Upgrade
CVE Names: CVE-2019-10141
Reference: ESB-2019.2428
Original Bulletin:
https://access.redhat.com/errata/RHSA-2019:1722
https://access.redhat.com/errata/RHSA-2019:1734
Comment: This bulletin contains two (2) Red Hat security advisories.
- --------------------------BEGIN INCLUDED TEXT--------------------
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
=====================================================================
Red Hat Security Advisory
Synopsis: Important: openstack-ironic-inspector security update
Advisory ID: RHSA-2019:1722-01
Product: Red Hat Enterprise Linux OpenStack Platform
Advisory URL: https://access.redhat.com/errata/RHSA-2019:1722
Issue date: 2019-07-09
CVE Names: CVE-2019-10141
=====================================================================
1. Summary:
An update for openstack-ironic-inspector is now available for Red Hat
OpenStack Platform 10.0 (Newton).
Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.
2. Relevant releases/architectures:
Red Hat OpenStack Platform 10.0 - noarch
3. Description:
OpenStack Bare Metal (ironic) is a tool used to provision bare metal (as
opposed to virtual) machines. It leverages common technologies such as PXE
boot and IPMI to cover a wide range of hardware. It also supports pluggable
drivers to allow added, vendor-specific, functionality.
Security Fix(es):
* openstack-ironic-inspector: SQL Injection vulnerability when receiving
introspection data (CVE-2019-10141)
For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.
4. Solution:
For details on how to apply this update, which includes the changes
described in this advisory, refer to:
https://access.redhat.com/articles/11258
5. Bugs fixed (https://bugzilla.redhat.com/):
1711722 - CVE-2019-10141 openstack-ironic-inspector: SQL Injection vulnerability when receiving introspection data
6. Package List:
Red Hat OpenStack Platform 10.0:
Source:
openstack-ironic-inspector-4.2.2-6.el7ost.src.rpm
noarch:
openstack-ironic-inspector-4.2.2-6.el7ost.noarch.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/
7. References:
https://access.redhat.com/security/cve/CVE-2019-10141
https://access.redhat.com/security/updates/classification/#important
8. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2019 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQIVAwUBXSWt0tzjgjWX9erEAQgUBRAAi3iIeWYRfLy1EuMNaLoHAy0yV78miaup
gEYs5CNeVwcswhjZVm6m7d5uWSOLB34Ml8IkQ3AFNpbxWwjRxr2fcNJG1G6BG5+G
5EAJeOiWgctS3TmHwJPjDQPBMOgdaYX/SOcbj/pEcrhrrrNpZwAqL7WtEpDsylhr
tCLlR34OZrHt0igMNfLtoa0X6Z9TMtmuZA0zz0GBryEiKC2gaFqr7ASZEUX737fn
o/e49fG1w3G4U9mgzYXc00Ei0pmjq2WIUpRs91LPnmoHHCj0NuZM+mdHHhMs9wpU
ZdGg4bOaD5tgk7/eLfySY0cjxUhPjPmtVEewNnSEU8wjE4kxfb3kYZ8LrReo5JEf
04sKaujvEA7vOvTQ9TF/xxlTMzxnej1K61jO7iQh+sUM9StLhzcVQeuFcvZy5eHJ
WzHc1n3wlw9X3z4CtIuE6nsdhaIEkvmRIi3wDFfDh44m+hPu80Ty+9exdImpJGWN
RK1kMKcUDnsUuQh0e919zXjqgtuEahNUuTQqbxcO4hoSQ9z5MdIgqI5/m0imOGGb
No0fsgkQm/jr7/3l62loiw/QYGR5ktf4TiPUJP/6jBoynPXbmagVLV+79RJ/1X7t
EtPcePE8qc6SDtlNyp6Ek32i6VvM5f8tdtL8KXdG2WpKSTcLq42g397Ipdbv86k0
KBWRwPZ3Pqw=
=BHpr
- -----END PGP SIGNATURE-----
- --------------------------------------------------------------------------------
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
=====================================================================
Red Hat Security Advisory
Synopsis: Important: openstack-ironic-inspector security update
Advisory ID: RHSA-2019:1734-01
Product: Red Hat Enterprise Linux OpenStack Platform
Advisory URL: https://access.redhat.com/errata/RHSA-2019:1734
Issue date: 2019-07-10
CVE Names: CVE-2019-10141
=====================================================================
1. Summary:
An update for openstack-ironic-inspector is now available for Red Hat
OpenStack Platform 13.0 (Queens).
Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.
2. Relevant releases/architectures:
Red Hat OpenStack Platform 13.0 - noarch
3. Description:
ironic-inspector is an auxiliary service for discovering hardware
properties for a node managed by Ironic. Hardware introspection or hardware
properties discovery is a process of getting hardware parameters required
for scheduling from a bare metal node, given its power management
credentials (e.g. IPMI address, user name and password).
Security Fix:
* openstack-ironic-inspector: SQL Injection vulnerability when receiving
introspection data (CVE-2019-10141)
For more details about the security issue, including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page listed in the References section.
4. Solution:
For details on how to apply this update, which includes the changes
described in this advisory, refer to:
https://access.redhat.com/articles/11258
5. Bugs fixed (https://bugzilla.redhat.com/):
1711722 - CVE-2019-10141 openstack-ironic-inspector: SQL Injection vulnerability when receiving introspection data
1717086 - Rebase openstack-ironic-inspector to 7.2.4
6. Package List:
Red Hat OpenStack Platform 13.0:
Source:
openstack-ironic-inspector-7.2.3-3.el7ost.src.rpm
noarch:
openstack-ironic-inspector-7.2.3-3.el7ost.noarch.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/
7. References:
https://access.redhat.com/security/cve/CVE-2019-10141
https://access.redhat.com/security/updates/classification/#important
8. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2019 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQIVAwUBXSXikNzjgjWX9erEAQhuzQ/+JlRXpZWPUKdqTZtovs4BG9r14rS3O9a8
pR/K/qiBDzKlz/qxO6HASWE3lwm8EbbXgsBjq/8+Qrc7iv9TMtMTgeCXa3iz8AJ6
x8dG8Yqwl8BeZMIuafiVG4qkurkxbErXHl/Doin/Guq2hpHfxYNhi/yJwoRs6wJZ
5uD///GyVmpug3vYtzaFfUzLZ+wJGVyMNoaKW4aaP9X6cDnlfpmV4rh/l1XXITDz
QWtsBygcWf4X617Mmrlo4ug/KQwhruqEvqATpQMDjKWyFgheGtGV6CdaEeyq12q+
zP4kL70Vjbv6XrLuGJ0HP1hN2tV6XHIL7T2OUpg1J4PhcT6MVHPzjOizu9cBVWh2
IZpIMN9hKnBBQ+lgBpIcye1VKX+TcFpLVdM2cZVjEoOl9R/qtgUvR8pyMYccaC8E
ElPX3/MHeJKiF0MzsvucGqmt1pzL+1z8Y2ebWFG1yFLXv9ba6Jl0d6UL/lH5elyg
N7u/kNsP2FyVCtboF2IBEfG86k+9N4ktp0lOJ+qmoHA0e8HH5ZxcwpoEuJASu7Uj
jif+woB2vyHveRlo28g3bqmm9Tj0rN++mXEBrcq42cDixuqJadKY9AiNd+Xjgxna
m37WhItd78gzxKqBeVAeNnslFcxKtGvBkYs3tyTS45GR10vyx+g/+b9yr7Lgdti9
Xx4TsPPfpBo=
=jklW
- -----END PGP SIGNATURE-----
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
https://www.auscert.org.au/bulletins/
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBXSa/Q2aOgq3Tt24GAQhbThAA1HNTUl4PkE09qGkn7CnsGQ/By+ARE9X4
oIDdZ89oCEhTxFj/iG7gL4NULMiVEF3F1yYZDgBS3gyt3yRCz7ueCY+cvy2n7sPF
evYJUJ+onfgG+2jJgSjCllgsAFqiVPGh802tgsFeVxv9MHEanib/09UuZFiVP61r
NULa95vuaWigJxWp5VRamZ3LHTvK7x2Mgg2L1fWXJbuNAY3Uf/Cva+c7qiehJUan
i2zPmUvutfETh55eUdKSstpZxIdGWj3rR+QDsfz1fLK2Yh6Q0adEO5n1wduASD10
K3a6Yo6tkC/FcwkaOv8kyIPXFowrhDW/G1yW26p3aZgFo2jbN2ny5fACMC1WNMx7
bHtXHtRWZh9JnzBq7TQ0DSN4SWGSrKJdAyTs9KZfRsyP+dq+1iLSNKAjN/W38cHw
DdZs2bQkW7Axq4gCpYMCbi34olHMLEIWOnmhmKebgekz2ZRqSztwA0BbCFEND/bD
Bf9K/ZCsOBqcHkBhvM2rWNUvSp1N4A5io8tVWMw1Rd6rcXjA7ob3HdeaGU4nmRNm
JvpErgEj81sBHq8o7VuqiRrASKQCJHyGmrPjp4ZBlxjCj0PqAwmtLDuuxS3sJn+w
OHbBI9OmH2q56t8hTk8lGpCwWt8L4BPh3Rx00tFpIlS9ZOGEgtlf/GHKqv1aOCx/
ZRQiJzw3G5c=
=m/2K
-----END PGP SIGNATURE-----