
Red Hat Security Advisory 2016-2082-01

Posted Oct 19, 2016
Authored by Red Hat | Site access.redhat.com

Red Hat Security Advisory 2016-2082-01 - Red Hat Storage Console is a new Red Hat offering for storage administrators that provides a graphical management platform for Red Hat Ceph Storage 2. Red Hat Storage Console allows users to install, monitor, and manage a Red Hat Ceph Storage cluster. Security Fix: A flaw was found in the way authentication details were passed between rhscon-ceph and rhscon-core. An authenticated, local attacker could use this flaw to recover the cleartext password.

tags | advisory, local
systems | linux, redhat
advisories | CVE-2016-7062
SHA-256 | 3a9748381fe7e0aeef711fb28a1dcb07552bd2e859c93cc001261330adb97920


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
Red Hat Security Advisory

Synopsis: Moderate: Red Hat Storage Console 2 security and bug fix update
Advisory ID: RHSA-2016:2082-01
Product: Red Hat Storage Console
Advisory URL: https://access.redhat.com/errata/RHSA-2016:2082
Issue date: 2016-10-19
CVE Names: CVE-2016-7062
=====================================================================

1. Summary:

An update is now available for Red Hat Storage Console 2 for Red Hat
Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Storage Console Agent 2 - noarch
Red Hat Storage Console Installer 2 - noarch
Red Hat Storage Console Main 2 - noarch, x86_64

3. Description:

Red Hat Storage Console is a new Red Hat offering for storage
administrators that provides a graphical management platform for Red Hat
Ceph Storage 2. Red Hat Storage Console allows users to install, monitor,
and manage a Red Hat Ceph Storage cluster.

Security Fix(es):

* A flaw was found in the way authentication details were passed between
rhscon-ceph and rhscon-core. An authenticated, local attacker could use
this flaw to recover the cleartext password. (CVE-2016-7062)
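The fix above closes a bug of a well-known class: one local component handed a password to another on the command line (see the Bugzilla titles later in this advisory, "password leak by command line parameter"), and on Linux the argument vector of any process is readable by every local user through `ps` or `/proc/<pid>/cmdline`. The following added example is not Red Hat's or the rhscon project's code; it shows the defensive side of the issue: an audit that flags processes whose command lines carry secret-looking arguments, and the replacement pattern of delivering a secret to a child process over stdin instead of argv. The flag names, the sample command line and the process name `example-daemon` are constructed for illustration.

```python
"""Audit command lines for secrets, and pass a secret safely instead.

Added example, not Red Hat's code. CVE-2016-7062 is the class of bug where one
local component hands a password to another as a command-line argument; on
Linux any local user can read the argv of other processes (ps, /proc/<pid>/cmdline).
Flag names and the sample command line below are constructed for illustration.
"""
import os
import re
import subprocess
import sys

# Argument shapes that usually carry a secret: "--db-password x", "--token=x".
_SECRET_WORDS = r"(password|passwd|pass|pwd|secret|token|api[-_]?key)"
SECRET_FLAG = re.compile(rf"^--?(?:[\w-]*[-_])?{_SECRET_WORDS}$", re.IGNORECASE)
SECRET_EQ = re.compile(rf"^(--?(?:[\w-]*[-_])?{_SECRET_WORDS})=(.*)$", re.IGNORECASE)


def find_secret_args(argv):
    """Return (flag, value) pairs in argv whose flag name suggests a secret."""
    hits = []
    i = 0
    while i < len(argv):
        m = SECRET_EQ.match(argv[i])
        if m:
            hits.append((m.group(1), m.group(3)))
        elif SECRET_FLAG.match(argv[i]) and i + 1 < len(argv):
            hits.append((argv[i], argv[i + 1]))
            i += 1  # skip the value we just consumed
        i += 1
    return hits


def audit_proc_cmdlines():
    """Scan /proc on a Linux host; return {pid: [flag, ...]} for offenders.

    Values are deliberately not returned, only the offending flag names. Only
    processes whose cmdline is readable are examined, which is the point: an
    unprivileged user sees exactly the same data.
    """
    findings = {}
    if not os.path.isdir("/proc"):
        return findings  # not a Linux procfs host
    for pid in os.listdir("/proc"):
        if not pid.isdigit():
            continue
        try:
            with open(f"/proc/{pid}/cmdline", "rb") as fh:
                raw = fh.read()
        except OSError:
            continue  # process exited or is not readable
        argv = [a.decode("utf-8", "replace") for a in raw.split(b"\0") if a]
        hits = find_secret_args(argv)
        if hits:
            findings[int(pid)] = [flag for flag, _ in hits]
    return findings


def run_with_secret_on_stdin(cmd, secret):
    """Start cmd with the secret delivered over a pipe rather than in argv.

    The child reads it from stdin; nothing secret appears in its cmdline.
    Returns the child's stdout.
    """
    proc = subprocess.run(cmd, input=secret + "\n", capture_output=True,
                          text=True, check=True)
    return proc.stdout


def demo_safe_child():
    """Spawn a child that reads the secret from stdin and reports its length."""
    child = [sys.executable, "-c",
             "import sys; s = sys.stdin.readline().strip(); print('got', len(s), 'chars')"]
    return run_with_secret_on_stdin(child, "hunter2")


# Constructed sample of the vulnerable pattern: secrets in argv.
LEAKY_ARGV = ["example-daemon", "--db-user", "console",
              "--db-password", "hunter2", "--api-token=abc123"]

if __name__ == "__main__":
    print("leaky argv exposes:", [flag for flag, _ in find_secret_args(LEAKY_ARGV)])
    print("safe child said:", demo_safe_child().strip())
    print("processes with secrets in argv:", audit_proc_cmdlines())
```

Run as a script, the audit reports only process ids and flag names, so the tool itself never copies a recovered secret into a log; the stdin pattern is the same one a daemon should use when spawning a helper that needs a credential, with an environment variable or a root-only file being the usual alternatives.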

Bug Fix(es):

* Previously, the PG count was calculated on a per-pool basis instead of at
cluster level. With this fix, automatic calculation of PGs is disabled and the
Ceph PG calculator is used to calculate the PG values per OSD, keeping the
cluster in a healthy state. (BZ#1366577, BZ#1375538)
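The difference between per-pool and cluster-level PG sizing is easy to see in numbers. The following added example (not Red Hat's or Ceph's code) applies the rule the public Ceph PG calculator uses (target PGs per OSD x OSD count x the pool's share of the data, divided by replica size, raised to the next power of two and never below OSD count / replica size) and the monitor's "too many PGs per OSD" health check, which compares the average number of PG replicas per OSD against a ceiling. The 8-OSD, four-pool cluster and the default of 100 target PGs per OSD are constructed assumptions; the ceiling of 300 is the value quoted in BZ#1366577.

```python
"""Cluster-level placement-group (PG) sizing check.

Added example, not Red Hat's or Ceph's code. Implements the Ceph PG calculator
rule per pool and the monitor's "too many PGs per OSD" health check, to show
why sizing each pool as if it held all the data overshoots the ceiling.
The cluster below is constructed; 300 is the ceiling quoted in BZ#1366577.
"""


def pg_num_for_pool(osd_count, replica_size, data_share, target_pgs_per_osd=100):
    """PG count for one pool holding `data_share` (0..1) of the cluster's data."""
    raw = target_pgs_per_osd * osd_count * data_share / replica_size
    raw = max(raw, osd_count / replica_size)  # never fewer PGs than OSDs / size
    pg = 1
    while pg < raw:                           # round up to a power of two
        pg *= 2
    return pg


def pgs_per_osd(pools, osd_count):
    """Average PG replicas per OSD; pools are (pg_num, replica_size) pairs."""
    return sum(pg_num * size for pg_num, size in pools) / osd_count


def too_many_pgs(pools, osd_count, max_per_osd=300):
    """True when the monitor would raise HEALTH_WARN 'too many PGs per OSD'."""
    return pgs_per_osd(pools, osd_count) > max_per_osd


def size_pools(osd_count, pool_specs, cluster_wide=True):
    """Size several pools at once.

    pool_specs: list of (name, replica_size, data_share). With cluster_wide=False
    every pool is sized as if it held all the data (share 1.0), which is the
    per-pool behaviour the advisory replaced.
    """
    return {name: pg_num_for_pool(osd_count, size, share if cluster_wide else 1.0)
            for name, size, share in pool_specs}


# Constructed cluster: 8 OSDs, four 3-replica pools sharing the data equally.
OSDS = 8
POOLS = [("rbd", 3, 0.25), ("cephfs_data", 3, 0.25),
         ("cephfs_metadata", 3, 0.25), ("rgw", 3, 0.25)]

if __name__ == "__main__":
    for cluster_wide in (False, True):
        sizing = size_pools(OSDS, POOLS, cluster_wide=cluster_wide)
        layout = [(sizing[name], size) for name, size, _ in POOLS]
        per_osd = pgs_per_osd(layout, OSDS)
        print("cluster-wide" if cluster_wide else "per-pool    ", sizing,
              f"-> {per_osd:.0f} PG replicas per OSD,",
              "HEALTH_WARN" if too_many_pgs(layout, OSDS) else "ok")
```

With these inputs the per-pool method gives every pool 512 PGs and 768 replicas per OSD, over the 300 ceiling, while sizing against each pool's share of the data gives 128 PGs per pool and 192 per OSD. The constructed cluster was chosen to land on the same figure the bug report quotes; nothing here claims it was the reporter's actual configuration.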

* Issuing the command to compact the monitor data store during a rolling
upgrade rendered the Ceph monitors unresponsive. To avoid this behavior, the
data store compaction command is now skipped during a rolling upgrade. As a
result, the Ceph monitors remain responsive. (BZ#1372481)

* Rolling upgrade failed when a custom cluster name other than 'ceph' was
used, causing the ceph-ansible play to abort. With this fix, the playbook
includes flags that indicate the cluster name, defaulting to 'ceph' when
unspecified, and it succeeds with custom cluster names. (BZ#1373919)

* Previously, the pools list in Console displayed incorrect storage
utilization and capacity data due to multiple CRUSH hierarchies. With this
fix, the pools list in Console displays the correct storage utilization and
capacity data. (BZ#1358267)

* Previously, the CPU utilization chart displayed only the CPU utilization of
user processes and omitted system CPU utilization. With this fix, the CPU
utilization chart displays the combined user and system CPU utilization
percentage. (BZ#1358461)

* Network utilization was calculated as if a full-duplex channel, which
carries traffic in both directions simultaneously, had twice its actual
bandwidth. With this update, this has been modified, and the network
utilization is now calculated properly. (BZ#1366242)

* In the Host list page, incorrect chart data was displayed in utilization
charts. With this fix, the chart displays correct data. (BZ#1358270)

* Previously, Calamari failed to reflect the correct values for OSD status.
With this update, the issue has been fixed and the dashboard displays the
correct, real-time OSD status. (BZ#1359129)

* Previously, the text on the Add Storage tab was confusing due to an unclear
description of the storage type. With this fix, the text has been updated
and a short description of pools and RBDs is provided to remove the
ambiguity. (BZ#1365983)

* Previously, while importing a cluster with collocated journals, the
journal size was incorrectly populated in the MongoDB database. With this
fix, the journal size and the journal path are displayed correctly in the
OSD summary of the Host OSDs tab. (BZ#1365998)

* Previously, the clusters list in the console incorrectly depicted IOPS with
units. With this fix, all IOPS units are removed to correctly show IOPS as a
numeric count. (BZ#1366048)

* While checking cluster system performance, selecting any elapsed-hour range
inappropriately displayed tick marks on both elapsed-hour ranges. With this
fix, the console displays the system performance graph with a tick mark only
on the selected elapsed hour(s). (BZ#1366081)

* The journal device details did not synchronize as expected during the pool
creation and cluster import workflows. This behavior is now fixed so that the
actual device details for OSD journals are fetched and displayed as expected
in the UI. (BZ#1342969)

All users of Red Hat Storage Console are advised to upgrade to these
updated packages, which fix these bugs and add this enhancement.

4. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1342969 - OSD journal details provides incorrect journal size
1346379 - Command line parameters exposed (too spurious) as well as passwords shown
1358267 - Wrong size and utilization of pool
1358270 - cpu utilization charts on Host list dashboard doesn't match reported values
1358461 - cpu utilization values reported by RHSC 2.0 are wrong
1358832 - Enable mongodb authentication
1359129 - Bad OSD status
1365983 - [RFE]Very confusing "Add Storage" UI organization
1365998 - Incoherent OSD journal size display in the UI
1366048 - Cluster list window shows incorrect performance unit
1366081 - Cluster Performance Graph Range Selection Popup Broken
1366242 - Network utilization is not calculated properly
1366577 - Wrong calculation of PGs peer OSD leads to cluster in HEALTH_WARN state with explanation "too many PGs per OSD (768 > max 300)"
1366620 - Node initalization fails with "loop" type of disks on node
1371496 - Network utilization doesn't work with SELinux in enforcing mode
1371848 - Installation of ceph-installer failing on RHEL 7.3 because of conflicts with file from package firewalld-filesystem
1372481 - [ceph-ansible] : rolling_update got hung in task 'compress the store as much as possible'
1373919 - [ceph-ansible] : rolling update will fail if cluster name is other than 'ceph'
1375538 - PG count for pool creation is hard set and calculated in a wrong way
1375972 - when cluster is expanded (new machine added), console doesn't warn admin about implications of associated recovery operation
1381681 - CVE-2016-7062 rhscon-ceph: password leak by command line parameter

6. Package List:

Red Hat Storage Console Agent 2:

Source:
rhscon-agent-0.0.19-1.el7scon.src.rpm
rhscon-core-0.0.45-1.el7scon.src.rpm

noarch:
rhscon-agent-0.0.19-1.el7scon.noarch.rpm
rhscon-core-selinux-0.0.45-1.el7scon.noarch.rpm
salt-selinux-0.0.45-1.el7scon.noarch.rpm

Red Hat Storage Console Installer 2:

Source:
ceph-ansible-1.0.5-34.el7scon.src.rpm
ceph-installer-1.0.15-2.el7scon.src.rpm

noarch:
ceph-ansible-1.0.5-34.el7scon.noarch.rpm
ceph-installer-1.0.15-2.el7scon.noarch.rpm

Red Hat Storage Console Main 2:

Source:
rhscon-ceph-0.0.43-1.el7scon.src.rpm
rhscon-core-0.0.45-1.el7scon.src.rpm
rhscon-ui-0.0.60-1.el7scon.src.rpm

noarch:
carbon-selinux-0.0.45-1.el7scon.noarch.rpm
rhscon-core-selinux-0.0.45-1.el7scon.noarch.rpm
rhscon-ui-0.0.60-1.el7scon.noarch.rpm
salt-selinux-0.0.45-1.el7scon.noarch.rpm

x86_64:
rhscon-ceph-0.0.43-1.el7scon.x86_64.rpm
rhscon-ceph-debuginfo-0.0.43-1.el7scon.x86_64.rpm
rhscon-core-0.0.45-1.el7scon.x86_64.rpm
rhscon-core-debuginfo-0.0.45-1.el7scon.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2016-7062
https://access.redhat.com/security/updates/classification/#moderate

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2016 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iD8DBQFYB5BwXlSAg2UNWIIRAkkkAJ92LcTswjdK54hM2sURcdEi0BmkYACeJbAd
4UqOX6RNIRuP3rO30SufWJg=
=K2LI
-----END PGP SIGNATURE-----


--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce