what you don't know can hurt you

Red Hat Security Advisory 2018-1627-01

Red Hat Security Advisory 2018-1627-01
Posted May 19, 2018
Authored by Red Hat | Site access.redhat.com

Red Hat Security Advisory 2018-1627-01 - Red Hat OpenStack Platform director provides the facilities for deploying and monitoring a private or public infrastructure-as-a-service cloud based on Red Hat OpenStack Platform. Issues addressed include a denial of service vulnerability.

tags | advisory, denial of service
systems | linux, redhat
advisories | CVE-2017-12155, CVE-2018-1000115
MD5 | 17a3f479b89469df7ad5d266a74434a3

Red Hat Security Advisory 2018-1627-01

Change Mirror Download
Hash: SHA256

Red Hat Security Advisory

Synopsis: Moderate: Red Hat OpenStack Platform director security update
Advisory ID: RHSA-2018:1627-01
Product: Red Hat Enterprise Linux OpenStack Platform
Advisory URL: https://access.redhat.com/errata/RHSA-2018:1627
Issue date: 2018-05-18
CVE Names: CVE-2017-12155 CVE-2018-1000115

1. Summary:

An update is now available for Red Hat OpenStack Platform 11.0 (Ocata).

Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat OpenStack Platform 11.0 - noarch

3. Description:

Red Hat OpenStack Platform director provides the facilities for deploying
and monitoring a private or public infrastructure-as-a-service (IaaS) cloud
based on Red Hat OpenStack Platform.

Security Fix(es):

* A resource-permission flaw was found in the python-tripleo and
openstack-tripleo-heat-templates packages where
ceph.client.openstack.keyring is created as world-readable. A local
attacker with access to the key could read or modify data on Ceph cluster
pools for OpenStack as though the attacker were the OpenStack service, thus
potentially reading or modifying data in an OpenStack Block Storage volume.

To exploit this flaw, the attacker must have local access to an overcloud
node. However by default, access to overcloud nodes is restricted and
accessible only from the management undercloud server on an internal
network. (CVE-2017-12155)

This issue was discovered by Katuya Kawakami (NEC).

* It was discovered that the memcached connections using UDP transport
protocol can be abused for efficient traffic amplification distributed
denial of service (DDoS) attacks. A remote attacker could send a malicious
UDP request using a spoofed source IP address of a target system to
memcached, causing it to send a significantly larger response to the
target. (CVE-2018-1000115)

This update also includes the following bug fixes and enhancements:

* Prior to this update, when removing the ceph-osd RPM from overcloud nodes
that do not require the package, the corresponding Ceph OSD product key was
not removed. Consequently, the subscription-manager would incorrectly
report that the Ceph OSD product was still installed.
With this update, the script that handles removal of the ceph-osd RPM now
also removes the Ceph OSD product key. Note: The script that removes the
RPM and product key executes only during the overcloud update procedure;
the product key is removed only when the overcloud node is updated.
As a result, after removing the ceph-osd RPM, the subscription-manager no
longer reports the Ceph OSD product is installed. (BZ#1571436)

* Previously, there were errors in the director Heat template that
configures the VMAX Cinder backend driver. Consequently, the VMAX driver
would not function correctly. With this update, the errors have been
corrected, and the VMAX driver functions correctly. (BZ#1546799)

* This enhancement adds director support for deploying the Dell EMC VMAX
cinder backend. (BZ#1546793)

* In this enhancement, if a minor update is blocked by an existing yum
process that prevents the package update, the process should exit with an
appropriate error message. This was added because the minor update may
appear to freeze, due to yum waiting for the existing yum.pid to exit; when
it eventually fails it is not immediately clear why. As a result, if there
is an existing yum process preventing the package update, then the minor
update fails with a clear message to indicate this: "ERROR existing yum.pid
detected - can't continue! Please ensure there is no other package update
process for the duration of the minor update worfklow. Exiting".

4. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:


5. Bugs fixed (https://bugzilla.redhat.com/):

1445766 - Horizon is not reachable when Horizon service is running on a standalone role
1471721 - 'openstack overcloud update ...' fails when yum is locked on an overcloud node
1478274 - notification_format in nova.conf should be set to unversioned as there is no consumer for versioned
1489360 - CVE-2017-12155 openstack-tripleo-heat-templates: Ceph client keyring is world-readable when deployed by director
1518009 - os-collect-config doesn't start at boot on split stack deployments with pre-provisioned servers
1524422 - OSP10 -> OSP11 upgrade: upgrade fails during 'Setup gnocchi db during upgrade' task because httpd is stopped and Keystone is unreacheable
1546799 - Backport: Fix the dellemc vmax to use the correct hiera name
1547089 - rhel-registration broken with: Failed to validate: resources.NodeExtraConfig: "conditions" is not a valid keyword inside a resource definition'
1547956 - Undercloud / Overcloud Heat stack fails on: YAQL list index out of range (includes upgrades cases)
1548345 - TLS Deployments don't work in Ocata with Pre-Provisioned Nodes
1550167 - validation-scripts/all-nodes.sh wait time verification
1551182 - CVE-2018-1000115 memcached: UDP server support allows spoofed traffic amplification DoS
1552245 - [OSP11] horizon stanza in haproxy.cfg needs tweaking
1567349 - Rebase openstack-tripleo-heat-templates to 9eafa84
1567365 - Rebase puppet-tripleo to a2b0d92
1571436 - "subscription-manager list" shows Ceph OSD after updating overcloud compute nodes
1577957 - Attempting to Deploy RHOSP-11 with NetApp Driver Causes Failure in Overcloud Deploy

6. Package List:

Red Hat OpenStack Platform 11.0:



These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from

7. References:


8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2018 Red Hat, Inc.
Version: GnuPG v1


RHSA-announce mailing list


RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

June 2019

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jun 1st
    1 Files
  • 2
    Jun 2nd
    2 Files
  • 3
    Jun 3rd
    19 Files
  • 4
    Jun 4th
    21 Files
  • 5
    Jun 5th
    15 Files
  • 6
    Jun 6th
    12 Files
  • 7
    Jun 7th
    11 Files
  • 8
    Jun 8th
    1 Files
  • 9
    Jun 9th
    1 Files
  • 10
    Jun 10th
    15 Files
  • 11
    Jun 11th
    15 Files
  • 12
    Jun 12th
    15 Files
  • 13
    Jun 13th
    8 Files
  • 14
    Jun 14th
    16 Files
  • 15
    Jun 15th
    2 Files
  • 16
    Jun 16th
    1 Files
  • 17
    Jun 17th
    18 Files
  • 18
    Jun 18th
    15 Files
  • 19
    Jun 19th
    22 Files
  • 20
    Jun 20th
    15 Files
  • 21
    Jun 21st
    15 Files
  • 22
    Jun 22nd
    2 Files
  • 23
    Jun 23rd
    1 Files
  • 24
    Jun 24th
    23 Files
  • 25
    Jun 25th
    0 Files
  • 26
    Jun 26th
    0 Files
  • 27
    Jun 27th
    0 Files
  • 28
    Jun 28th
    0 Files
  • 29
    Jun 29th
    0 Files
  • 30
    Jun 30th
    0 Files

Top Authors In Last 30 Days

File Tags


packet storm

© 2019 Packet Storm. All rights reserved.

Security Services
Hosting By