-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 ===================================================================== Red Hat Security Advisory Synopsis: Moderate: Red Hat OpenStack Platform director security update Advisory ID: RHSA-2018:1593-01 Product: Red Hat Enterprise Linux OpenStack Platform Advisory URL: https://access.redhat.com/errata/RHSA-2018:1593 Issue date: 2018-05-17 CVE Names: CVE-2017-12155 CVE-2018-1000115 ===================================================================== 1. Summary: An update is now available for Red Hat OpenStack Platform 10.0 (Newton). Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. 2. Relevant releases/architectures: Red Hat OpenStack Platform 10.0 - noarch 3. Description: Red Hat OpenStack Platform director provides the facilities for deploying and monitoring a private or public infrastructure-as-a-service (IaaS) cloud based on Red Hat OpenStack Platform. Security Fix(es): * A resource-permission flaw was found in the python-tripleo and openstack-tripleo-heat-templates packages where ceph.client.openstack.keyring is created as world-readable. A local attacker with access to the key could read or modify data on Ceph cluster pools for OpenStack as though the attacker were the OpenStack service, thus potentially reading or modifying data in an OpenStack Block Storage volume. To exploit this flaw, the attacker must have local access to an overcloud node. However by default, access to overcloud nodes is restricted and accessible only from the management undercloud server on an internal network. (CVE-2017-12155) This issue was discovered by Katuya Kawakami (NEC). * It was discovered that the memcached connections using UDP transport protocol can be abused for efficient traffic amplification distributed denial of service (DDoS) attacks. A remote attacker could send a malicious UDP request using a spoofed source IP address of a target system to memcached, causing it to send a significantly larger response to the target. (CVE-2018-1000115) This advisory also addresses the following issues: * This release adds support for deploying Dell EMC VMAX Block Storage backend using the Red Hat OpenStack Platform director. (BZ#1503896) * Using composable roles for deploying Dell SC and PS Block Storage backend caused errors. The backends could only be deploying using 'cinder::config::cinder_config' hiera data. With this update, the composable role support for deploying the Dell SC and PS Block Storage backends is updated. As a result, they can be now deployed using composable roles. (BZ#1552980) * Previously, the iptables rules were managed by the Red Hat OpenStack Platform director and the OpenStack Networking service, which resulted in the rules created by the OpenStack Networking service to persist on to the disk. As a result, the rules that should not be loaded after an iptables restart or a system reboot would be loaded causing traffic issues. With this update, the Red Hat OpenStack Platform director has been updated to exclude the OpenStack Networking rules from '/etc/sysconfig/iptables' when the director saves the firewall rules. As a result, iptables restart or a system reboot should work without causing traffic problems. Note: It might be necessary to perform a rolling restart of the controller nodes to ensure that any orphaned managed neutron rules are no longer reloaded. (BZ#1541528) * OS::TripleO::SwiftStorage::Ports* resources have been renamed to OS::TripleO::ObjectStorage::Port* to ensure standalone Object Storage nodes using the 'ObjectStorage' roles can be deployed correctly. Operators need to modify their custom templates that previously used OS::TripleO::SwiftStorage::Ports* settings. (BZ#1544802) 4. Solution: For details on how to apply this update, which includes the changes described in this advisory, refer to: https://access.redhat.com/articles/11258 5. Bugs fixed (https://bugzilla.redhat.com/): 1414549 - Establish and set sensible defaults for ceilometer data retention period 1489360 - CVE-2017-12155 openstack-tripleo-heat-templates: Ceph client keyring is world-readable when deployed by director 1503896 - [RFE] - Dell-EMC VMAX storage integration with Director 1514532 - Ceilometer event dispatcher misses `gnocchi' 1514842 - Keystone Admin API on external Network down after upgrading to OSP10z6 1517302 - openstack-nova-migration is potentially missing after a minor update 1533602 - Backport: Fix the dellemc vmax to use the correct hiera name 1534540 - [Back-Port request to OSP10] aodh-base.yaml uses hard coded regionOne 1538753 - (OSP10 backport) Deployment templates for unsupported components causing some confusion 1541528 - Changing firewall rules with Director saves copy of all rules into /etc/sysconfig/iptables as part of a stack update with `openstack overcloud deploy` 1543883 - [UPGRADE] Upgrade from 9->10 failed: update_os_net_config: command not found 1544211 - iptables is dropping rules on package update 1544802 - Deployment fails with ERROR: Failed to validate: Failed to validate: resources[0]: The Resource Type (OS::TripleO::SwiftStorage::Ports::ManagementPort) could not be found.", 1545666 - validation-scripts/all-nodes.sh wait time verification 1547091 - rhel-registration broken with: Failed to validate: resources.NodeExtraConfig: "conditions" is not a valid keyword inside a resource definition' 1547957 - Undercloud / Overcloud Heat stack fails on: YAQL list index out of range (includes upgrades cases) 1551182 - CVE-2018-1000115 memcached: UDP server support allows spoofed traffic amplification DoS 1552980 - Errors with heat templates used to deploy Dell EMC SC and PS Cinder backends 1559093 - ceilometer event-list empty with event_dispatchers=gnocchi 1568596 - Rebase openstack-tripleo-heat-templates to f452e67 1568601 - Rebase puppet-tripleo to a2b2df9 1571840 - Attempting to use iptables with ipv6 address/prefix 1576577 - Attempting to Deploy RHOSP-10 with NetApp Driver Causes Failure in Overcloud Deploy 6. Package List: Red Hat OpenStack Platform 10.0: Source: openstack-tripleo-heat-templates-5.3.10-1.el7ost.src.rpm puppet-tripleo-5.6.8-6.el7ost.src.rpm noarch: openstack-tripleo-heat-templates-5.3.10-1.el7ost.noarch.rpm puppet-tripleo-5.6.8-6.el7ost.noarch.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/ 7. References: https://access.redhat.com/security/cve/CVE-2017-12155 https://access.redhat.com/security/cve/CVE-2018-1000115 https://access.redhat.com/security/updates/classification/#moderate 8. Contact: The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/ Copyright 2018 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIVAwUBWv2ilNzjgjWX9erEAQhsow//VyQR5IsSkQofZLB0+kqpYTsblr8rSKFa 9Eayc1LTO8xUtwyvTRkT96tgI2pmTxfPva3KZM4gm0GsyQfAAfSmtxRBkQGt4MDl tkR7bFjlxtdZZz6n4tOleHqYLPmZSGmn6ROCE9cLH13lmrGzCeCclWCCnQdbf4Mc HE1Qg0Y2pA7jp/S2M4J76LqGc944pnH5IX7MDzLR++IuI8tHS5cltMjY6eI3nJoM IFqvUo9VIQh3XMYI9NFgNLLJso2s4li4CfqhsYgzGP0h1gNMFnfsQ528l+oMlkhJ C4iy0JSSTwnJEHTGObgLOFJupVWxu7Wvq7nYe2qGIbZNudhE6XESGLtRjbvup9H3 aj5KtESmTGMUn7Mzsn5KLL5RVLuHkzaAm5i3LjcIyd9bkOiVKHCSmuFhDGfhb5a0 EJFBIDtoegWoRalUnYITwiHCq1eb+86311pc4sV+LO3kM9jXa0U3iA7WafVAzTdd lH4tZyYl1NbUahm2kKxBOYBF7Qmz8Y26sHrN+B9wRxtDTRYVCrKXFpKS4qzX45n+ MNfI+by0Lybflhy7H7g63pxpKgBpMjVT2kVzMPLX9ToizQ7R8G91FRacoW0MsrOO BTzbF//U/TwWo/ImbuRRMlOOZX01l/bvUKvqRXeju0IqMgPbaKiX/xrbqfoZY+FI N8eFl5BeXk4= =jJ2L -----END PGP SIGNATURE----- -- RHSA-announce mailing list RHSA-announce@redhat.com https://www.redhat.com/mailman/listinfo/rhsa-announce