Security Advisory Important: Red Hat OpenStack Platform director security update

Advisory: RHSA-2017:1242-1
Type: Security Advisory
Severity: Important
Issued on: 2017-05-17
Last updated on: 2017-05-17
Affected Products: Red Hat OpenStack 10.0 for RHEL 7
CVEs (cve.mitre.org): CVE-2017-2637

Details

An update is now available for Red Hat OpenStack Platform 10.0 (Newton).

Red Hat Product Security has rated this update as having a security impact of
Important. A Common Vulnerability Scoring System (CVSS) base score, which gives
a detailed severity rating, is available for each vulnerability from the CVE
link(s) in the References section.

Red Hat OpenStack Platform director provides the facilities for deploying and
monitoring a private or public infrastructure-as-a-service (IaaS) cloud based on
Red Hat OpenStack Platform.

Security Fix(es):

* A design flaw issue was found in the Red Hat OpenStack Platform director use
of TripleO to enable libvirtd based live-migration. Libvirtd is deployed by
default (by director) listening on 0.0.0.0 (all interfaces) with
no-authentication or encryption. Anyone able to make a TCP connection to any
compute host IP address, including 127.0.0.1, other loopback interface
addresses, or in some cases possibly addresses that have been exposed beyond the
management interface, could use this to open a virsh session to the libvirtd
instance and gain control of virtual machine instances or possibly take over the
host. (CVE-2017-2637)

A KCS article with more information on this flaw is available at:
https://access.redhat.com/solutions/3022771

This issue was discovered by David Gurtner (Red Hat).


Solution

For details on how to apply this update, which includes the changes described in
this advisory, refer to:

https://access.redhat.com/articles/11258

Updated packages

Red Hat OpenStack 10.0 for RHEL 7

SRPMS:
openstack-nova-14.0.3-9.el7ost.src.rpm
File outdated by:  RHSA-2017:1595
    MD5: 1da4e877c57207b6252db11842fe2442
SHA-256: d17d6eb67bf8b6c3c3cc6412c3aa9a512ffc5848e2f4d2829f05fce08904cc6c
openstack-tripleo-common-5.4.1-6.el7ost.src.rpm
File outdated by:  RHBA-2017:1585
    MD5: 0a0a14f369b5627014b11c08db214dd1
SHA-256: 29d5ad3af7edf144eb940f7569a9c6bab029bc5a7ca0cfb2ed86246ea982474e
openstack-tripleo-heat-templates-5.2.0-15.el7ost.src.rpm
File outdated by:  RHBA-2017:1748
    MD5: c407e862fce19a0d99d5d95ea6efb5ca
SHA-256: 8092c5fbd06d3d7170103ff8784738daceeb8e434fd2a3bcaaa7be700eb4fcad
openstack-tripleo-puppet-elements-5.2.0-3.el7ost.src.rpm
File outdated by:  RHBA-2017:1585
    MD5: 6ea67ac18bbf75776cdff4a072bf4b63
SHA-256: 3968c3428a87b3f6b9b1c07ef3693b44618dfbd95c41696689f63f6eb9bf0507
puppet-nova-9.5.0-4.el7ost.src.rpm
File outdated by:  RHBA-2017:1585
    MD5: 2bbf6da60999094f8718bd7ee62b2127
SHA-256: ee1e0a41f3f9ae5f63c452ac22ab317556a7fc3a4aae6f0b95940e57a19d1183
puppet-tripleo-5.5.0-12.el7ost.src.rpm
File outdated by:  RHBA-2017:1585
    MD5: 6ce7f5cae98712f164fe7f1671ccf0dd
SHA-256: 5a36f203f05c37a213fd8548bc636821471520883a183d16baf87d957c5bdcd2
 
x86_64:
openstack-nova-14.0.3-9.el7ost.noarch.rpm
File outdated by:  RHSA-2017:1595
    MD5: 34255bc94051646424318bbd5514a250
SHA-256: ab5850c41840956964dcc762024cfcf2891015c9edefe5098bd59856765511d5
openstack-nova-api-14.0.3-9.el7ost.noarch.rpm
File outdated by:  RHSA-2017:1595
    MD5: 34f9ba393eb33ab22b3f9554674b15e0
SHA-256: dedaad259c71f2b7ff9e654b17bf28df89a929ac1acdecfe80eb0618387f6631
openstack-nova-cells-14.0.3-9.el7ost.noarch.rpm
File outdated by:  RHSA-2017:1595
    MD5: 801a1f02c3206969af52133618ba85b3
SHA-256: f16d66d2dac33a10c0080aaef0ba52b67479c39c39ff68a5ffad60647cf41ea5
openstack-nova-cert-14.0.3-9.el7ost.noarch.rpm
File outdated by:  RHSA-2017:1595
    MD5: fa47ad99cfd46d5110516a8c68c05fa8
SHA-256: 60351be121b3eb97005726d179c0f6e2a93fd34e8a007b5e08aa0b01cb4163b7
openstack-nova-common-14.0.3-9.el7ost.noarch.rpm
File outdated by:  RHSA-2017:1595
    MD5: 5e407690bd2286ed9ca7a49531c5b6d9
SHA-256: 21bfc4edf193f02707b54016c3b0891c7540eece9bc622b1c856cef93043a2e1
openstack-nova-compute-14.0.3-9.el7ost.noarch.rpm
File outdated by:  RHSA-2017:1595
    MD5: 6e2aedb4573eefcc75b1c43f7f295a42
SHA-256: 2cee3e5d21b5f93875fcb89f718380cdd3c05e004376f1aad69840a6fec76e03
openstack-nova-conductor-14.0.3-9.el7ost.noarch.rpm
File outdated by:  RHSA-2017:1595
    MD5: be0cc58cc676b45ffc509c228c47575b
SHA-256: 1a5169f2877832f3385ecabf15c582fa373659fb70bbbdcb307095a331604d43
openstack-nova-console-14.0.3-9.el7ost.noarch.rpm
File outdated by:  RHSA-2017:1595
    MD5: 930e2e19c243cf88748b2c92431f8f04
SHA-256: f3228bc17daba149e2cb6e76f61721b7be2202b8238f7c432f3d4622f6f2b982
openstack-nova-migration-14.0.3-9.el7ost.noarch.rpm
File outdated by:  RHSA-2017:1595
    MD5: 2e74516866e0d60b628faf12dfa4b213
SHA-256: 77a67682b8b129017a999a99f90549c3eee67e9319f38b92f9fa44a53347d676
openstack-nova-network-14.0.3-9.el7ost.noarch.rpm
File outdated by:  RHSA-2017:1595
    MD5: 5e1fe1d7d678e46f0eaa0b219c016fc9
SHA-256: cd6acd9dac1aaaf47ac2821c673652d4e7bcd9930cf03f5a936fe0ce70c98489
openstack-nova-novncproxy-14.0.3-9.el7ost.noarch.rpm
File outdated by:  RHSA-2017:1595
    MD5: 76afa1c5686f433b055d01b5ab252e29
SHA-256: 7f448f42e4e0b5a2a36eb78c879d56dd38a90fe2b1b978c617ecfd99165dcf95
openstack-nova-placement-api-14.0.3-9.el7ost.noarch.rpm
File outdated by:  RHSA-2017:1595
    MD5: b9fdeab4d683ceba1938be01aa616cc0
SHA-256: 0b2ed986fd13be7ad7956bab7b0d0a41901708b6357ba5c8944ea77af7782465
openstack-nova-scheduler-14.0.3-9.el7ost.noarch.rpm
File outdated by:  RHSA-2017:1595
    MD5: 9b1ad891e2e6d004abca0ebe9a5c29bf
SHA-256: 61f1cf9fbf0ad0fee9353c3c022a7d8637dd92e1e72e8e036d5c19d6051ee4ae
openstack-nova-serialproxy-14.0.3-9.el7ost.noarch.rpm
File outdated by:  RHSA-2017:1595
    MD5: ec51e6b099b2ab2c7a9c6653696b3b54
SHA-256: 6c7e82cf134d39ac450dc69ad4e527974c3aa7c7b94aa49d326f0291b2b5581a
openstack-nova-spicehtml5proxy-14.0.3-9.el7ost.noarch.rpm
File outdated by:  RHSA-2017:1595
    MD5: 556de4bf1abb230c9fa05bb2197d55cc
SHA-256: 15454659dc5aa0f991d5f7dbdcef9ea5fe80070af80031cbfa0dc664116b79bd
openstack-tripleo-common-5.4.1-6.el7ost.noarch.rpm
File outdated by:  RHBA-2017:1585
    MD5: 94d4e40bc065caec1a53e79f83602be0
SHA-256: 7c7b412ecd4771febc142e518de63a051107a3eb963b5286513a23b71adfbbaa
openstack-tripleo-heat-templates-5.2.0-15.el7ost.noarch.rpm
File outdated by:  RHBA-2017:1748
    MD5: 37666ef600e92bd6196d4ddea5d1d1b4
SHA-256: 0d2e2a4c7d47eb35e3ec9ca91481c79d50e45ff29060808f3c24277dbe9227c7
openstack-tripleo-puppet-elements-5.2.0-3.el7ost.noarch.rpm
File outdated by:  RHBA-2017:1585
    MD5: 66b7339c1dd5be569648fc1fca434ccf
SHA-256: 324c1c0c0a4bb3aa95292b723ff15c712ff73c6e801b4e1107859b1f8f44a18f
puppet-nova-9.5.0-4.el7ost.noarch.rpm
File outdated by:  RHBA-2017:1585
    MD5: 721624a62735af9c0d03e6c132310ed4
SHA-256: 2c5c4819f94ab564d1e1b511daaec89b74639b8413609dcf2a74e1404554b055
puppet-tripleo-5.5.0-12.el7ost.noarch.rpm
File outdated by:  RHBA-2017:1585
    MD5: 35f716656f41b80daaae33aaa6511f04
SHA-256: 0284ca8fe90acbbd81f2a9a6b86aabeca35abde5443e408e7071c8eff3846b90
python-nova-14.0.3-9.el7ost.noarch.rpm
File outdated by:  RHSA-2017:1595
    MD5: 8ecd51a0f726cc9ea9cfc68775878984
SHA-256: f9a29495944c7f4a797ff67a9493bd9de682e1e95529ac5b847f651311ad88ec
python-nova-tests-14.0.3-9.el7ost.noarch.rpm
File outdated by:  RHSA-2017:1595
    MD5: 9b5f1f22a7e62a96fd4c42faa85e95d9
SHA-256: bb15bc2a1b42657139e9368842c252eded23763fe4c5e18afb806eddfc43c433
 
(The unlinked packages above are only available from the Red Hat Network)

Bugs fixed (see bugzilla for more information)

1416228 - rhosp-director: Failed to minor update overcloud - fails before running yum update.
1428017 - Package update fails in the compute node
1428240 - CVE-2017-2637 rhosp-director:libvirtd is deployed with no authentication
1437016 - tripleo client stuck in IN_PROGRESS in overcloud update run
1441982 - [UPDATES] Update of mod_ssl package prevents haproxy from starting
1448062 - Unable to log in via SSH to compute nodes with the heat-admin user


References



These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from:
https://www.redhat.com/security/team/key/#package

The Red Hat security contact is secalert@redhat.com. More contact details at http://www.redhat.com/security/team/contact/