Security Advisory Moderate: openstack-heat security, bug fix, and enhancement update

Advisory: RHSA-2017:1243-1
Type: Security Advisory
Severity: Moderate
Issued on: 2017-05-17
Last updated on: 2017-05-17
Affected Products: Red Hat OpenStack 10.0 for RHEL 7
CVEs ( CVE-2017-2621


An update for openstack-heat is now available for Red Hat OpenStack Platform
10.0 (Newton).

Red Hat Product Security has rated this update as having a security impact of
Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a
detailed severity rating, is available for each vulnerability from the CVE
link(s) in the References section.

OpenStack Orchestration (heat) is a template-driven engine used to specify and
deploy configurations for Compute, Storage, and OpenStack Networking. The
service can be used to automate post-deployment actions, which in turn allows
automated provisioning of infrastructure, services, and applications.
Additionally, Orchestration can be integrated with Telemetry alarms to implement
auto-scaling for certain infrastructure resources.

The following packages have been upgraded to a later upstream version:
openstack-heat (7.0.2). (BZ#1431258)

Security Fix(es):

* An access-control flaw was found in the OpenStack Orchestration (heat) service
where a service log directory was improperly made world readable. A malicious
system user could exploit this flaw to access sensitive information.

Red Hat would like to thank Hans Feldt (Ericsson) for reporting this issue.


For details on how to apply this update, which includes the changes described in
this advisory, refer to:

Updated packages

Red Hat OpenStack 10.0 for RHEL 7

openstack-heat-7.0.2-4.el7ost.src.rpm     MD5: 828baffdb04c5b700f25fe8aed93a7f0
SHA-256: 7d6b3ce9f0fa4520e4c14a8babf7c27bcf9c8db922032b83353f856e160bdb34
openstack-heat-api-7.0.2-4.el7ost.noarch.rpm     MD5: 64494397c9f6ea02b0af7493b79ef6c7
SHA-256: 3c8ef817ffb1a9716a28d1af272fed760dd44744d4cdbd0d54cf47a65d33cbc7
openstack-heat-api-cfn-7.0.2-4.el7ost.noarch.rpm     MD5: 04eeff1d4cf15e6b67f4b558ead21544
SHA-256: 34b0db12aa2aebd98589d2186fed5f112e6764aa4b6b6f1dbda73495b5e577d7
openstack-heat-api-cloudwatch-7.0.2-4.el7ost.noarch.rpm     MD5: f1b29310b22ca3adae111a71c18414f4
SHA-256: 706dd89aaeaba8e530e148956c51f43beaa091a0f4c26d189c251f8d6d761dbc
openstack-heat-common-7.0.2-4.el7ost.noarch.rpm     MD5: 8da690fc2ae63520da90115d89f427ea
SHA-256: 6c908df5fb6f131498e6e04fe12d79fc342400c9c9e7db7cbf167b08bc24373f
openstack-heat-engine-7.0.2-4.el7ost.noarch.rpm     MD5: 291b9acec30868541f642fb75e935eec
SHA-256: 3e818b0888822a2c4e5b37152602610a7fff46ab85a7e0ab8b096c0d2fc50034
python-heat-tests-7.0.2-4.el7ost.noarch.rpm     MD5: 3876e8a9dc3898cdbdcc9d6fae578c1a
SHA-256: 7fa859c11afb62e2a391f866799052e2a0b5f75e47a9c474097db485ffb414de
(The unlinked packages above are only available from the Red Hat Network)

Bugs fixed (see bugzilla for more information)

1420990 - CVE-2017-2621 openstack-heat: /var/log/heat/ is world readable
1424578 - Heat doesn't inject personality files on rebuild
1424886 - Password written in clear text in heat-api.log with DEBUG mode [openstack-10]
1428632 - OpenStack Heat may fail to connect keystone admin API in multi-region environment
1428877 - [UPDATES] ERROR: The "pre-update" hook is not defined on SoftwareDeployment "UpdateDeployment"
1431258 - Rebase openstack-heat to stable/newton hash 6533b3d


These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from:

The Red Hat security contact is More contact details at