Security Advisory Moderate: openstack-nova security and bug fix update

Advisory: RHSA-2014:0112-1
Type: Security Advisory
Severity: Moderate
Issued on: 2014-01-30
Last updated on: 2014-01-30
Affected Products: Red Hat OpenStack 3.0
CVEs ( CVE-2013-4463


Updated openstack-nova packages that fix two security issues and three bugs
are now available for Red Hat Enterprise Linux OpenStack Platform 3.0.

The Red Hat Security Response Team has rated this update as having moderate
security impact. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available from the CVE link in
the References section.

The openstack-nova packages provide OpenStack Compute (nova), which
provides services for provisioning, managing, and using virtual
machine instances.

It was discovered that enabling "qpid_protocol = ssl" in the nova.conf file
did not result in nova using SSL to communicate to Qpid. If Qpid was not
configured to enforce SSL this could lead to sensitive information being
sent unencrypted over the communication channel. (CVE-2013-6491)

A flaw was found in the way OpenStack Compute controlled the size of disk
images. An authenticated remote user could use malicious compressed qcow2
disk images to consume large amounts of disk space, potentially causing a
denial of service on the OpenStack Compute nodes. (CVE-2013-4463)

Red Hat would like to thank the OpenStack project for reporting
CVE-2013-4463. Upstream acknowledges Bernhard M. Wiedemann of SuSE as the
original reporter of this issue.

This update also fixes the following bugs:

* When using GroupAntiAffinityFilter, the scheduler was not filtering
instances in the group, which could cause an instance to not be scheduled
at all if a group was specified on boot. With this fix, groups are taken
into account and the instance is scheduled as expected. (BZ#1014948)

* If an exchange had not been created previously by a consumer, the
publisher would crash because it could not find the specified exchange.
This resulted from Qpid's direct publisher using the wrong exchange type
'Direct'. With this fix, the exchange type in the publisher has been
changed to 'direct'. (BZ#1042055)

* Unhandled errors in the Qpid consuming thread could kill it silently and
isolate the component from the rest of the system. To fix this, the
consuming thread has been made more resilient to errors by ensuring it does
not die on an unhandled error. Compute now logs the error and retries the
consuming thread. (BZ#1050213)

All openstack-nova users are advised to upgrade to these updated packages,
which contain backported patches to correct these issues.


Before applying this update, make sure all previously released errata
relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to
use the Red Hat Network to apply this update are available at

Updated packages

Red Hat OpenStack 3.0

File outdated by:  RHSA-2014:0366
    MD5: a6afd06a0f6573b42d839c3fdc72b5e1
SHA-256: 7acc731375b948950988dcbefff0d3960f18c26211e05fa7870bee38aed0ec75
File outdated by:  RHSA-2014:0366
    MD5: dc51229d262dcb7653b45e57b22a55f2
SHA-256: 1b1ddcae40ff65035fc26b70e8acf833883f73776e4ca02aba0be951c9c44b43
File outdated by:  RHSA-2014:0366
    MD5: 6d2d197e7ac11a74a292fc597d2747dd
SHA-256: 3660f4ab96717e53f3d6e5e5eb1c5e2a09fbcfb2c82c6cb0543806972dcad9be
File outdated by:  RHSA-2014:0366
    MD5: 2c0bcb4e14fd2b207647df4710e96d3e
SHA-256: 5afb283547db399b2576b860e345d8f21ab21ff3a694509b128632639c05c448
File outdated by:  RHSA-2014:0366
    MD5: a5028697bbde8bd78dfee933425306bf
SHA-256: 9cdb8bcd626e3ab44ac81df72c4d05c4618f1887a8829be2b920c530c64ced84
File outdated by:  RHSA-2014:0366
    MD5: a592f62efe4aec217e97bb19fc8f958f
SHA-256: 97ad6d0abecd4ef8504b4d0588083eb058d6eb2bf09ec971824864aee357b4d3
File outdated by:  RHSA-2014:0366
    MD5: b5e90df254c2b26d1e93d345ac9d484d
SHA-256: e0d57a9c9c809ec9a189b619f158149010cf8dca9cc0946315958ae34dd38f44
File outdated by:  RHSA-2014:0366
    MD5: 666c43041a62dd583f1e4791735155e3
SHA-256: fa402abb38ac3d98e92daca5d0514672c9f34a4595b63c319ecbcb4951c5deeb
File outdated by:  RHSA-2014:0366
    MD5: e908e1213a638704f0b96e6190d7005a
SHA-256: b502f5986ce052aa8e008c23dd5d3d89fa4c4876ef557737ab6fd876c3441fbe
File outdated by:  RHSA-2014:0366
    MD5: f6a389c1d49e9498853e23f2943a174e
SHA-256: 14ab71c3a0b13ecbedc339f58b63b9ebffacf09841c816f16f67f0ead8cf3ea3
File outdated by:  RHSA-2014:0366
    MD5: 79fa9d1a7f04ff93670e8fe85276aed3
SHA-256: a043fb84e95d28aa21373d6ce01c412eebaf7e899d7e65d2f431dfa79050425c
File outdated by:  RHSA-2014:0366
    MD5: 6c518a93004bcfcd24310894e81ad5f2
SHA-256: 36fe20d1dad3bf47c46a356eff142b5575cac314749caeaf3d805f82032b0d5b
File outdated by:  RHSA-2014:0366
    MD5: e984eb0f89afa5e67ee27ed954483a1c
SHA-256: 428deba1ea55fb5dc221ad1658b254fd77495595becfc115b97ecc796da490b7
File outdated by:  RHSA-2014:0366
    MD5: f7ffb2faddd311b337016addfacaa3e7
SHA-256: 2cc05d4b1c2cd00eef1f889fe625965c9f9fd6344a997897328c3bbf9c7e8a21
(The unlinked packages above are only available from the Red Hat Network)

Bugs fixed (see bugzilla for more information)

1014948 - GroupAntiAffinityFilter filters are broken
1023239 - CVE-2013-4463 OpenStack Nova: Compressed disk image DoS
1044562 - booting an instance with swap or ephemeral secondary disks doesn't work
1050213 - Thread consuming qpid messages can die silently
1059504 - CVE-2013-6491 Openstack nova: qpid SSL configuration
996766 - CVE-2013-6491: Setting Qpid SSL protocol sets wrong variable [openstack-3]


These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from:

The Red Hat security contact is More contact details at