Security Advisory Moderate: openstack-nova security and bug fix update

Advisory: RHSA-2014:0231-1
Type: Security Advisory
Severity: Moderate
Issued on: 2014-03-04
Last updated on: 2014-03-04
Affected Products: Red Hat OpenStack 4.0
CVEs (cve.mitre.org): CVE-2013-6419
CVE-2013-6437
CVE-2013-7048
CVE-2013-7130

Details

Updated openstack-nova packages that fix multiple security issues and
several bugs are now available for Red Hat Enterprise Linux OpenStack
Platform 4.0.

The Red Hat Security Response Team has rated this update as having Moderate
security impact. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available from the CVE link in
the References section.

OpenStack Compute (nova) launches and schedules large networks of virtual
machines, creating a redundant and scalable cloud computing platform.
Compute provides the software, control panels, and APIs required to
orchestrate a cloud, including running virtual machine instances, managing
networks, and controlling access through users and projects.

It was discovered that the metadata agent in OpenStack Networking was
missing an authorization check on the device ID that is bound to a specific
port. A remote tenant could guess the instance ID bound to a port and
retrieve metadata of another tenant, resulting in information disclosure.
Note that only OpenStack Networking setups running neutron-metadata-agent
were affected. (CVE-2013-6419)

It was found that nova used directories that were writable to by all local
users to temporarily store live snapshots. A local attacker with access to
such a directory could use this flaw to read and modify the contents of
live snapshots. (CVE-2013-7048)

A flaw was found in the way the libvirt driver handled short-lived disk
back-up files on Compute nodes. An authenticated attacker could use this
flaw to create a large number of such files, exhausting all available space
on Compute node disks, and potentially causing a denial of service.
Note that only Compute setups using the libvirt driver were affected.
(CVE-2013-6437)

It was discovered that the libvirt driver did not properly handle live
migration of virtual machines. An authenticated attacker could use this
flaw to gain access to a snapshot of a migrated virtual machine. Note that
only setups using KVM live block migration were affected. (CVE-2013-7130)

Red Hat would like to thank the OpenStack Project for reporting
CVE-2013-6419, CVE-2013-6437, and CVE-2013-7130. Upstream acknowledges
Aaron Rosen of VMware as the original reporter of CVE-2013-6419, Phil Day
from HP as the original reporter of CVE-2013-6437, and Loganathan Parthipan
as the original reporter of CVE-2013-7130.

These updated openstack-nova packages have been upgraded to upstream
version 2013.2.2, which provides a number of bug fixes over the previous
version. (BZ#1065317)

Bug fixes:

* The GlusterFS volume connector in nova did not pass a port to libvirt for
the GlusterFS disk specification. Attaching a volume failed with a libvirt
error indicating the port field was missing. This update fixes this bug by
providing the default Gluster port in nova. (BZ#1020979)

* The database back end did not handle the 2013 MySQL error code (Lost
connection). The 2013 MySQL error code has been added to the collection of
known database error codes. (BZ#1060771)

* OpenStack Compute set the smbios product/vendor information to OpenStack
values, which Red Hat Satellite 5 did not recognize when processing
entitlements. (BZ#1059414)

* Prior to this update, nova-api did not pass the absolute path of the
configuration file to the api-paste library if a file with the same name
was found in the current directory. (BZ#1039554)

* The definition of the libvirt_info method in the RBD back-end class was
missing a positional argument that the base class defined. (BZ#1063445)

* Rebooting a host caused all of its instances to stop and change to the
SHUTDOWN power state. The unpause action was only allowed on instances with
the PAUSED power state. (BZ#1047863)

* The previous default of writing zeros over deleted volumes took a
significant amount of time. It is now possible to set a global
configuration setting to clear only a part of a volume, or to disable
clearing completely. Additionally, a new 'shred' capability is available to
overwrite volumes with random data instead of zeros. (BZ#1062377)

* In OpenStack Compute, low-level QPID debug log messages are no longer
shown by default. These previously appeared due to the 'level=debug'
parameter set in the nova.conf file. (BZ#1047849)

All openstack-nova users are advised to upgrade to these updated packages,
which correct these issues.


Solution

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to
use the Red Hat Network to apply this update are available at
https://access.redhat.com/site/articles/11258

Updated packages

Red Hat OpenStack 4.0

x86_64:
openstack-nova-2013.2.2-2.el6ost.noarch.rpm
File outdated by:  RHBA-2015:0885
    MD5: c43066dbef9ff17b5cbf6013dd16a6c7
SHA-256: 690f8c0d92d9bb342aa84dfbcda3700a3e0f762d4616bece2dcecac01428479f
openstack-nova-api-2013.2.2-2.el6ost.noarch.rpm
File outdated by:  RHBA-2015:0885
    MD5: e8df097dd45797655e1fcd31eb121b5d
SHA-256: aca7fec4884d42eadf60b3c5f107ba97724e7e82851683ad12a3b03cce5cfcb5
openstack-nova-cells-2013.2.2-2.el6ost.noarch.rpm
File outdated by:  RHBA-2015:0885
    MD5: b674fb5ed3eb1f4814cf05672850c57a
SHA-256: 3f2eb80ca0cb71678da4fa26ca88babbd65cef15ac039cfe6c9ac4130e77d044
openstack-nova-cert-2013.2.2-2.el6ost.noarch.rpm
File outdated by:  RHBA-2015:0885
    MD5: 355887910766a44365fd719199e23da1
SHA-256: d8f923ec72cfdd252fdab16aefff44d34198526adbe8641faf82cdeb66a73c6d
openstack-nova-common-2013.2.2-2.el6ost.noarch.rpm
File outdated by:  RHBA-2015:0885
    MD5: d89e5d36db487896ff63a596da0a22aa
SHA-256: 2f8e9ce5999be8fc1ed74af43642447c64340f07185779b0b4d73729b36fcb97
openstack-nova-compute-2013.2.2-2.el6ost.noarch.rpm
File outdated by:  RHBA-2015:0885
    MD5: e82c707f12ac5a9f4fcbe190fcf3867d
SHA-256: 324504d6e079c57e52b8bea84aaece396594aae9fefe5a85150c2038a352ad8c
openstack-nova-conductor-2013.2.2-2.el6ost.noarch.rpm
File outdated by:  RHBA-2015:0885
    MD5: d77607d4be77aa853c69ed15e0ef01b1
SHA-256: 4eb40568d35cbf326fea515373f884c882c2b8e9fc84a0ad870d9566880e5c41
openstack-nova-console-2013.2.2-2.el6ost.noarch.rpm
File outdated by:  RHBA-2015:0885
    MD5: c9f76b6c662285c860215bb01999bfee
SHA-256: 59b38f44049ecd71e5e5fca80b0ca3f300ab10545a11925b6bbb52230374df3e
openstack-nova-doc-2013.2.2-2.el6ost.noarch.rpm
File outdated by:  RHBA-2015:0885
    MD5: 3cd13846578176a5f4c5197f9c50fe57
SHA-256: 71328e940567dda909bb97478dcaf54743171d214e3f4eadec30c311ad9c309a
openstack-nova-network-2013.2.2-2.el6ost.noarch.rpm
File outdated by:  RHBA-2015:0885
    MD5: 6ed4e485fc453f8719be8683792fc5b1
SHA-256: 76549a38892f35530e913eb0d242e0fc334005cb4f5f2affe3a62d2ec2666264
openstack-nova-novncproxy-2013.2.2-2.el6ost.noarch.rpm
File outdated by:  RHBA-2015:0885
    MD5: 1602c8157ec54e39809b489864270ba6
SHA-256: 22d6942f05e2b8da4755850baedeb2eda260f8356a2472fa712ffdf9f02b1061
openstack-nova-objectstore-2013.2.2-2.el6ost.noarch.rpm
File outdated by:  RHBA-2015:0885
    MD5: 523f10c4857d640c4d9427008fb1e88f
SHA-256: 506d0e912c70fc5594c3243b84c50bd91e770c47bf89c5b1fc0caa8eb1e540ad
openstack-nova-scheduler-2013.2.2-2.el6ost.noarch.rpm
File outdated by:  RHBA-2015:0885
    MD5: 351b89e5161cde12b4d65fce1bdf3fb3
SHA-256: 41c19d67b4ed795e1c45a4070aa0777b14c2c16c6d470fa60e23d3ed67fd1754
python-nova-2013.2.2-2.el6ost.noarch.rpm
File outdated by:  RHBA-2015:0885
    MD5: abcabd28ad19752df9651cd9e5328f3d
SHA-256: 22e1b7d3569db21b625d8688dbfac470e331780639fdeb86470212a40e6d492b
 
(The unlinked packages above are only available from the Red Hat Network)

Bugs fixed (see bugzilla for more information)

1020979 - After configuring cinder for libgfapi, volumes create but do not attach
1039148 - CVE-2013-6419 OpenStack Neutron and Nova: Metadata queries from Neutron to Nova are not restricted by tenant
1039554 - Cannot resolve relative uri 'config:api-paste.ini'; no relative_to keyword argument given
1040786 - CVE-2013-7048 Openstack Nova: insecure directory permissions in snapshots
1043106 - CVE-2013-6437 openstack-nova: DoS through ephemeral disk backing files
1047849 - openstack-nova: remove qpid logs from the compute logs
1047863 - Openstack-Nova: Unpause instance after host reboot fails
1055400 - CVE-2013-7130 OpenStack nova: Live migration can leak root disk into ephemeral storage
1060771 - nova does not read sql db config option
1062377 - RFE: configurable volume clearing options for nova
1065317 - Rebase openstack-nova to 2013.2.2


References



These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from:
https://www.redhat.com/security/team/key/#package

The Red Hat security contact is secalert@redhat.com. More contact details at http://www.redhat.com/security/team/contact/