Security Advisory (Moderate): openstack-swift security update

Advisory: RHSA-2014:0232-1
Type: Security Advisory
Severity: Moderate
Issued on: 2014-03-04
Last updated on: 2014-03-04
Affected Products: Red Hat OpenStack 4.0
CVEs (cve.mitre.org): CVE-2014-0006

Details

Updated openstack-swift packages that fix one security issue are now
available for Red Hat Enterprise Linux OpenStack Platform 4.0.

The Red Hat Security Response Team has rated this update as having Moderate
security impact. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available from the CVE link in
the References section.

OpenStack Object Storage (swift) provides object storage in virtual
containers, which allows users to store and retrieve files (arbitrary
data). The service's distributed architecture supports horizontal scaling;
redundancy as failure-proofing is provided through software-based data
replication. Because Object Storage supports asynchronous eventual
consistency replication, it is well suited to multiple data-center
deployment.

A timing attack flaw was found in the way the swift TempURL middleware
responded to arbitrary TempURL requests. An attacker with knowledge of an
object's name could use this flaw to obtain a secret URL to this object,
which was intended to be publicly shared only with specific recipients, if
the object had the TempURL key set. Note that only setups using the TempURL
middleware were affected. (CVE-2014-0006)
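The advisory does not spell out the mechanism, so the following is an added illustration (not code from the advisory, from Red Hat, or from Swift itself) that assumes the flaw class is a non-constant-time comparison of the TempURL signature: it builds the signature the way the TempURL scheme defines it (HMAC-SHA1 over method, expiry and path), shows the comparison done with plain equality beside a constant-time check as the mitigation, and validates the query parameters a signed URL carries. TEMPURL_KEY, OBJECT_PATH and the function names are constructed for the example.

```python
import hmac
import hashlib
import time

# Constructed sample values (not taken from the advisory): the TempURL key
# stored on the account/container, and the object path a signed URL covers.
TEMPURL_KEY = b"example-tempurl-key"
OBJECT_PATH = "/v1/AUTH_demo/container/object"


def tempurl_signature(key, method, expires, path):
    """TempURL signature as the scheme defines it: HMAC-SHA1 over
    "METHOD\\nEXPIRES\\nPATH", hex-encoded."""
    body = "%s\n%s\n%s" % (method, expires, path)
    return hmac.new(key, body.encode("utf-8"), hashlib.sha1).hexdigest()


def verify_vulnerable(key, method, expires, path, presented_sig):
    """Pre-fix pattern (assumed): plain equality. str == str stops at the
    first differing character, so how long the check takes reveals how
    many leading characters of presented_sig are already correct."""
    return tempurl_signature(key, method, expires, path) == presented_sig


def verify_fixed(key, method, expires, path, presented_sig):
    """Mitigation: a comparison whose running time does not depend on
    where the two values first differ. Both sides are encoded to bytes so
    a non-ASCII query value cannot make compare_digest raise."""
    expected = tempurl_signature(key, method, expires, path).encode("ascii")
    return hmac.compare_digest(expected, str(presented_sig).encode("utf-8"))


def check_request(key, method, path, query, now=None):
    """Validate the temp_url_sig / temp_url_expires query parameters of a
    request against the key. An expired or malformed expiry is rejected
    before the signature is examined, so the URL fails regardless of it."""
    now = int(time.time()) if now is None else now
    try:
        expires = int(query["temp_url_expires"])
    except (KeyError, ValueError):
        return False
    if expires <= now:
        return False
    sig = query.get("temp_url_sig", "")
    return verify_fixed(key, method, str(expires), path, sig)
```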

Red Hat would like to thank the Openstack Project for reporting this issue.
Upstream acknowledges Samuel Merritt of SwiftStack as the original
reporter.

All users of openstack-swift are advised to upgrade to these updated
packages, which correct this issue. After installing this update, the
OpenStack Object Storage services will be restarted automatically.


Solution

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to
use the Red Hat Network to apply this update are available at
https://access.redhat.com/site/articles/11258

Updated packages

Red Hat OpenStack 4.0

SRPMS:
openstack-swift-1.10.0-3.el6ost.src.rpm     MD5: c3b31b8801ea28ab443f58af27b1f0e4
SHA-256: 56131965e3f00d1d58cc3dac00888fdf63b369597f3b11856e64644d57b0f538
x86_64:
openstack-swift-1.10.0-3.el6ost.noarch.rpm     MD5: ed26dcd00fca1b07d564ee307451e5db
SHA-256: d0a2e3f87aee88066dde7fcb783b98d0b278a148dacd983830aa14546de0512e
openstack-swift-account-1.10.0-3.el6ost.noarch.rpm     MD5: 94a1a99986a727ad0f28824b3cddc7a6
SHA-256: ba50742aed2c0d2e37b31022b0a6894ce2de9d2a7a859067ad3c4b64d7362eb9
openstack-swift-container-1.10.0-3.el6ost.noarch.rpm     MD5: f553a4109f35f9577393dca6588ed8cc
SHA-256: 5e32cdc9173e289c82b7ef7350780c279ee43f9cddc631d6c5688527335e5d56
openstack-swift-doc-1.10.0-3.el6ost.noarch.rpm     MD5: 125392ca8b55cf89a716b34d93a506d3
SHA-256: a14485cba32d3913e886ac1b25e60c750db0ff0b602b7a30a817b736367b267e
openstack-swift-object-1.10.0-3.el6ost.noarch.rpm     MD5: 4fbd4a00e37d40fb106f890a9c43febe
SHA-256: 379efcd0d3f3f907c5a73ebe16219b3cce8ed1861bd8940d49de42a8077c62c3
openstack-swift-proxy-1.10.0-3.el6ost.noarch.rpm     MD5: a2d8f68989749d769edc96ce04823bcf
SHA-256: 0836bdcea57485373713aa49c030fe4e8a4a1df8f9e06a32d40d7172161032cb
(The unlinked packages above are only available from the Red Hat Network)

Bugs fixed (see bugzilla for more information)

1051670 - CVE-2014-0006 Openstack Swift: TempURL timing attack


References



These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from:
https://www.redhat.com/security/team/key/#package

The Red Hat security contact is secalert@redhat.com. More contact details at http://www.redhat.com/security/team/contact/