Red Hat Security Advisory 2015-1862-01 - Red Hat Enterprise Linux OpenStack Platform director provides the facilities for deploying and monitoring a private or public infrastructure-as-a-service cloud based on Red Hat Enterprise Linux OpenStack Platform. A flaw was discovered in the pipeline ordering of OpenStack Object Storage's staticweb middleware in the swiftproxy configuration generated from the openstack-tripleo-heat-templates package. The staticweb middleware was incorrectly configured before the Identity Service, and under some conditions an attacker could use this flaw to gain unauthenticated access to private data.
5ea40faeb29a51d07126fa754ad6aa9ce63c8cee88b0b54a3e88de07ebad322f
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
=====================================================================
Red Hat Security Advisory
Synopsis: Moderate: Red Hat Enterprise Linux OpenStack Platform 7 director update
Advisory ID: RHSA-2015:1862-01
Product: Red Hat Enterprise Linux OpenStack Platform
Advisory URL: https://access.redhat.com/errata/RHSA-2015:1862
Issue date: 2015-10-08
CVE Names: CVE-2015-5271
=====================================================================
1. Summary:
Updated packages that fix one security issue, several bugs, and add various
enhancements are now available for Red Hat Enterprise Linux OpenStack
Platform 7.0 director for Red Hat Enterprise Linux 7.
Red Hat Product Security has rated this update as having Moderate security
impact. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available from the CVE link in the
References section.
2. Relevant releases/architectures:
Openstack 7.0 director for RHEL 7 - noarch
3. Description:
Red Hat Enterprise Linux OpenStack Platform director provides the
facilities for deploying and monitoring a private or public
infrastructure-as-a-service (IaaS) cloud based on Red Hat Enterprise Linux
OpenStack Platform.
A flaw was discovered in the pipeline ordering of OpenStack Object
Storage's staticweb middleware in the swiftproxy configuration generated
from the openstack-tripleo-heat-templates package (OpenStack director).
The staticweb middleware was incorrectly configured before the Identity
Service, and under some conditions an attacker could use this flaw to gain
unauthenticated access to private data. (CVE-2015-5271)
This issue was discovered by Christian Schwede and Emilien Macchi of
Red Hat.
This update also fixes numerous bugs and adds various enhancements.
Space precludes documenting all of these changes in this advisory.
Users are directed to the Red Hat Enterprise Linux OpenStack Platform 7
Release Notes, linked to in the References section, for information on the
most significant of these changes.
All Red Hat Enterprise Linux OpenStack Platform 7.0 director users are
advised to upgrade to these updated packages, which correct these issues
and add these enhancements.
4. Solution:
Before applying this update, make sure all previously released errata
relevant to your system have been applied.
For details on how to apply this update, refer to:
https://access.redhat.com/articles/11258
5. Bugs fixed (https://bugzilla.redhat.com/):
1223022 - Ceilometer API port not allowed in firewall rules on undercloud
1226376 - Neutron API port not allowed in firewall rules on undercloud
1228862 - Can `openstack undercloud install` have a --force-clean option so an error doesn't require restarting?
1231777 - Its possible to scale up beyond the number of free nodes
1233949 - overcloud horizon apache config doesn't appear to use a network vip
1235320 - Unhelpful failure when incorrect parameters are given
1235325 - "openstack baremetal configure boot" should skip nodes that have maintenance=true
1236136 - All overcloud keystone endpoints get configured with the public IP when using network isolation
1236663 - No output for upload images command
1236707 - undercloud.conf.sample incorrectly states that heat db encryption key can be 8,16, or 32 chars
1237020 - undercloud GUI- Image field is mandatory when setting VM for deploy overcloud
1240260 - introspection timed out for 2 VM nodes
1241199 - openstack baremetal configure boot is not safe to run a second time
1241668 - 'openstack help overcloud deploy' : doesn't cover comments/explanation for all deployment --arguments
1243015 - Overcloud stack name hard-coded
1243032 - Hard-coded reference to instackenv.json
1243062 - On deployment failure, no reason is returned
1243121 - Neutron port quota fails larger overcloud deployments
1243472 - don't save UpdateIdentifier in tuskar when running package update
1243601 - Overcloud deploys default to qemu instead of kvm
1243829 - overcloud image upload creates duplicate images
1244001 - bulk introspection with active nodes fails
1244026 - [RFE] Overcloud nodes deployed by OSP-Director are using DHCP; can they be statically assigned instead?
1244032 - [RFE] Can OSP-Director deploy an HA overcloud which uses a hardware load balancer?
1244856 - openstack overcloud update stack overcloud requires an undocumented argument
1244864 - VXLAN should be default neutron network type
1245212 - rhel-osp-director: Running "ahc-match" on a setup with enabled SSL yields error: ironicclient.openstack.common.apiclient.exceptions.ConnectionRefused: Error communicating with https://[IP]:13385/ [Errno 1] _ssl.c:504: error:14090086:SSL routines:SSL
1245714 - set mem overcommit to 1:1
1246596 - Add support for network validation tests
1247015 - openstack undercloud install doesn't create rabbit user if you set custom passwords in undercloud.conf
1247722 - messages report Introspection for one of the nodes 'has timed out' while the command returns ' Discovery completed.'
1248172 - inspection: clean failed with pxe_ilo
1249640 - Installers need to configure tempest with deployment-specific values and export a partial tempest.conf
1250249 - After deploying, system load charts shown on the overview page are incorrect
1250250 - When deploying from UI we miss to add params based on scale logic
1251566 - Undercloud mariadb max_connection default is too low
1252054 - Default deployment through GUI doesn't create cinder v2 service and endpoint
1252219 - ovs bond on controller is not seeing dhcp packet
1252437 - [Discovery] Gathers wrong information about disks available
1252509 - rhel-osp-director: Fail to "openstack overcloud update stack": "ERROR: openstack unexpected end of regular expression"
1252553 - rhel-osp-director: UI: Limited selection for public interface under service configuration.
1253465 - [RFE] Allow for customization of the Ceph pools name and client username
1253628 - external ceph patches break tuskar based deploys
1253777 - HA overcloud deployment argument for NTP server should not be optional
1254897 - Not configuring neutron mechanism drivers in any puppet based deploys
1255910 - overcloud node delete of one compute node removed all of them
1255931 - rhel-osp-director: rhel-osp-director: unable to delete a heat stack deployed with "--rhel-reg --reg-method portal --reg-org <rel-org> --reg-activation-key '<key>'", following a failed attempt to update it with "openstack overcloud update stack --templates
1256477 - ironic ipmitool intermittently timing out causing API requests to process slowly
1257414 - [HA] critical resource constraints missing from pacemaker config make things go kaboom
1257642 - yum hanged infinitely on nova-compute cleanup when do an update
1259393 - [RFE] Add support to register and deploy nodes with fake_pxe
1259905 - Integrate yum updates of overcloud with Puppet
1260736 - missing module python-ironic-inspector-client
1260991 - Running the same deploy command twice results with :"Deployment failed: Not enough nodes - available: 2, requested: 5"
1261045 - Big Switch ML2 networking plugin configuration
1261048 - controllerExtraConfig support
1261067 - Keystone notifications support
1261697 - CVE-2015-5271 openstack-tripleo-heat-templates: unsafe pipeline ordering of swift staticweb middleware
1261921 - updating overcloud stack packages doesn't stop cluster and will cause it to be down
1262059 - Include the bigswitch networking packages in the image by default
1262454 - os-cloud-config: with fake_pxe pm_type in instackenv.json and thus no pm_addr entry, "openstack baremetal import --json instackenv.json" exits with: ERROR: openstack 'pm_addr'
1262995 - osp-d deployment fails on network validation scripts when network-isolation is not enabled.
1265010 - Heat environment is overwritten on overcloud updates
1265777 - No DNS servers set on the overcloud nodes
1266082 - RHEL unregistration doesn't work when scaling down
1266253 - [Director] increase mariadb max_connection default value
1266327 - yum_update.sh fails due to incomplete --excludes list
1266911 - CLI should not force --neutron-tunnel-types if --neutron-disable-tunneling is specified
1267883 - Unable to control the file_descriptors limit for rabbitmq-server via the director.
6. Package List:
Openstack 7.0 director for RHEL 7:
Source:
ahc-tools-0.1.1-6.el7ost.src.rpm
instack-undercloud-2.1.2-29.el7ost.src.rpm
openstack-ironic-discoverd-1.1.0-6.el7ost.src.rpm
openstack-tripleo-common-0.0.1.dev6-3.git49b57eb.el7ost.src.rpm
openstack-tripleo-heat-templates-0.8.6-71.el7ost.src.rpm
openstack-tripleo-image-elements-0.9.6-10.el7ost.src.rpm
openstack-tripleo-puppet-elements-0.0.1-5.el7ost.src.rpm
openstack-tuskar-0.4.18-4.el7ost.src.rpm
openstack-tuskar-ui-0.4.0-3.el7ost.src.rpm
os-cloud-config-0.2.8-7.el7ost.src.rpm
os-net-config-0.1.4-4.el7ost.src.rpm
python-hardware-0.14-7.el7ost.src.rpm
python-proliantutils-2.1.0-4.el7ost.src.rpm
python-rdomanager-oscplugin-0.0.10-8.el7ost.src.rpm
noarch:
ahc-tools-0.1.1-6.el7ost.noarch.rpm
instack-undercloud-2.1.2-29.el7ost.noarch.rpm
openstack-ironic-discoverd-1.1.0-6.el7ost.noarch.rpm
openstack-ironic-discoverd-ramdisk-1.1.0-6.el7ost.noarch.rpm
openstack-tripleo-common-0.0.1.dev6-3.git49b57eb.el7ost.noarch.rpm
openstack-tripleo-heat-templates-0.8.6-71.el7ost.noarch.rpm
openstack-tripleo-image-elements-0.9.6-10.el7ost.noarch.rpm
openstack-tripleo-puppet-elements-0.0.1-5.el7ost.noarch.rpm
openstack-tuskar-0.4.18-4.el7ost.noarch.rpm
openstack-tuskar-ui-0.4.0-3.el7ost.noarch.rpm
os-cloud-config-0.2.8-7.el7ost.noarch.rpm
os-net-config-0.1.4-4.el7ost.noarch.rpm
python-hardware-0.14-7.el7ost.noarch.rpm
python-hardware-doc-0.14-7.el7ost.noarch.rpm
python-ironic-discoverd-1.1.0-6.el7ost.noarch.rpm
python-proliantutils-2.1.0-4.el7ost.noarch.rpm
python-rdomanager-oscplugin-0.0.10-8.el7ost.noarch.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/
7. References:
https://access.redhat.com/security/cve/CVE-2015-5271
https://access.redhat.com/security/updates/classification/#moderate
https://access.redhat.com/documentation/en/red-hat-enterprise-linux-openstack-platform/version-7/release-notes
8. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2015 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iD8DBQFWFsrHXlSAg2UNWIIRAtL2AKCk53FbRIBVvzO+Et6D8mDqXBAt0gCeOa8f
VQYax8tsROCKDKloTgxlz2k=
=otBI
-----END PGP SIGNATURE-----
--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce