Jump to content
Compatible Support Forums
Sign in to follow this  
Followers 0
news

[RHSA-2017:0282-01] Moderate: openstack-cinder, openstack-glance, and openstack-nova security update

By news, in Upcoming News

Recommended Posts

news    28

news
Posted

-----BEGIN PGP SIGNED MESSAGE-----

Hash: SHA1

 

=====================================================================

Red Hat Security Advisory

 

Synopsis: Moderate: openstack-cinder, openstack-glance, and openstack-nova security update

Advisory ID: RHSA-2017:0282-01

Product: Red Hat Enterprise Linux OpenStack Platform

Advisory URL: https://rhn.redhat.com/errata/RHSA-2017-0282.html

Issue date: 2017-02-15

CVE Names: CVE-2015-5162

=====================================================================

 

1. Summary:

 

An update for openstack-nova, openstack-cinder, openstack-glance, and

python-oslo-concurrency is now available for Red Hat Enterprise Linux

OpenStack Platform 7.0 (Kilo) for RHEL 7.

 

Red Hat Product Security has rated this update as having a security impact

of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which

gives a detailed severity rating, is available for each vulnerability from

the CVE link(s) in the References section.

 

2. Relevant releases/architectures:

 

Red Hat Enterprise Linux OpenStack Platform 7.0 (Kilo) for RHEL 7 - noarch

 

3. Description:

 

The Oslo concurrency library has utilities for safely running multi-thread,

multi-process applications using locking mechanisms, and for running

external processes.

 

OpenStack Compute (nova) launches and schedules large networks of virtual

machines, creating a redundant and scalable cloud computing platform.

Compute provides the software, control panels, and APIs required to

orchestrate a cloud, including running virtual machine instances and

controlling access through users and projects.

 

OpenStack Image Service (glance) provides discovery, registration, and

delivery services for disk and server images. The service provides the

ability to copy or snapshot a server image, and immediately store it away.

Stored images can be used as a template to get new servers up and running

quickly and more consistently than installing a server operating system and

individually configuring additional services.

 

OpenStack Block Storage (cinder) manages block storage mounting and the

presentation of such mounted block storage to instances. The backend

physical storage can consist of local disks, or Fiber Channel, iSCSI, and

NFS mounts attached to Compute nodes. In addition, Block Storage supports

volume backups, and snapshots for temporary save and restore operations.

Programmatic management is available via Block Storage's API.

 

Security Fix(es):

 

* A resource vulnerability in the OpenStack Compute (nova), Block Storage

(cinder), and Image (glance) services was found in their use of qemu-img.

An unprivileged user could consume as much as 4 GB of RAM on the compute

host by uploading a malicious image. This flaw could lead possibly to host

out-of-memory errors and negatively affect other running tenant instances.

oslo.concurrency has been updated to support process limits ('prlimit'),

which is needed to fix this flaw. (CVE-2015-5162)

 

This issue was discovered by Richard W.M. Jones (Red Hat).

 

Bug Fix(es):

 

* qemu-img calls were unrestricted by ulimit. oslo.concurrency has been

updated to add support for process limits ('prlimit'), which is needed to

fix the CVE-2015-5162 security vulnerability. (BZ#1383415)

 

4. Solution:

 

For details on how to apply this update, which includes the changes

described in this advisory, refer to:

 

https://access.redhat.com/articles/11258

 

5. Bugs fixed (https://bugzilla.redhat.com/):

 

1268303 - CVE-2015-5162 openstack-nova/glance/cinder: Malicious image may exhaust resources

1316791 - Instance was deleted successfully without detaching its volume, if nova-compute was killed during running "nova delete"

1349005 - cinder volume backup throws UnicodeDecodeError: 'ascii' and access denied

1365899 - Missing dependency of python-oslo-log and python-oslo-policy in openstack-cinder

1370598 - multipathd segfault during volume attach

1378906 - nova-scheduler fails to start because of the too big nova database

1380289 - [backport] Block based migration doesn't work for instances that have a volume attached

1381533 - Multi-Ephemeral instance Live Block Migration fails silently

1383415 - [CVE-2015-5162] oslo.concurrency: Backport support for 'prlimit' parameter [OSP-7]

1386268 - NetApp Cinder driver: cloning operations are unsuccessful

1391970 - [tempest] test_delete_attached_volume fails in RHOS7

1394964 - Live migration with config-drive fails with InvalidSharedStorage error

1399760 - rbd snapshot delete fails if backend is missing file

1409820 - Creating Encrypted Volumes with Cinder(Ceph backend) gives false positive

1410046 - Multiple attempts made to delete iSCSI multipath path devices

1416884 - [7.0.z] nova creates an invalid ethernet/bridge interface definition in virsh xml

1420451 - revert Use stashed volume connector in _local_cleanup_bdm_volumes from openstack-nova-2015.1.4-28.el7ost

 

6. Package List:

 

Red Hat Enterprise Linux OpenStack Platform 7.0 (Kilo) for RHEL 7:

 

Source:

openstack-cinder-2015.1.3-12.el7ost.src.rpm

openstack-glance-2015.1.2-3.el7ost.src.rpm

openstack-nova-2015.1.4-32.el7ost.src.rpm

python-oslo-concurrency-1.8.2-2.el7ost.src.rpm

 

noarch:

openstack-cinder-2015.1.3-12.el7ost.noarch.rpm

openstack-cinder-doc-2015.1.3-12.el7ost.noarch.rpm

openstack-glance-2015.1.2-3.el7ost.noarch.rpm

openstack-glance-doc-2015.1.2-3.el7ost.noarch.rpm

openstack-nova-2015.1.4-32.el7ost.noarch.rpm

openstack-nova-api-2015.1.4-32.el7ost.noarch.rpm

openstack-nova-cells-2015.1.4-32.el7ost.noarch.rpm

openstack-nova-cert-2015.1.4-32.el7ost.noarch.rpm

openstack-nova-common-2015.1.4-32.el7ost.noarch.rpm

openstack-nova-compute-2015.1.4-32.el7ost.noarch.rpm

openstack-nova-conductor-2015.1.4-32.el7ost.noarch.rpm

openstack-nova-console-2015.1.4-32.el7ost.noarch.rpm

openstack-nova-doc-2015.1.4-32.el7ost.noarch.rpm

openstack-nova-network-2015.1.4-32.el7ost.noarch.rpm

openstack-nova-novncproxy-2015.1.4-32.el7ost.noarch.rpm

openstack-nova-objectstore-2015.1.4-32.el7ost.noarch.rpm

openstack-nova-scheduler-2015.1.4-32.el7ost.noarch.rpm

openstack-nova-serialproxy-2015.1.4-32.el7ost.noarch.rpm

openstack-nova-spicehtml5proxy-2015.1.4-32.el7ost.noarch.rpm

python-cinder-2015.1.3-12.el7ost.noarch.rpm

python-glance-2015.1.2-3.el7ost.noarch.rpm

python-nova-2015.1.4-32.el7ost.noarch.rpm

python-oslo-concurrency-1.8.2-2.el7ost.noarch.rpm

python-oslo-concurrency-doc-1.8.2-2.el7ost.noarch.rpm

 

These packages are GPG signed by Red Hat for security. Our key and

details on how to verify the signature are available from

https://access.redhat.com/security/team/key/

 

7. References:

 

https://access.redhat.com/security/cve/CVE-2015-5162

https://access.redhat.com/security/updates/classification/#moderate

 

8. Contact:

 

The Red Hat security contact is . More contact

details at https://access.redhat.com/security/team/contact/

 

Copyright 2017 Red Hat, Inc.

-----BEGIN PGP SIGNATURE-----

Version: GnuPG v1

 

iD8DBQFYpN4FXlSAg2UNWIIRAnS3AJwIUCsmeX5Dt73NZfzTmBcsVlzyiQCfYwrR

s8VLQ4vomotJDGMJCDHoig8=

=OhaY

-----END PGP SIGNATURE-----

 

 

--

 

Share this post

Link to post

Please sign in to comment

You will be able to leave a comment after signing in



Sign In Now
Sign in to follow this  
Followers 0
Go To Topic Listing Upcoming News
×