ESB-2017.1619 - [RedHat] openstack-nova and python-novaclient: Access confidential data - Existing account 2017-06-29

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2017.1619
       Moderate: openstack-nova and python-novaclient security, bug
                        fix, and enhancement update
                               29 June 2017

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           openstack-nova
                   python-novaclient
Publisher:         Red Hat
Operating System:  Red Hat
Impact/Access:     Access Confidential Data -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2017-7214  

Reference:         ESB-2017.1525
                   ESB-2017.1378

Original Bulletin: 
   https://access.redhat.com/errata/RHSA-2017:1595

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: openstack-nova and python-novaclient security, bug fix, and enhancement update
Advisory ID:       RHSA-2017:1595-01
Product:           Red Hat Enterprise Linux OpenStack Platform
Advisory URL:      https://access.redhat.com/errata/RHSA-2017:1595
Issue date:        2017-06-28
CVE Names:         CVE-2017-7214 
=====================================================================

1. Summary:

An update for openstack-nova and python-novaclient is now available for Red
Hat OpenStack Platform 10.0 (Newton).

Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Relevant releases/architectures:

OpenStack 10.0 Tools for RHEL 7 - noarch
Red Hat OpenStack Platform 10.0 - noarch

3. Description:

OpenStack Compute (nova) launches and schedules large networks of virtual
machines, creating a redundant and scalable cloud computing platform.
Compute provides the software, control panels, and APIs required to
orchestrate a cloud, including running virtual machine instances and
controlling access through users and projects.

python-novaclient is the python client for the OpenStack Nova API. The
client's Python API (the novaclient module) and command-line script (nova)
both implement 100% of the OpenStack Nova API.

The following packages have been upgraded to a later upstream version:
python-novaclient (6.0.0), openstack-nova (14.0.6). (BZ#1421265,
BZ#1431802, BZ#1429924, BZ#1454629, BZ#1454630)

Security Fix(es):

* An information exposure issue was discovered in OpenStack Compute's
exception_wrapper.py. Legacy notification exception contexts appearing in
ERROR-level logs could include sensitive information such as account
passwords and authorization tokens. (CVE-2017-7214)
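The failure mode the advisory describes, shown as an added, constructed example rather than Nova's exception_wrapper.py: a decorator that reports the failing call's arguments when an exception escapes. The leaky variant forwards the arguments as-is (so an admin password and a request token end up in the notification and the ERROR log); the fixed variant masks sensitive keys before the payload leaves. Key names and the masking approach are assumptions for this example, not a description of the upstream patch.

```python
import functools

# Added, constructed example (not Nova's exception_wrapper.py): a decorator that
# reports the failing call's arguments on exception, first in the leaky form the
# advisory describes, then with sensitive keys masked before the payload leaves.

# Key names treated as secrets; an assumption for this example.
SENSITIVE_KEYS = {"password", "admin_password", "auth_token", "token"}

def mask_sensitive(value):
    """Recursively replace the value of any sensitive key with '***'."""
    if isinstance(value, dict):
        return {k: "***" if str(k).lower() in SENSITIVE_KEYS else mask_sensitive(v)
                for k, v in value.items()}
    if isinstance(value, (list, tuple)):
        return type(value)(mask_sensitive(v) for v in value)
    return value

def wrap_exception(notifier, scrub):
    """On exception, send {exception, args, kwargs} to notifier, then re-raise.
    scrub=False reproduces the leak; scrub=True masks secrets first."""
    def decorator(fn):
        @functools.wraps(fn)
        def wrapper(*args, **kwargs):
            try:
                return fn(*args, **kwargs)
            except Exception as exc:
                payload = {"exception": str(exc), "args": args, "kwargs": kwargs}
                notifier(mask_sensitive(payload) if scrub else payload)
                raise
        return wrapper
    return decorator

def run_demo():
    """Trigger both wrappers and return (leaky_payload, scrubbed_payload)."""
    captured = []  # stands in for the notification bus / ERROR log sink

    @wrap_exception(captured.append, scrub=False)
    def rebuild_leaky(instance_id, admin_password=None, context=None):
        raise RuntimeError("libvirt error")

    @wrap_exception(captured.append, scrub=True)
    def rebuild_fixed(instance_id, admin_password=None, context=None):
        raise RuntimeError("libvirt error")

    # Constructed request context carrying a bearer token, as a real one would.
    ctx = {"user": "alice", "auth_token": "CONSTRUCTED-TOKEN-abc123"}
    for fn in (rebuild_leaky, rebuild_fixed):
        try:
            fn("vm-1", admin_password="s3cret", context=ctx)
        except RuntimeError:
            pass
    return captured[0], captured[1]
```

Running `run_demo()` shows the first payload carrying the plaintext password and token while the second carries only `***` in their place, which is the property a log or notification sink should be checked for after applying the update.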

4. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1420880 - libvirt overwrites externally set vlan tags in macvtap passthrough VFs since 2.x so Nova needs to craft the XML to include vlan tag
1421265 - nova-manage db sync broke between RHOSP 9 => RHOSP 10 update
1429924 - Rebase openstack-nova to 14.0.4
1431802 - Rebase openstack-nova to upstream/stable/newton hash b8f209
1434844 - CVE-2017-7214 openstack-nova: Sensitive information included in legacy notification exception contexts
1436266 - Microversion 2.37 break 2.32 usage
1448002 - LibvirtError happens when put instance from pause to active status
1454629 - Rebase openstack-nova to 14.0.5
1454630 - Rebase openstack-nova to 14.0.6

6. Package List:

OpenStack 10.0 Tools for RHEL 7:

Source:
python-novaclient-6.0.0-3.el7ost.src.rpm

noarch:
python-novaclient-6.0.0-3.el7ost.noarch.rpm

Red Hat OpenStack Platform 10.0:

Source:
openstack-nova-14.0.6-2.el7ost.src.rpm
python-novaclient-6.0.0-3.el7ost.src.rpm

noarch:
openstack-nova-14.0.6-2.el7ost.noarch.rpm
openstack-nova-api-14.0.6-2.el7ost.noarch.rpm
openstack-nova-cells-14.0.6-2.el7ost.noarch.rpm
openstack-nova-cert-14.0.6-2.el7ost.noarch.rpm
openstack-nova-common-14.0.6-2.el7ost.noarch.rpm
openstack-nova-compute-14.0.6-2.el7ost.noarch.rpm
openstack-nova-conductor-14.0.6-2.el7ost.noarch.rpm
openstack-nova-console-14.0.6-2.el7ost.noarch.rpm
openstack-nova-migration-14.0.6-2.el7ost.noarch.rpm
openstack-nova-network-14.0.6-2.el7ost.noarch.rpm
openstack-nova-novncproxy-14.0.6-2.el7ost.noarch.rpm
openstack-nova-placement-api-14.0.6-2.el7ost.noarch.rpm
openstack-nova-scheduler-14.0.6-2.el7ost.noarch.rpm
openstack-nova-serialproxy-14.0.6-2.el7ost.noarch.rpm
openstack-nova-spicehtml5proxy-14.0.6-2.el7ost.noarch.rpm
python-nova-14.0.6-2.el7ost.noarch.rpm
python-nova-tests-14.0.6-2.el7ost.noarch.rpm
python-novaclient-6.0.0-3.el7ost.noarch.rpm

These packages are GPG signed by Red Hat for security.  Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2017-7214
https://access.redhat.com/security/updates/classification/#moderate

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2017 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iD8DBQFZVBGWXlSAg2UNWIIRAsByAJwOs8YXA61k0c8HAwyQDPeS0xFv9gCghZPE
7MpCIGBIKkrbQRfuNDwuYE8=
=8QZH
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================