ESB-2018.0925 - [Linux][RedHat] openstack-tripleo-common and openstack-tripleo-heat-templates: Modify arbitrary files - Existing account 2018-03-29

Printable version
PGP/GPG verifiable version

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2018.0925
                  Moderate: openstack-tripleo-common and
                  openstack-tripleo-heat-templates update
                               29 March 2018

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           openstack-tripleo-common
                   openstack-tripleo-heat-templates
Publisher:         Red Hat
Operating System:  Red Hat
                   Linux variants
Impact/Access:     Modify Arbitrary Files -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2017-12155  

Original Bulletin: 
   https://access.redhat.com/errata/RHSA-2018:0602

Comment: This advisory references vulnerabilities in products which run on 
         platforms other than Red Hat. It is recommended that administrators
         running openstack-tripleo-common or openstack-tripleo-heat-templates
         check for an updated version of the software for their operating 
         system.

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: openstack-tripleo-common and openstack-tripleo-heat-templates update
Advisory ID:       RHSA-2018:0602-01
Product:           Red Hat Enterprise Linux OpenStack Platform
Advisory URL:      https://access.redhat.com/errata/RHSA-2018:0602
Issue date:        2018-03-28
CVE Names:         CVE-2017-12155 
=====================================================================

1. Summary:

An update for openstack-tripleo-common and openstack-tripleo-heat-templates
is now available for Red Hat OpenStack Platform 12.0 (Pike).

Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat OpenStack Platform 12.0 - noarch

3. Description:

openstack-tripleo-common contains the python library for code common to the
Red Hat OpenStack Platform director CLI and GUI (codename tripleo).

openstack-tripleo-heat-templates is a collection of OpenStack Orchestration
templates and tools (codename heat), which can be used to help deploy
OpenStack.

Security Fix(es):

* openstack-tripleo-heat-templates: Ceph client keyring is world-readable
when deployed by director (CVE-2017-12155)

For more details about the security issue(s), including the impact, a CVSS
score, and other related information, refer to the CVE page(s) listed in
the References section.

Red Hat would like to thank Katuya Kawakami (NEC) for reporting this issue.

Bug Fix(es):

* All Compute and Controller nodes have bridge-mappings configured and
therefore are eligible to schedule routers. However, if you scheduled a
router on a Compute node that doesn't have a connection to an external
network, connectivity with the external network fails. This fix adds the
ability to configure bridge-mappings in TripleO and in the director
according to roles so that you can now exclude Compute nodes from router
scheduling and maintain external network connectivity. (BZ#1510879)

* Previously, the CephPools parameter value was incorrectly consumed as a
string list instead of as a JSON object. This prevented creating additional
Ceph pools during the overcloud deployment, because attempting to pass a
JSON object failed. This fix updates the CephPools parameter so that it now
accepts any JSON object that describes additional pools to create in the
Ceph cluster. Note: The JSON object structure must conform to ceph-ansible
conventions. (BZ#1516389)

* There is currently a known issue with LDAP integration for Red Hat
OpenStack Platform. The `keystone_domain_confg` tag is missing currently
from `keystone.yaml`, preventing Puppet from properly applying the required
configuration files. Consequently, LDAP integration with Red Hat OpenStack
Platform will not be properly configured. As a workaround, you must
manually edit `keystone.yaml` and add the missing tag. There are two ways
to do this:

1. Edit the file directly:
  a. Log into the undercloud as the stack user.
  b. Open the keystone.yaml in the editor of your choice. For example:
       `sudo vi
/usr/share/openstack-tripleo-heat-templates/docker/services/keystone.yaml`
  c. Append the missing puppet tag, `keystone_domain_confg`, to line 94.
For example:
      `puppet_tags: keystone_config`
        Changes to:
      `puppet_tags: keystone_config,keystone_domain_confg`
  d. Save and close `keystone.yaml`.
  e. Verify you see the missing tag in the `keystone.yaml` file. The
following command should return '1':
    `cat
/usr/share/openstack-tripleo-heat-templates/docker/sercies/keystone.yaml |
grep 'puppet_tags: keystone_config,keystone_domain_config' | wc -l`

2. Or, use sed to edit the file inline:
  a. Login to the undercloud as the stack user.
  b. Run the following command to add the missing puppet tag:
     `sed -i 's/puppet_tags\: keystone_config/puppet_tags\:
keystone_config,keystone_domain_config/'
/usr/share/openstack-tripleo-heat-templates/docker/services/keystone.yaml`
  c. Verify you see the missing tag in the keystone.yaml file The following
command should return '1':
    `cat
/usr/share/openstack-tripleo-heat-templates/docker/sercies/keystone.yaml |
grep 'puppet_tags: keystone_config,keystone_domain_config' | wc -l`
(BZ#1519057)

* It is only possible to deploy Ceph storage servers if their disk devices
are homogeneous. (BZ#1520004)

4. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1301534 - The gateway_ip attribute for the isolated networks are not accurate
1433534 - [RFE] [OVN] HA support for OVN ovn-northd
1489360 - CVE-2017-12155 openstack-tripleo-heat-templates: Ceph client keyring is world-readable when deployed by director
1507888 - Deployment with ceph and TLS everywhere fails with: "WorkflowTasks_Step2_Execution: ERROR "cannot stat '/var/run/ceph/ceph-mon.overcloud-controller-2.asok': No such file or directory""
1508601 - Add NetIpMap to hieradata for *ExtraConfig overrides (Composable Networks)
1519765 - containerized HA rabbitmq stops on re-deploy if lsns fails
1523272 - OSP10->11->12 upgrade:  major-upgrade-composable-steps-docker.yaml fails with Error: Evaluation Error: Error while evaluating a Function Call, Could not find class ::panko
1523707 - [UPDATES] PCS managed containers ain't restarted with latest images
1528755 - ConfigDebug setting does not work for docker init bundles
1533097 - CephPools parameter does not add CephX permission for openstack user
1533468 - capabilities-map.yaml references wrong environment files for ceph services
1533875 - Using the Telmetry Role with Ceph/RBD as gnocchi backend Fails in step 4 of the Deployment
1537725 - Deployment templates for unsupported components causing some confusion
1538828 - standalone Telemetry.yaml role has wrong services and typo
1538875 - mysql_init_bundle container doesn't fail deployment if puppet fails
1539090 - Cinder backups fail when running in a container (non-HA)
1542537 - tox -epep8 fails with ERROR: Generated roles file not match
1543641 - Cinder HA and non-HA containers are not configured the same
1546234 - Rebase openstack-tripleo-heat-templates to 7.0.9
1546807 - [OSP12] After a minor update the swift_rsync container was in restarting state
1547955 - Undercloud / Overcloud Heat stack fails on: YAQL list index out of range (includes upgrades cases)
1551137 - Queue versioned_notifications.info not found
1551461 - [UPDATES] Failed to setup heat-output: refusing to convert between directory and link for /var/log/containers/swift
1552466 - docker_puppet_apply.sh has a fatal typo
1558639 - Collectd not re-using /var/run directory  from overcloud node therefor ovs plugin fails to connect to db.sock of openswitch.

6. Package List:

Red Hat OpenStack Platform 12.0:

Source:
openstack-tripleo-heat-templates-7.0.9-8.el7ost.src.rpm

noarch:
openstack-tripleo-heat-templates-7.0.9-8.el7ost.noarch.rpm

These packages are GPG signed by Red Hat for security.  Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2017-12155
https://access.redhat.com/security/updates/classification/#moderate

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2018 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iD8DBQFau84VXlSAg2UNWIIRAk5OAJ912PmETLFITLgnM/OniepSERyWvACfWCmj
hsFDLkLErcQNYFMUT80VIqc=
=a7WB
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBWrxcMox+lLeg9Ub1AQhBng/8CzwlVtpedegyTj72hDKNaB5gU/SBe29h
qVrE2TuXR+qlI3DO4fo1AcBHOGpnKDYlIjaIqeBAr+c2j6KMsu1Rh/e+T+qS0I4x
llq/mkZzYjhesMORg0qm7AGHlx2daZCEx0DG4Jy+gjd5GdPuSssMoMdxbpJZ9gjS
tiI4eHaAgVqHvJG8Q6X6ETnKHfgeHaUP2IAMjYwL9d6j4ezUlW26oEccfbKP5tXP
ndsFQRn2s9QjUz5Nq4OnIe+tOXu0GlSZRbA74t5zhR9XsmEavoYViacXt4iV3a11
2iTEBYDedyaHVy/5Q+ljY61Zr/bUk7BwfGwdzItWQfjd8RSRa+uPnodqR3aLuOiT
Gr8d12mAS2vaeLXSzaOZ/95kCp5N8/nWaZK7qbqBwfY3p7nNuM+/FHfZjr0pjSoy
bMydgeW4kFri2IQP8LisokpRriqYfWTH3sj0312lrcuqZpv3uhE9ZakDB+lX5+kh
K81LJnSNd4bvo05fnnNEZSDJ3YODO4tyuwSDb681jN9xR29h/PY8djeV9pSKqos/
BOrO1KE81m/jxZDOch3Uu/Wu9YpdyTYydoV3zd44oZFM2WGs0Zji2BJN8Hbx8S4G
0jRrQ5Gle+MqyFArKBYrd9tlucfY8aTu+FG/GTk5q0RE+GVftpbPwM/uW4M6S5lo
0R7yOx8XeSA=
=ZqF+
-----END PGP SIGNATURE-----

« Back to bulletins