ESB-2018.1524 - [RedHat] Red Hat OpenStack Platform director: Multiple vulnerabilities 2018-05-18

Printable version
PGP/GPG verifiable version

Hash: SHA256

             AUSCERT External Security Bulletin Redistribution

            Red Hat OpenStack Platform director security update
                                18 May 2018


        AusCERT Security Bulletin Summary

Product:           Red Hat OpenStack Platform director
Publisher:         Red Hat
Operating System:  Red Hat
Impact/Access:     Modify Arbitrary Files -- Existing Account      
                   Denial of Service      -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2018-1000115 CVE-2017-12155 

Reference:         ESB-2018.0638

Original Bulletin:

- --------------------------BEGIN INCLUDED TEXT--------------------

Hash: SHA256

                   Red Hat Security Advisory

Synopsis:          Moderate: Red Hat OpenStack Platform director security update
Advisory ID:       RHSA-2018:1593-01
Product:           Red Hat Enterprise Linux OpenStack Platform
Advisory URL:
Issue date:        2018-05-17
CVE Names:         CVE-2017-12155 CVE-2018-1000115 

1. Summary:

An update is now available for Red Hat OpenStack Platform 10.0 (Newton).

Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat OpenStack Platform 10.0 - noarch

3. Description:

Red Hat OpenStack Platform director provides the facilities for deploying
and monitoring a private or public infrastructure-as-a-service (IaaS) cloud
based on Red Hat OpenStack Platform.

Security Fix(es):

* A resource-permission flaw was found in the python-tripleo and
openstack-tripleo-heat-templates packages where
ceph.client.openstack.keyring is created as world-readable. A local
attacker with access to the key could read or modify data on Ceph cluster
pools for OpenStack as though the attacker were the OpenStack service, thus
potentially reading or modifying data in an OpenStack Block Storage volume.

To exploit this flaw, the attacker must have local access to an overcloud
node. However by default, access to overcloud nodes is restricted and
accessible only from the management undercloud server on an internal
network. (CVE-2017-12155)

This issue was discovered by Katuya Kawakami (NEC).

* It was discovered that the memcached connections using UDP transport
protocol can be abused for efficient traffic amplification distributed
denial of service (DDoS) attacks. A remote attacker could send a malicious
UDP request using a spoofed source IP address of a target system to
memcached, causing it to send a significantly larger response to the
target. (CVE-2018-1000115)

This advisory also addresses the following issues:

* This release adds support for deploying Dell EMC VMAX Block Storage
backend using the Red Hat OpenStack Platform director. (BZ#1503896)

* Using composable roles for deploying Dell SC and PS Block Storage backend
caused errors. The backends could only be deploying using
'cinder::config::cinder_config' hiera data.
With this update, the composable role support for deploying the Dell SC and
PS Block Storage backends is updated. As a result, they can be now deployed
using composable roles. (BZ#1552980)

* Previously, the iptables rules were managed by the Red Hat OpenStack
Platform director and the OpenStack Networking service, which resulted in
the rules created by the OpenStack Networking service to persist on to the
disk. As a result, the rules that should not be loaded after an iptables
restart or a system reboot would be loaded causing traffic issues. 
With this update, the Red Hat OpenStack Platform director has been updated
to exclude the OpenStack Networking rules from '/etc/sysconfig/iptables'
when the director saves the firewall rules. As a result, iptables restart
or a system reboot should work without causing traffic problems. 
Note: It might be necessary to perform a rolling restart of the controller
nodes to ensure that any orphaned managed neutron rules are no longer
reloaded. (BZ#1541528)

* OS::TripleO::SwiftStorage::Ports* resources have been renamed to
OS::TripleO::ObjectStorage::Port* to ensure standalone Object Storage nodes
using the 'ObjectStorage' roles can be deployed correctly. Operators need
to modify their custom templates that previously used
OS::TripleO::SwiftStorage::Ports* settings. (BZ#1544802)

4. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

5. Bugs fixed (

1414549 - Establish and set sensible defaults for ceilometer data retention period
1489360 - CVE-2017-12155 openstack-tripleo-heat-templates: Ceph client keyring is world-readable when deployed by director
1503896 - [RFE] - Dell-EMC VMAX storage integration with Director
1514532 - Ceilometer event dispatcher misses `gnocchi'
1514842 - Keystone Admin API on external Network down after upgrading to OSP10z6
1517302 - openstack-nova-migration is potentially missing after a minor update
1533602 - Backport: Fix the dellemc vmax to use the correct hiera name
1534540 - [Back-Port request to OSP10] aodh-base.yaml uses hard coded regionOne
1538753 - (OSP10 backport) Deployment templates for unsupported components causing some confusion
1541528 - Changing firewall rules with Director saves copy of all rules into /etc/sysconfig/iptables as part of a stack update with `openstack overcloud deploy`
1543883 - [UPGRADE] Upgrade from 9->10 failed: update_os_net_config: command not found
1544211 - iptables is dropping rules on package update
1544802 - Deployment fails with ERROR: Failed to validate: Failed to validate: resources[0]: The Resource Type (OS::TripleO::SwiftStorage::Ports::ManagementPort) could not be found.",
1545666 - validation-scripts/ wait time verification
1547091 - rhel-registration broken with: Failed to validate: resources.NodeExtraConfig: "conditions" is not a valid keyword inside a resource definition'
1547957 - Undercloud / Overcloud Heat stack fails on: YAQL list index out of range (includes upgrades cases)
1551182 - CVE-2018-1000115 memcached: UDP server support allows spoofed traffic amplification DoS
1552980 - Errors with heat templates used to deploy Dell EMC SC and PS Cinder backends
1559093 - ceilometer event-list empty with event_dispatchers=gnocchi
1568596 - Rebase openstack-tripleo-heat-templates to f452e67
1568601 - Rebase puppet-tripleo to a2b2df9
1571840 - Attempting to use iptables with ipv6 address/prefix
1576577 - Attempting to Deploy RHOSP-10 with NetApp Driver Causes Failure in Overcloud Deploy

6. Package List:

Red Hat OpenStack Platform 10.0:



These packages are GPG signed by Red Hat for security.  Our key and
details on how to verify the signature are available from

7. References:

8. Contact:

The Red Hat security contact is <>. More contact
details at

Copyright 2018 Red Hat, Inc.
Version: GnuPG v1


- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

Australian Computer Emergency Response Team
The University of Queensland
Qld 4072

Internet Email:
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.


« Back to bulletins