ESB-2018.3392 - [SUSE] ardana-monasca, ardana-spark, kafka, kafka-kit and openstack-monasca-api: Delete arbitrary files - Existing account 2018-10-31


             AUSCERT External Security Bulletin Redistribution

         SUSE Security Update: Security update for ardana-monasca,
           ardana-spark, kafka, kafka-kit, openstack-monasca-api
                              31 October 2018


        AusCERT Security Bulletin Summary

Product:           ardana-monasca
Publisher:         SUSE
Operating System:  SUSE
Impact/Access:     Delete Arbitrary Files -- Existing Account
                   Denial of Service      -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2018-1288  

Reference:         ESB-2018.2952

Original Bulletin:

- --------------------------BEGIN INCLUDED TEXT--------------------

   SUSE Security Update: Security update for ardana-monasca, ardana-spark, kafka, kafka-kit, openstack-monasca-api

Announcement ID:    SUSE-SU-2018:3563-1
Rating:             important
References:         #1094851 #1094971 #1102662 #1102920 
Cross-References:   CVE-2018-1288
Affected Products:
                    SUSE OpenStack Cloud Crowbar 8
                    SUSE OpenStack Cloud 8
                    HPE Helion Openstack 8

   An update that solves one vulnerability and has three fixes
   is now available.


   This update for ardana-monasca, ardana-spark, kafka, kafka-kit,
   openstack-monasca-api fixes the following issues:

   This update for ardana-monasca to version 8.0+git.1535031421.9262a47 fixes
   these issues:

   - Requests Apache to reload on change (bsc#1102662)
   - Avoids managing non-Monasca users (bsc#1102662)
   - Line up perms on storm.conf to match rpm (bsc#1094971)

   This update for ardana-spark to version 8.0+git.1532114050.04654a8 fixes
   this issue:

   - Only set log dir perms on legacy install (bsc#1094851)

   This update for kafka to version fixes this security issue:

   - CVE-2018-1288: Authenticated Kafka users may have performed actions
     reserved for the broker by sending a manually crafted fetch request,
     interfering with data replication and resulting in data loss
     (bsc#1102920).

   This update for kafka to version fixes these non-security issues:

   - set to false in KafkaStreams
   - Improve message for Kafka failed startup with non-Kafka data in data.dirs
   - add max_number _of_retries to exponential backoff strategy
   - Mute logger for at the warn level in system tests
   - Kafka connect: error with special characters in connector name
   - streams task gets stuck after re-balance due to LockException
   - CachingSessionStore doesn't use the default keySerde.
   - RocksDBSessionStore doesn't use default aggSerde.
   - Recommended values for Connect transformations contain the wrong class
   - Kafka broker fails to start if a topic containing dot in its name is
     marked for delete but hasn't been deleted during previous uptime
   - GlobalKTable does not checkpoint offsets after restoring state
   - Log cleaning can increase message size and cause cleaner to crash with
     buffer overflow
   - Some socket connections not closed after restart of Kafka Streams
   - Distributed Herder Deadlocks on Shutdown
   - Log cleaner fails due to large offset in segment file
   - StreamsKafkaClient should not use StreamsConfig.POLL_MS_CONFIG
   - Refactor kafkatest docker support
   - ducktape kafka service: do not assume Service contains num_nodes
   - Using _DUCKTAPE_OPTIONS has no effect on executing tests
   - Connect WorkerSinkTask out of order offset commit can lead to
     inconsistent state
   - RocksDB segments not removed when store is closed causes
     re-initialization to fail
   - FetchMetadata creates unneeded Strings on instantiation
   - SourceTask#stop() not called after exception raised in poll()
   - Sink connectors that explicitly 'resume' topic partitions can resume a
     paused task
   - GlobalStateManagerImpl should not write offsets of in-memory stores in
     checkpoint file
   - Source KTable checkpoint is not correct
   - ConnectSchema#equals() broken for array-typed default values

   This update for openstack-monasca-api to version 2.2.1~dev24 fixes these

   - devstack: download storm from
   - Backport tempest test robustness improvements
   - 1724543-fixed kafka partition creation error in devstack installation
   - Fix: No alarms created if the metric name in the alarm definition
     expression is mixed case
   - Zuul: Remove project name
   - Run against Pike requirements

Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation methods
   like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE OpenStack Cloud Crowbar 8:

      zypper in -t patch SUSE-OpenStack-Cloud-Crowbar-8-2018-2523=1

   - SUSE OpenStack Cloud 8:

      zypper in -t patch SUSE-OpenStack-Cloud-8-2018-2523=1

   - HPE Helion Openstack 8:

      zypper in -t patch HPE-Helion-OpenStack-8-2018-2523=1
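The following script is an added example, not part of the SUSE or AusCERT bulletin. It takes the product names and patch identifiers from the Patch Instructions above, checks whether zypper still reports the patch as needed before applying it, and refuses to act on an unknown product. It assumes the `zypper patches` listing uses the `Repository | Name | Category | Severity | Interactive | Status | Summary` column layout; the sample listing in the comments is constructed.

```shell
#!/bin/sh
# Added example (not from the bulletin): select the patch for a product,
# check its status with "zypper patches", and apply it non-interactively.
# Assumption: "zypper patches" prints a '|'-separated table whose second
# column is the patch Name and whose sixth column is its Status.

# Map an affected product (as named in the bulletin) to its patch identifier.
patch_for_product() {
    case "$1" in
        "SUSE OpenStack Cloud Crowbar 8") echo "SUSE-OpenStack-Cloud-Crowbar-8-2018-2523=1" ;;
        "SUSE OpenStack Cloud 8")         echo "SUSE-OpenStack-Cloud-8-2018-2523=1" ;;
        "HPE Helion Openstack 8")         echo "HPE-Helion-OpenStack-8-2018-2523=1" ;;
        *) return 1 ;;
    esac
}

# Strip the "=1" version suffix; the patch list shows the bare patch name.
patch_name() {
    printf '%s\n' "$1" | sed 's/=.*$//'
}

# Read a "zypper patches" listing on stdin and print the Status column for
# the named patch ("needed", "applied", ...), or "unknown" if it is absent.
# Constructed sample line the function understands:
#   SUSE-OpenStack-Cloud-8-Updates | SUSE-OpenStack-Cloud-8-2018-2523 | security | important | --- | needed | Security update for ardana-monasca
patch_status_from_listing() {
    awk -F'|' -v n="$1" '
        { gsub(/^[ \t]+|[ \t]+$/, "", $2); gsub(/^[ \t]+|[ \t]+$/, "", $6) }
        $2 == n { print $6; found = 1; exit }
        END { if (!found) print "unknown" }
    '
}

# Apply the bulletin's patch for the given product only if zypper reports
# it as needed; any other status is reported for the operator to examine.
apply_patch_if_needed() {
    id="$(patch_for_product "$1")" || { echo "unsupported product: $1" >&2; return 2; }
    name="$(patch_name "$id")"
    status="$(zypper -n patches | patch_status_from_listing "$name")"
    case "$status" in
        needed)  zypper -n in -t patch "$id" ;;
        applied) echo "$name is already applied" ;;
        *)       echo "$name has status '$status'; check that the update repository is enabled" >&2; return 1 ;;
    esac
}

# Usage (as root): sh apply_esb_2018_3392.sh "SUSE OpenStack Cloud 8"
if [ -n "${1:-}" ]; then
    apply_patch_if_needed "$1"
fi
```

Running the script without an argument does nothing, so the helper functions can be sourced and checked on a workstation that has no zypper; the zypper calls only happen inside `apply_patch_if_needed`.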

Package List:

   - SUSE OpenStack Cloud Crowbar 8 (noarch):


   - SUSE OpenStack Cloud Crowbar 8 (x86_64):


   - SUSE OpenStack Cloud 8 (noarch):


   - SUSE OpenStack Cloud 8 (x86_64):


   - HPE Helion Openstack 8 (noarch):


   - HPE Helion Openstack 8 (x86_64):



- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

Australian Computer Emergency Response Team
The University of Queensland
Qld 4072

Internet Email:
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.

