Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2014.0092 Moderate: openstack-neutron security, bug fix, and enhancement update 23 January 2014 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: openstack-neutron Publisher: Red Hat Operating System: Red Hat Linux variants Impact/Access: Access Confidential Data -- Remote/Unauthenticated Resolution: Patch/Upgrade CVE Names: CVE-2013-6419 Original Bulletin: https://rhn.redhat.com/errata/RHSA-2014-0091.html Comment: This advisory references vulnerabilities in products which run on platforms other than Red Hat. It is recommended that administrators running openstack-neutron check for an updated version of the software for their operating system. - --------------------------BEGIN INCLUDED TEXT-------------------- - -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ===================================================================== Red Hat Security Advisory Synopsis: Moderate: openstack-neutron security, bug fix, and enhancement update Advisory ID: RHSA-2014:0091-01 Product: Red Hat OpenStack Advisory URL: https://rhn.redhat.com/errata/RHSA-2014-0091.html Issue date: 2014-01-22 CVE Names: CVE-2013-6419 ===================================================================== 1. Summary: Updated openstack-neutron packages that fix one security issue, several bugs, and add various enhancements are now available for Red Hat Enterprise Linux OpenStack Platform 4.0. The Red Hat Security Response Team has rated this update as having moderate security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. 2. Relevant releases/architectures: OpenStack 4 - noarch 3. Description: The openstack-neutron packages provide Openstack Networking (neutron), the virtual network service. It was discovered that the metadata agent in OpenStack Networking was missing an authorization check on the device ID that is bound to a specific port. A remote tenant could guess the instance ID bound to a port and retrieve metadata of another tenant, resulting in information disclosure. Note that only OpenStack Networking setups running neutron-metadata-agent were affected. (CVE-2013-6419) Red Hat would like to thank Jeremy Stanley of the OpenStack Project for reporting this issue. Upstream acknowledges Aaron Rosen of VMware as the original reporter. The openstack-neutron packages have been upgraded to upstream version 2013.2.1, which provides a number of bug fixes and enhancements over the previous version. The most notable fixes and enhancements are: * Support for multiple workers in the Neutron API. This can be achieved by setting the 'workers=' parameter in the neutron.conf file. * The downtime and report interval default settings are tuned for neutron agents. * The floating IP address stability has been enhanced. * A heartbeat-related deadlock problem in neutron-server has been fixed. (BZ#1045419) This update also fixes the following bugs: * An incorrect warning was displayed when running neutron-dhcp-agent with Red Hat Enterprise Linux's version of dnsmasq. This meant that users were incorrectly warned that Red Hat Enterprise Linux's dnsmasq version will not work with neutron-dhcp-agent. This warning has been removed, and will no longer be logged to the neutron-dhcp-agent log file. (BZ#1040196) * A bug in the QPID topic consumer re-connection logic (under the v2 topology) caused qpidd to use a malformed subscriber address after restarting, resulting in RPC requests sent to a topic with multiple servers ending up being incorrectly multicast to all servers. This update removes the special-case reconnect logic that handles UUID addresses, which in turn avoids the incorrect establishment of multiple subscription to the same fanout address. The QPID broker now simply automatically generates unique queue names when clients reconnect. (BZ#1045067) * Thread-consuming QPID messages were killed silently by unhandled errors, thus resulting in isolating the component from the rest of the system. With this update, consuming threads are made more resilient to errors by ensuring they do not die on an unhandled error. The error is now logged, and the consuming thread is retried. (BZ#1054249) In addition, this update adds the following enhancement: * Previously, instances connected to tenant networks gained outside connectivity by going through an SNAT by the L3 agent hosting that network's virtual router. With this release, the ability to disable SNAT/PAT on virtual servers is added ensuring that an instance in a tenant network subnet will retain its IP address as it passes through external networks. For example, if 10.0.0.1 is an instance in the 10.0.0.0/8 tenant network, R1, a virtual router that connects the 10.0.0.0/8 subnet to the 20.0.0.0/8 public provider networks, then you can use the 'neutron router-gateway-set --disable-snat R1 public' command and any traffic from 10.0.0.1, which is forwarded out to the provider network, will retain its actual source IP address of 10.0.0.1. This can be a flexible and useful method to connect instances directly to a provider network, while retaining it in a tenant network. (BZ#1046070) All openstack-neutron users are advised to upgrade to these updated packages, which correct these issues and add these enhancements. 4. Solution: Before applying this update, make sure all previously released errata relevant to your system have been applied. This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/site/articles/11258 5. Bugs fixed (https://bugzilla.redhat.com/): 1038737 - neutron is creating duplicated NAT rules, resulting in instances without network connection 1039148 - CVE-2013-6419 OpenStack Neutron and Nova: Metadata queries from Neutron to Nova are not restricted by tenant 1039528 - Neutron rootwrap does not follow packaging guidelines 1040196 - Remove dnsmasq version warning for dhcp-agent on RHEL 1045067 - [oslo] With QPID, RPC calls to a topic are always fanned-out to all subscribers. 1046070 - Configurable External Gateway Modes 1046087 - The error message that indicates manual DB stamping is needed is not clear enough 1054249 - Thread consuming qpid messages can die silently 6. Package List: OpenStack 4: Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/RHOS/SRPMS/openstack-neutron-2013.2.1-4.el6ost.src.rpm noarch: openstack-neutron-2013.2.1-4.el6ost.noarch.rpm openstack-neutron-bigswitch-2013.2.1-4.el6ost.noarch.rpm openstack-neutron-brocade-2013.2.1-4.el6ost.noarch.rpm openstack-neutron-cisco-2013.2.1-4.el6ost.noarch.rpm openstack-neutron-hyperv-2013.2.1-4.el6ost.noarch.rpm openstack-neutron-linuxbridge-2013.2.1-4.el6ost.noarch.rpm openstack-neutron-mellanox-2013.2.1-4.el6ost.noarch.rpm openstack-neutron-metaplugin-2013.2.1-4.el6ost.noarch.rpm openstack-neutron-metering-agent-2013.2.1-4.el6ost.noarch.rpm openstack-neutron-midonet-2013.2.1-4.el6ost.noarch.rpm openstack-neutron-ml2-2013.2.1-4.el6ost.noarch.rpm openstack-neutron-nec-2013.2.1-4.el6ost.noarch.rpm openstack-neutron-nicira-2013.2.1-4.el6ost.noarch.rpm openstack-neutron-openvswitch-2013.2.1-4.el6ost.noarch.rpm openstack-neutron-plumgrid-2013.2.1-4.el6ost.noarch.rpm openstack-neutron-ryu-2013.2.1-4.el6ost.noarch.rpm openstack-neutron-vpn-agent-2013.2.1-4.el6ost.noarch.rpm python-neutron-2013.2.1-4.el6ost.noarch.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/#package 7. References: https://www.redhat.com/security/data/cve/CVE-2013-6419.html https://access.redhat.com/security/updates/classification/#moderate 8. Contact: The Red Hat security contact is <secalert@redhat.com>. More contact details at https://access.redhat.com/security/team/contact/ Copyright 2014 Red Hat, Inc. - -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.4 (GNU/Linux) iD8DBQFS4BDfXlSAg2UNWIIRAivNAKCVWiwL/nIdn7v6YXgfI0F+74mk0QCfZlps gQgFmSvzl9jrK02N6xI26E8= =s88t - -----END PGP SIGNATURE----- - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: http://www.auscert.org.au/render.html?cid=1980 =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: http://www.auscert.org.au/render.html?it=1967 iQIVAwUBUuCKMBLndAQH1ShLAQLVmA//clseUlbAVOLOtBIdDT9h0s1eH6KTDYFp 7mBQMeXRRcR1r2lwfRLecvDzQsko4CPMg03S1boV3Dn3eoMdy/WQU5NbOFMA7pQt LSPGNKaDkdvU7luEyWOt1fwIuY5TYaebitx0bIGr8zkJPDGdyPSvvH8qo+7sl2bS HSumhkmIxXG5aT+NQG2m1o0JMqqfd4YyYXh/iYctQH0zd9eA6EYhaxB5EdKe8iia PddtBTTxxoxrC4KySTP4ZCt89AmvyB9ze0HU5EyozDN+TPUhkwsTgcpeitWEH8Vx NkX7x6ch2q3HyR7ndYLJ09gHEfDQK28IlL0oCgoBiIJf5b9b0CkjnL80ScBxiq6r h7kuRA2dO+E78m3a9eXVn4ls+o7AiAqjaLcXA73fqrqnXzCKcjL/4InLKJkGxaa/ LLq9p6pgVYt31cxbXWE3pJ4SE/bGathNcI0M2UED1Vh5YTUvMQjDPGw7VeeCHhIX Szkus0fh+nN+/4zLU3/AGOgQz4OP+08bkwdpDCJ//0/9/S9JWs4wbWAqYIpcn9MT 22gM98eJ2+ypyG3Rvo/RQpD1HMWuThcU6uVe//9xMi2bzxIUSw27EAIVDOsJjSXw 1ZrqE0OuXtHhmPR/WT9X0ybIM8rUSoSrH02M01m0fRzsTvoEl1Tmfxq2gRAH48X6 x9cUpgVEyxI= =IRbW -----END PGP SIGNATURE-----