-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2019.2552
          Important: openstack-ironic-inspector security update
                               11 July 2019

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           openstack-ironic-inspector
Publisher:         Red Hat
Operating System:  Red Hat Enterprise Linux Server 7
Impact/Access:     Execute Arbitrary Code/Commands -- Remote/Unauthenticated
                   Denial of Service               -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2019-10141
Reference:         ESB-2019.2428

Original Bulletin:
   https://access.redhat.com/errata/RHSA-2019:1722
   https://access.redhat.com/errata/RHSA-2019:1734

Comment: This bulletin contains two (2) Red Hat security advisories.

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: openstack-ironic-inspector security update
Advisory ID:       RHSA-2019:1722-01
Product:           Red Hat Enterprise Linux OpenStack Platform
Advisory URL:      https://access.redhat.com/errata/RHSA-2019:1722
Issue date:        2019-07-09
CVE Names:         CVE-2019-10141
=====================================================================

1. Summary:

An update for openstack-ironic-inspector is now available for Red Hat
OpenStack Platform 10.0 (Newton).

Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat OpenStack Platform 10.0 - noarch

3. Description:

OpenStack Bare Metal (ironic) is a tool used to provision bare metal (as
opposed to virtual) machines. It leverages common technologies such as PXE
boot and IPMI to cover a wide range of hardware. It also supports pluggable
drivers to allow added, vendor-specific, functionality.

Security Fix(es):

* openstack-ironic-inspector: SQL Injection vulnerability when receiving
introspection data (CVE-2019-10141)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1711722 - CVE-2019-10141 openstack-ironic-inspector: SQL Injection vulnerability when receiving introspection data

6. Package List:

Red Hat OpenStack Platform 10.0:

Source:
openstack-ironic-inspector-4.2.2-6.el7ost.src.rpm

noarch:
openstack-ironic-inspector-4.2.2-6.el7ost.noarch.rpm

These packages are GPG signed by Red Hat for security.  Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2019-10141
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2019 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBXSWt0tzjgjWX9erEAQgUBRAAi3iIeWYRfLy1EuMNaLoHAy0yV78miaup
gEYs5CNeVwcswhjZVm6m7d5uWSOLB34Ml8IkQ3AFNpbxWwjRxr2fcNJG1G6BG5+G
5EAJeOiWgctS3TmHwJPjDQPBMOgdaYX/SOcbj/pEcrhrrrNpZwAqL7WtEpDsylhr
tCLlR34OZrHt0igMNfLtoa0X6Z9TMtmuZA0zz0GBryEiKC2gaFqr7ASZEUX737fn
o/e49fG1w3G4U9mgzYXc00Ei0pmjq2WIUpRs91LPnmoHHCj0NuZM+mdHHhMs9wpU
ZdGg4bOaD5tgk7/eLfySY0cjxUhPjPmtVEewNnSEU8wjE4kxfb3kYZ8LrReo5JEf
04sKaujvEA7vOvTQ9TF/xxlTMzxnej1K61jO7iQh+sUM9StLhzcVQeuFcvZy5eHJ
WzHc1n3wlw9X3z4CtIuE6nsdhaIEkvmRIi3wDFfDh44m+hPu80Ty+9exdImpJGWN
RK1kMKcUDnsUuQh0e919zXjqgtuEahNUuTQqbxcO4hoSQ9z5MdIgqI5/m0imOGGb
No0fsgkQm/jr7/3l62loiw/QYGR5ktf4TiPUJP/6jBoynPXbmagVLV+79RJ/1X7t
EtPcePE8qc6SDtlNyp6Ek32i6VvM5f8tdtL8KXdG2WpKSTcLq42g397Ipdbv86k0
KBWRwPZ3Pqw=
=BHpr
- -----END PGP SIGNATURE-----

- --------------------------------------------------------------------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: openstack-ironic-inspector security update
Advisory ID:       RHSA-2019:1734-01
Product:           Red Hat Enterprise Linux OpenStack Platform
Advisory URL:      https://access.redhat.com/errata/RHSA-2019:1734
Issue date:        2019-07-10
CVE Names:         CVE-2019-10141
=====================================================================

1. Summary:

An update for openstack-ironic-inspector is now available for Red Hat
OpenStack Platform 13.0 (Queens).

Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat OpenStack Platform 13.0 - noarch

3. Description:

ironic-inspector is an auxiliary service for discovering hardware properties
for a node managed by Ironic. Hardware introspection or hardware properties
discovery is a process of getting hardware parameters required for
scheduling from a bare metal node, given its power management credentials
(e.g. IPMI address, user name and password).

Security Fix:

* openstack-ironic-inspector: SQL Injection vulnerability when receiving
introspection data (CVE-2019-10141)

For more details about the security issue, including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1711722 - CVE-2019-10141 openstack-ironic-inspector: SQL Injection vulnerability when receiving introspection data
1717086 - Rebase openstack-ironic-inspector to 7.2.4

6. Package List:

Red Hat OpenStack Platform 13.0:

Source:
openstack-ironic-inspector-7.2.3-3.el7ost.src.rpm

noarch:
openstack-ironic-inspector-7.2.3-3.el7ost.noarch.rpm

These packages are GPG signed by Red Hat for security.  Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2019-10141
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2019 Red Hat, Inc.
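Both advisories fix the same CVE with different builds (4.2.2-6.el7ost for OSP 10, 7.2.3-3.el7ost for OSP 13), so an operator with mixed underclouds has to compare whatever `rpm -q openstack-ironic-inspector` prints against the right fixed build, and plain string comparison gets RPM versions wrong (7.2.10 sorts before 7.2.3 lexically). The following is an added example, not part of the AusCERT bulletin or of Red Hat's advisory: it reimplements librpm's rpmvercmp segment ordering in Python (assumption: the reimplementation matches librpm for the plain ASCII version and release strings seen here; the caret operator of newer librpm is not handled), parses the NEVRA form that `rpm -q` prints, and reports which hosts still carry a pre-fix build. The host names and package strings in the inventory are constructed for the example.

```python
import re
from itertools import zip_longest

# Fixed builds taken from RHSA-2019:1722 (OSP 10) and RHSA-2019:1734 (OSP 13):
# (name, epoch, version, release). Epoch is 0 because rpm -q prints none.
FIXED_BUILDS = {
    "10": ("openstack-ironic-inspector", 0, "4.2.2", "6.el7ost"),
    "13": ("openstack-ironic-inspector", 0, "7.2.3", "3.el7ost"),
}

# Architecture suffixes that rpm -q may append; the advisory ships noarch only.
KNOWN_ARCHES = {"noarch", "x86_64", "i686", "ppc64le", "aarch64", "s390x"}

# rpmvercmp splits a version into runs of digits, runs of letters and the
# special '~' marker; every other character is a separator and is skipped.
_SEGMENT = re.compile(r"(\d+|[a-zA-Z]+|~)")


def rpmvercmp(a: str, b: str) -> int:
    """Return -1, 0 or 1 like librpm's rpmvercmp (reimplementation, ASCII only)."""
    if a == b:
        return 0
    for x, y in zip_longest(_SEGMENT.findall(a), _SEGMENT.findall(b)):
        # '~' sorts before everything, including the end of the string
        # (that is how 1.0~rc1 ends up older than 1.0).
        if x == "~" or y == "~":
            if x != "~":
                return 1
            if y != "~":
                return -1
            continue
        # Whichever side still has segments left is the newer one.
        if x is None:
            return -1
        if y is None:
            return 1
        x_num, y_num = x.isdigit(), y.isdigit()
        if x_num != y_num:
            # A numeric segment is newer than an alphabetic one at the same spot.
            return 1 if x_num else -1
        if x_num:
            xi, yi = int(x), int(y)  # int() also discards leading zeros
            c = (xi > yi) - (xi < yi)
        else:
            c = (x > y) - (x < y)
        if c:
            return c
    return 0


def parse_nevra(pkg: str):
    """Split 'name-[epoch:]version-release[.arch]' as printed by rpm -q."""
    head, dot, tail = pkg.rpartition(".")
    if dot and tail in KNOWN_ARCHES:
        pkg = head
    name, version, release = pkg.rsplit("-", 2)  # ValueError if malformed
    epoch = 0
    if ":" in version:
        epoch_str, version = version.split(":", 1)
        epoch = int(epoch_str)
    return name, epoch, version, release


def compare_evr(installed, fixed) -> int:
    """Order two (epoch, version, release) triples the way rpm does."""
    (ea, va, ra), (eb, vb, rb) = installed, fixed
    if ea != eb:
        return 1 if ea > eb else -1
    c = rpmvercmp(va, vb)
    return c if c else rpmvercmp(ra, rb)


def is_fixed(installed: str, osp_release: str) -> bool:
    """True when the installed build is at or above the advisory's fixed build."""
    name, epoch, version, release = parse_nevra(installed)
    fixed_name, fe, fv, fr = FIXED_BUILDS[osp_release]
    if name != fixed_name:
        raise ValueError(f"unexpected package name: {name}")
    return compare_evr((epoch, version, release), (fe, fv, fr)) >= 0


# Constructed inventory: (host, OSP release, output of rpm -q on that host).
SAMPLE_INVENTORY = [
    ("undercloud-a", "10", "openstack-ironic-inspector-4.2.2-5.el7ost.noarch"),
    ("undercloud-b", "10", "openstack-ironic-inspector-4.2.2-6.el7ost.noarch"),
    ("undercloud-c", "13", "openstack-ironic-inspector-7.2.3-2.el7ost.noarch"),
    ("undercloud-d", "13", "openstack-ironic-inspector-7.2.4-1.el7ost.noarch"),
]


def outstanding_hosts(inventory):
    """Hosts whose installed build is older than the fix for their release."""
    return [host for host, osp, pkg in inventory if not is_fixed(pkg, osp)]


if __name__ == "__main__":
    for host in outstanding_hosts(SAMPLE_INVENTORY):
        print("needs update:", host)
```

Feed the function the literal `rpm -q` output rather than a hand-typed version so that the release tag (the `-6.el7ost` part) is compared too; both fixed builds differ from their predecessors only in the release.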
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBXSXikNzjgjWX9erEAQhuzQ/+JlRXpZWPUKdqTZtovs4BG9r14rS3O9a8
pR/K/qiBDzKlz/qxO6HASWE3lwm8EbbXgsBjq/8+Qrc7iv9TMtMTgeCXa3iz8AJ6
x8dG8Yqwl8BeZMIuafiVG4qkurkxbErXHl/Doin/Guq2hpHfxYNhi/yJwoRs6wJZ
5uD///GyVmpug3vYtzaFfUzLZ+wJGVyMNoaKW4aaP9X6cDnlfpmV4rh/l1XXITDz
QWtsBygcWf4X617Mmrlo4ug/KQwhruqEvqATpQMDjKWyFgheGtGV6CdaEeyq12q+
zP4kL70Vjbv6XrLuGJ0HP1hN2tV6XHIL7T2OUpg1J4PhcT6MVHPzjOizu9cBVWh2
IZpIMN9hKnBBQ+lgBpIcye1VKX+TcFpLVdM2cZVjEoOl9R/qtgUvR8pyMYccaC8E
ElPX3/MHeJKiF0MzsvucGqmt1pzL+1z8Y2ebWFG1yFLXv9ba6Jl0d6UL/lH5elyg
N7u/kNsP2FyVCtboF2IBEfG86k+9N4ktp0lOJ+qmoHA0e8HH5ZxcwpoEuJASu7Uj
jif+woB2vyHveRlo28g3bqmm9Tj0rN++mXEBrcq42cDixuqJadKY9AiNd+Xjgxna
m37WhItd78gzxKqBeVAeNnslFcxKtGvBkYs3tyTS45GR10vyx+g/+b9yr7Lgdti9
Xx4TsPPfpBo=
=jklW
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBXSa/Q2aOgq3Tt24GAQhbThAA1HNTUl4PkE09qGkn7CnsGQ/By+ARE9X4
oIDdZ89oCEhTxFj/iG7gL4NULMiVEF3F1yYZDgBS3gyt3yRCz7ueCY+cvy2n7sPF
evYJUJ+onfgG+2jJgSjCllgsAFqiVPGh802tgsFeVxv9MHEanib/09UuZFiVP61r
NULa95vuaWigJxWp5VRamZ3LHTvK7x2Mgg2L1fWXJbuNAY3Uf/Cva+c7qiehJUan
i2zPmUvutfETh55eUdKSstpZxIdGWj3rR+QDsfz1fLK2Yh6Q0adEO5n1wduASD10
K3a6Yo6tkC/FcwkaOv8kyIPXFowrhDW/G1yW26p3aZgFo2jbN2ny5fACMC1WNMx7
bHtXHtRWZh9JnzBq7TQ0DSN4SWGSrKJdAyTs9KZfRsyP+dq+1iLSNKAjN/W38cHw
DdZs2bQkW7Axq4gCpYMCbi34olHMLEIWOnmhmKebgekz2ZRqSztwA0BbCFEND/bD
Bf9K/ZCsOBqcHkBhvM2rWNUvSp1N4A5io8tVWMw1Rd6rcXjA7ob3HdeaGU4nmRNm
JvpErgEj81sBHq8o7VuqiRrASKQCJHyGmrPjp4ZBlxjCj0PqAwmtLDuuxS3sJn+w
OHbBI9OmH2q56t8hTk8lGpCwWt8L4BPh3Rx00tFpIlS9ZOGEgtlf/GHKqv1aOCx/
ZRQiJzw3G5c=
=m/2K
-----END PGP SIGNATURE-----