Explore top 10 tips to secure your open-source projects now. Read More

×
Alerts This Week
Warning Icon 1 454
Alerts This Week
Warning Icon 1 454

Red Hat: RHSA-2015:0789-01 Important: OpenStack Packstack Default Password

red hat
Calendar Grey April 8, 2015
Dist Redhat Esm H88
Significant Red Hat enhancement for openstack-packstack resolves essential vulnerabilities and corrects errors, enhancing overall security.
Updated openstack-packstack and openstack-puppet-modules packages that fix one security issue and several bugs are now available for Red Hat Enterprise Linux OpenStack Platform 6.0

Solution

Before applying this update, make sure all previously released errata relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

Summary

PackStack is a command-line utility for deploying OpenStack on existing servers over an SSH connection. Deployment options are provided either interactively, using the command line, or non-interactively by means of a text file containing a set of preconfigured values for OpenStack parameters. PackStack is suitable for proof-of-concept installations. PackStack is suitable for deploying proof-of-concept installations.
It was discovered that the puppet manifests, as provided with the openstack-puppet-modules package, would configure the pcsd daemon with a known default password. If this password was not changed and an attacker was able to gain access to pcsd, they could potentially run shell commands as root. (CVE-2015-1842)
This issue was discovered by Alessandro Vozza of Red Hat.
This update also fixes the following bugs:
* If OpenStack Networking is enabled, Packstack would display a warning if the Network Manager service is active on hosts. (BZ#1117277)
* A quiet dependency on a newer version of selinux-policy causes openstack-selinux 0.6.23 to fail to install modules when paired with selinux-policy packages from Red Hat Enterprise Linux 7.0 or 7.0.z. This causes Identity and other OpenStack services to receive 'AVC' denials and malfunction under some circumstances. The following workarounds allow the OpenStack services to function correctly:
1) Leave openstack-selinux at 0.6.18-2.el7ost until you are ready to update to Red Hat Enterprise Linux 7.1. At that time, a 'yum update' will resolve the issue.
2) Install the updated selinux-policy and selinux-policy-targeted packages from Red Hat Enterprise Linux 7.1 (version selinux-policy-3.13.1-23.el7 or later), then update openstack-selinux to version 0.6.23-1.el7ost. (BZ#1195252)
* A typo in the code caused a Sahara option that uses OpenStack Networking to be always false. Sahara now uses OpenStack Networking if the parameter 'CONFIG_NEUTRON_INSTALL is set to 'y'. (BZ#1199047)
* Prior to this update, users had to install the OpenStack Unified Client separately after an installation of Packstack. Packstack now installs it by default. (BZ#1199114)
* This enhancement updates Packstack to retain temporary directories when running an installation in debug mode. This assists with troubleshooting activities. As a result, temporary directories are not deleted when running Packstack with the --debug command line option. (BZ#1199565)
* Prior to this update, some validators did not use 'validate_not_empty' to ensure that certain parameters contained values. As a result, a number of internal validations could not be properly handled, leading to the possibility of unexpected errors. This update fixes validators to use validate_not_empty when required, resulting in correct validation behavior from validators. (BZ#11995889)
In addition to the above issues, this update also addresses bugs and enhancements which can be found in the Red Hat Enterprise Linux OpenStack Platform Technical Notes, linked to in the References section.
All openstack-packstack and openstack-puppet-modules users are advised to upgrade to these updated packages, which correct these issues.

References

https://access.redhat.com/security/cve/CVE-2015-1842 https://access.redhat.com/security/updates/classification/#important

Package List

Red Hat Enterprise Linux OpenStack Platform 6.0 for RHEL 7:
Source: openstack-packstack-2014.2-0.20.dev1467.g70c9655.el7ost.src.rpm openstack-puppet-modules-2014.2.13-2.el7ost.src.rpm
noarch: openstack-packstack-2014.2-0.20.dev1467.g70c9655.el7ost.noarch.rpm openstack-packstack-doc-2014.2-0.20.dev1467.g70c9655.el7ost.noarch.rpm openstack-packstack-puppet-2014.2-0.20.dev1467.g70c9655.el7ost.noarch.rpm openstack-puppet-modules-2014.2.13-2.el7ost.noarch.rpm
These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/


Severity
important
Lowest
Low
Medium
High
Critical

Advisory ID: RHSA-2015:0789-01
Product: Red Hat Enterprise Linux OpenStack Platform
Issue date: 2015-04-07

Topic

Updated openstack-packstack and openstack-puppet-modules packages that fixone security issue and several bugs are now available for Red HatEnterprise Linux OpenStack Platform 6.0.Red Hat Product Security has rated this update as having Important securityimpact. A Common Vulnerability Scoring System (CVSS) base score, whichgives a detailed severity rating, is available from the CVE link in theReferences section.

Relevant Releases Architectures

Red Hat Enterprise Linux OpenStack Platform 6.0 for RHEL 7 - noarch

Bugs Fixed

1117277 - Test Packstack/RHEL OSP on RHEL 7 nodes where Network Manager is NOT disabled

1123117 - Deploy Keystone in Apache httpd

1171744 - Configure TCP keepalive setting via puppet-rabbitmq

1172305 - [RFE] Support Keystone read-only LDAP configuration with domain-specific identity backends

1173930 - Horizon help url in RHEL-OSP6 points to the RHEL-OSP5 documentation

1187343 - Packstack does not install Ironic with CONFIG_IRONIC_INSTALL flag set to "y"

1187706 - problems with puppet-keystone LDAP support

1193889 - puppet restart neutron server every 30 minutes on evironments deployed by staypuft

1195252 - [keystone] - selinux denial

1195258 - Packstack doesn't set firewall so vxlan traffic can be received in multinode setup

1199047 - The value of use_neutron is set to false (instead of true) when neutron is used.

1199072 - packstack does not set ironic password

1199076 - glance_image provider doesn't respect custom region name

1199085 - RHOS backport RDO fix for packstack error: Error: sysctl -p /etc/sysctl.conf returned 255 instead of one of

1199114 - add openstack unified client

1199423 - Use flake8 and hacking instead of pep8 for Python syntax checks

1199427 - Cherrypick documentation fixes from RDO

1199519 - Packstack install AMQP with SSL, fails to start rabbitmq service

1199547 - Install rhos-log-collector only on RHEL systems

1199549 - Backport packstack RDO fixes for rebased modules

Read the Full Advisory

Get the latest News and Insights

Get the latest Linux and open source security news straight to your inbox.