Red Hat: RHSA-2023:4567-01 Important: Security Flaw in OpenStack Neutron
red hat
March 23, 2022
An update for openstack-nova is now available for Red Hat OpenStack Platform 16.2 (Train)
Solution
For details on how to apply this update, which includes the changes
described in this advisory, refer to:
https://access.redhat.com/articles/11258
Summary
OpenStack Compute (codename Nova) is open source software designed
to provision and manage large networks of virtual machines,creating a
redundant and scalable cloud computing platform. It gives you the software,
control panels, and APIs required to orchestrate a cloud, including running
instances, managing networks, and controlling access through users and
projects.OpenStack Compute strives to be both hardware and hypervisor
agnostic, currently supporting a variety of standard hardware
configurations and seven major hypervisors.
Security Fix(es):
* novnc allows open redirection (CVE-2021-3654)
For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page listed in the References section.
Bug Fix(es):
* Red Hat OpenStack Platform (RHOSP) does not support the use of a fully
qualified domain name (FQDN) as the instance display name in a boot server
request. The instance display name is passed from the boot server request
to the `instance.hostname` field. Some customers use this unsupported
naming in their workflows.
A recent update [1] now sanitizes the `instance.hostname` field. The
sanitization steps include replacing periods with dashes, a replacement
that makes it impossible to continue using the unsupported FQDN instance
display names.
This update provides a temporary workaround for customers who use a fully
qualified domain name (FQDN) as the instance display name in a boot server
request. It limits the scope of the sanitization to cases where the
instance display name ends with a period followed by one or more numeric
digits.
If you use FQDN as the instance display name in a boot server request,
modify your workflow before upgrading to RHOSP 17. (BZ#2036652)
References
https://access.redhat.com/security/cve/CVE-2021-3654 https://access.redhat.com/security/updates/classification#moderate
Package List
Red Hat OpenStack Platform 16.2:
Source:
openstack-nova-20.6.2-2.20220112164912.8906554.el8ost.src.rpm
noarch:
openstack-nova-20.6.2-2.20220112164912.8906554.el8ost.noarch.rpm
openstack-nova-api-20.6.2-2.20220112164912.8906554.el8ost.noarch.rpm
openstack-nova-common-20.6.2-2.20220112164912.8906554.el8ost.noarch.rpm
openstack-nova-compute-20.6.2-2.20220112164912.8906554.el8ost.noarch.rpm
openstack-nova-conductor-20.6.2-2.20220112164912.8906554.el8ost.noarch.rpm
openstack-nova-console-20.6.2-2.20220112164912.8906554.el8ost.noarch.rpm
openstack-nova-migration-20.6.2-2.20220112164912.8906554.el8ost.noarch.rpm
openstack-nova-novncproxy-20.6.2-2.20220112164912.8906554.el8ost.noarch.rpm
openstack-nova-scheduler-20.6.2-2.20220112164912.8906554.el8ost.noarch.rpm
openstack-nova-serialproxy-20.6.2-2.20220112164912.8906554.el8ost.noarch.rpm
openstack-nova-spicehtml5proxy-20.6.2-2.20220112164912.8906554.el8ost.noarch.rpm
python3-nova-20.6.2-2.20220112164912.8906554.el8ost.noarch.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key
PREVIOUS
NEXT
Severity
important
Lowest
Low
Medium
High
Critical
Advisory ID: RHSA-2022:0999-01
Product: Red Hat OpenStack Platform
Advisory URL: https://access.redhat.com/errata/RHSA-2022:0999
Issue date: 2022-03-23
Topic
An update for openstack-nova is now available for Red Hat OpenStackPlatform 16.2 (Train).Red Hat Product Security has rated this update as having a security impactof Moderate. A Common Vulnerability Scoring System (CVSS) base score, whichgives a detailed severity rating, is available for each vulnerability fromthe CVE link(s) in the References section.
Relevant Releases Architectures
Red Hat OpenStack Platform 16.2 - noarch
Bugs Fixed
1729485 - [OSP16.2] "Invalid PCI devices Whitelist config error" configuring passthrough_whitelist with new 40Gb NICs due domain in PCI address is greater than FFFF
1908405 - Nova is out of sync with ironic as hypervisor list in nova does not agree with ironic list after reboot of the nodes
1915096 - [OSP16.2] NUMA instance spawn fails on get_best_cpu_topology when there is no 'threads' preference
1961439 - CVE-2021-3654 openstack-nova: novnc allows open redirection
1968735 - [OSP16.2][neutron]http_retries config option value not being used for calls to the port binding API
1972706 - [OSP 16.2] After host reboot VM goes to error state due to nova-compute EmptyCatalog error
1987225 - Compute service DOWN after FFU from RHOSP13 to 16.1 because service version is still 30.
1992863 - [OSP 16.2] Avoid duplicate BDMs during reserve_block_device_name
1998556 - [OSP 16.2] Attempting to start or hard reboot a users instance as an admin with encrypted rbd volumes leaves the instance unbootable
1999583 - [OSP 16.2] Provide a workaround option and/or nova-manage command to force the refresh of connection_info during a hard reboot
2036652 - [HOTFIX] [OSP 16.2] - option for disabling FIX on instance name sanity check
2036690 - If an upper case mac address is used in a heat template, live migration won't work in nova
Get the latest News and Insights
Get the latest Linux and open source security news straight to your inbox.
Powered By
Linux Security - Your source for Top Linux News, Advisories, HOWTOs and Feature Releases
QUICK LINKS
subscribe to newsletters!
Like staying secure? So do we.
Sign up for updates, tips, and alerts!