(RHSA-2018:0315) Moderate: openstack-aodh security update

openstack-aodh provides the ability to trigger actions based on defined rules against metric or event data collected by OpenStack Telemetry (ceilometer) or Time-Series-Database-as-a-Service (gnocchi).

openstack-aodh has been rebased to the upstream 4.0.2-3 version.

Security Fix(es):

• A verification flaw was found in openstack-aodh. As part of an HTTP alarm action, a user could pass in a trust ID. However, the trust could be from anyone because it was not verified. Because the trust was then used by openstack-aodh to obtain a keystone token for the alarm action, a malicious user could pass in another person’s trust ID and obtain a keystone token containing the delegated authority of that user. (CVE-2017-12440)

Red Hat would like to thank the OpenStack project for reporting this issue. Upstream acknowledges Zane Bitter (Red Hat) as the original reporter.