(RHSA-2018:2714) Moderate: openstack-nova security and bug fix update
2018-09-17T20:35:53
ID RHSA-2018:2714 Type redhat Reporter RedHat Modified 2018-09-17T20:38:53
Description
OpenStack Compute (nova) launches and schedules large networks of virtual
machines, creating a redundant and scalable cloud computing platform.
Compute provides the software, control panels, and APIs required to
orchestrate a cloud, including running virtual machine instances and
controlling access through users and projects.
Security Fix(es):
openstack-nova: Swapping encrypted volumes can allow an attacker to corrupt the LUKS header causing a denial of service in the host (CVE-2017-18191)
For more details about the security issue, including the impact, a CVSS score, and other related information, refer to the CVE page listed in the References section.
Bug Fix(es):
Previously, the MTU of TAP devices was not configured. As a result, the network could be configured with a different MTU than a guest TAP device.
With this update, you can configure libvirt when you create the TAP device for the guest. Nova passes the correct parameter to libvirt, and the TAP device now has the same configuration as the network. (BZ#1553839)
Previously, the MTU of TAP devices was not configured. As a result, the network could be configured with a different MTU than a guest TAP device.
With this update, you can configure libvirt when you create the TAP device for the guest. Nova passes the correct parameter to libvirt, and the TAP device now has the same configuration as the network. (BZ#1553559)
Previously, the '[vnc] keymap' option was 'en-us' by default, and it was not possible to unset this configuration. As a result of this, non-US locales experienced ineffective key mappings.
With this update, users can unset the '[vnc] keymap' value. In this case, the VNC client configures the locale and non-US users attain more effective key mappings. (BZ#1441962)
{"id": "RHSA-2018:2714", "hash": "fb8d634b3342524fc9ab15711ef0191f", "type": "redhat", "bulletinFamily": "unix", "title": "(RHSA-2018:2714) Moderate: openstack-nova security and bug fix update", "description": "OpenStack Compute (nova) launches and schedules large networks of virtual\nmachines, creating a redundant and scalable cloud computing platform.\nCompute provides the software, control panels, and APIs required to\norchestrate a cloud, including running virtual machine instances and\ncontrolling access through users and projects.\n\nSecurity Fix(es):\n\n* openstack-nova: Swapping encrypted volumes can allow an attacker to corrupt the LUKS header causing a denial of service in the host (CVE-2017-18191)\n\nFor more details about the security issue, including the impact, a CVSS score, and other related information, refer to the CVE page listed in the References section.\n\nBug Fix(es):\n\n* Previously, the MTU of TAP devices was not configured. As a result, the network could be configured with a different MTU than a guest TAP device.\n\nWith this update, you can configure libvirt when you create the TAP device for the guest. Nova passes the correct parameter to libvirt, and the TAP device now has the same configuration as the network. (BZ#1553839)\n\n* Previously, the MTU of TAP devices was not configured. As a result, the network could be configured with a different MTU than a guest TAP device.\n\nWith this update, you can configure libvirt when you create the TAP device for the guest. Nova passes the correct parameter to libvirt, and the TAP device now has the same configuration as the network. (BZ#1553559)\n\n* Previously, the '[vnc] keymap' option was 'en-us' by default, and it was not possible to unset this configuration. As a result of this, non-US locales experienced ineffective key mappings.\n\nWith this update, users can unset the '[vnc] keymap' value. In this case, the VNC client configures the locale and non-US users attain more effective key mappings. (BZ#1441962)", "published": "2018-09-17T20:35:53", "modified": "2018-09-17T20:38:53", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}, "href": "https://access.redhat.com/errata/RHSA-2018:2714", "reporter": "RedHat", "references": [], "cvelist": ["CVE-2017-18191"], "lastseen": "2018-12-11T21:42:17", "history": [{"bulletin": {"id": "RHSA-2018:2714", "hash": "4971c3b9c163c5dbb4c4a14552804d6a", "type": "redhat", "bulletinFamily": "unix", "title": "(RHSA-2018:2714) Moderate: openstack-nova security and bug fix update", "description": "OpenStack Compute (nova) launches and schedules large networks of virtual\nmachines, creating a redundant and scalable cloud computing platform.\nCompute provides the software, control panels, and APIs required to\norchestrate a cloud, including running virtual machine instances and\ncontrolling access through users and projects.\n\nSecurity Fix(es):\n\n* openstack-nova: Swapping encrypted volumes can allow an attacker to corrupt the LUKS header causing a denial of service in the host (CVE-2017-18191)\n\nFor more details about the security issue, including the impact, a CVSS score, and other related information, refer to the CVE page listed in the References section.\n\nBug Fix(es):\n\n* Previously, the MTU of TAP devices was not configured. As a result, the network could be configured with a different MTU than a guest TAP device.\n\nWith this update, you can configure libvirt when you create the TAP device for the guest. Nova passes the correct parameter to libvirt, and the TAP device now has the same configuration as the network. (BZ#1553839)\n\n* Previously, the MTU of TAP devices was not configured. As a result, the network could be configured with a different MTU than a guest TAP device.\n\nWith this update, you can configure libvirt when you create the TAP device for the guest. Nova passes the correct parameter to libvirt, and the TAP device now has the same configuration as the network. (BZ#1553559)\n\n* Previously, the '[vnc] keymap' option was 'en-us' by default, and it was not possible to unset this configuration. As a result of this, non-US locales experienced ineffective key mappings.\n\nWith this update, users can unset the '[vnc] keymap' value. In this case, the VNC client configures the locale and non-US users attain more effective key mappings. (BZ#1441962)", "published": "2018-09-17T20:35:53", "modified": "2018-09-17T20:38:53", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}, "href": "https://access.redhat.com/errata/RHSA-2018:2714", "reporter": "RedHat", "references": [], "cvelist": ["CVE-2017-18191"], "lastseen": "2018-09-17T20:57:02", "history": [], "viewCount": 44, "enchantments": {"score": {"value": 2.1, "vector": "NONE", "modified": "2018-09-17T20:57:02"}}, "objectVersion": "1.4", "affectedPackage": [{"OS": "RedHat", "OSVersion": "7", "arch": "noarch", "packageName": "openstack-nova", "packageVersion": "14.1.0-26.el7ost", "packageFilename": "openstack-nova-14.1.0-26.el7ost.noarch.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "7", "arch": "src", "packageName": "openstack-nova", "packageVersion": "14.1.0-26.el7ost", "packageFilename": "openstack-nova-14.1.0-26.el7ost.src.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "7", "arch": "noarch", "packageName": "openstack-nova-api", "packageVersion": "14.1.0-26.el7ost", "packageFilename": "openstack-nova-api-14.1.0-26.el7ost.noarch.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "7", "arch": "noarch", "packageName": "openstack-nova-cells", "packageVersion": "14.1.0-26.el7ost", "packageFilename": "openstack-nova-cells-14.1.0-26.el7ost.noarch.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "7", "arch": "noarch", "packageName": "openstack-nova-cert", "packageVersion": "14.1.0-26.el7ost", "packageFilename": "openstack-nova-cert-14.1.0-26.el7ost.noarch.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "7", "arch": "noarch", "packageName": "openstack-nova-common", "packageVersion": "14.1.0-26.el7ost", "packageFilename": "openstack-nova-common-14.1.0-26.el7ost.noarch.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "7", "arch": "noarch", "packageName": "openstack-nova-compute", "packageVersion": "14.1.0-26.el7ost", "packageFilename": "openstack-nova-compute-14.1.0-26.el7ost.noarch.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "7", "arch": "noarch", "packageName": "openstack-nova-conductor", "packageVersion": "14.1.0-26.el7ost", "packageFilename": "openstack-nova-conductor-14.1.0-26.el7ost.noarch.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "7", "arch": "noarch", "packageName": "openstack-nova-console", "packageVersion": "14.1.0-26.el7ost", "packageFilename": "openstack-nova-console-14.1.0-26.el7ost.noarch.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "7", "arch": "noarch", "packageName": "openstack-nova-migration", "packageVersion": "14.1.0-26.el7ost", "packageFilename": "openstack-nova-migration-14.1.0-26.el7ost.noarch.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "7", "arch": "noarch", "packageName": "openstack-nova-network", "packageVersion": "14.1.0-26.el7ost", "packageFilename": "openstack-nova-network-14.1.0-26.el7ost.noarch.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "7", "arch": "noarch", "packageName": "openstack-nova-novncproxy", "packageVersion": "14.1.0-26.el7ost", "packageFilename": "openstack-nova-novncproxy-14.1.0-26.el7ost.noarch.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "7", "arch": "noarch", "packageName": "openstack-nova-placement-api", "packageVersion": "14.1.0-26.el7ost", "packageFilename": "openstack-nova-placement-api-14.1.0-26.el7ost.noarch.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "7", "arch": "noarch", "packageName": "openstack-nova-scheduler", "packageVersion": "14.1.0-26.el7ost", "packageFilename": "openstack-nova-scheduler-14.1.0-26.el7ost.noarch.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "7", "arch": "noarch", "packageName": "openstack-nova-serialproxy", "packageVersion": "14.1.0-26.el7ost", "packageFilename": "openstack-nova-serialproxy-14.1.0-26.el7ost.noarch.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "7", "arch": "noarch", "packageName": "openstack-nova-spicehtml5proxy", "packageVersion": "14.1.0-26.el7ost", "packageFilename": "openstack-nova-spicehtml5proxy-14.1.0-26.el7ost.noarch.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "7", "arch": "noarch", "packageName": "python-nova", "packageVersion": "14.1.0-26.el7ost", "packageFilename": "python-nova-14.1.0-26.el7ost.noarch.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "7", "arch": "noarch", "packageName": "python-nova-tests", "packageVersion": "14.1.0-26.el7ost", "packageFilename": "python-nova-tests-14.1.0-26.el7ost.noarch.rpm", "operator": "lt"}]}, "lastseen": "2018-09-17T20:57:02", "differentElements": ["affectedPackage"], "edition": 1}], "viewCount": 44, "enchantments": {"score": {"value": 2.1, "vector": "NONE", "modified": "2018-12-11T21:42:17"}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2017-18191"]}, {"type": "redhat", "idList": ["RHSA-2018:2855", "RHSA-2018:2332"]}], "modified": "2018-12-11T21:42:17"}, "vulnersScore": 2.1}, "objectVersion": "1.4", "affectedPackage": [{"OS": "RedHat", "OSVersion": "7", "arch": "noarch", "packageName": "openstack-nova", "packageVersion": "14.1.0-26.el7ost", "packageFilename": "openstack-nova-14.1.0-26.el7ost.noarch.rpm", "operator": "lt"}], "_object_type": "robots.models.redhat.RedHatBulletin", "_object_types": ["robots.models.redhat.RedHatBulletin", "robots.models.base.Bulletin"]}
{"cve": [{"lastseen": "2019-04-27T11:25:29", "bulletinFamily": "NVD", "description": "An issue was discovered in OpenStack Nova 15.x through 15.1.0 and 16.x through 16.1.1. By detaching and reattaching an encrypted volume, an attacker may access the underlying raw volume and corrupt the LUKS header, resulting in a denial of service attack on the compute host. (The same code error also results in data loss, but that is not a vulnerability because the user loses their own data.) All Nova setups supporting encrypted volumes are affected.", "modified": "2019-04-26T09:17:35", "published": "2018-02-19T12:29:00", "id": "CVE-2017-18191", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-18191", "title": "CVE-2017-18191", "type": "cve", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}}], "redhat": [{"lastseen": "2018-12-11T21:42:19", "bulletinFamily": "unix", "description": "OpenStack Compute (nova) launches and schedules large networks of virtual machines, creating a redundant and scalable cloud computing platform. Compute provides the software, control panels, and APIs required to orchestrate a cloud, including running virtual machine instances and controlling access through users and projects.\n\nSecurity Fix(es):\n\n* openstack-nova: Swapping encrypted volumes can allow an attacker to corrupt the LUKS header causing a denial of service in the host (CVE-2017-18191)\n\nFor more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.\n\nBug Fix(es):\n\n* This update fixes a race condition that could generate error messages and cause migration failures during nova live migrations. \n\nPrior to this update, if a domain was already cleaned out by periodic tasks, undefining the domain source during a live migration sometimes generated a \"Domain not found (Code=42)\" error. (BZ#1614325)", "modified": "2018-10-02T22:38:22", "published": "2018-10-02T22:36:09", "id": "RHSA-2018:2855", "href": "https://access.redhat.com/errata/RHSA-2018:2855", "type": "redhat", "title": "(RHSA-2018:2855) Moderate: openstack-nova security and bug fix update", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}}, {"lastseen": "2018-12-11T21:43:09", "bulletinFamily": "unix", "description": "OpenStack Compute (nova) launches and schedules large networks of virtual\nmachines, creating a redundant and scalable cloud computing platform.\nCompute provides the software, control panels, and APIs required to\norchestrate a cloud, including running virtual machine instances and\ncontrolling access through users and projects.\n\nThe following packages have been upgraded to a later upstream version:\nopenstack-nova (16.1.4). (BZ#1591212)\n\nSecurity Fix(es):\n\n* openstack-nova: Swapping encrypted volumes can allow an attacker to corrupt the LUKS header causing a denial of service in the host (CVE-2017-18191)\n\nFor more details about the security issue(s), including the impact, a CVSS\nscore, and other related information, refer to the CVE page(s) listed in\nthe References section.\n\nFor more information about the bug fixes and enhancements included with this update, see the \"Technical Notes\" section of the Release Notes \nlinked in the References section.", "modified": "2018-08-20T16:46:12", "published": "2018-08-20T16:40:14", "id": "RHSA-2018:2332", "href": "https://access.redhat.com/errata/RHSA-2018:2332", "type": "redhat", "title": "(RHSA-2018:2332) Moderate: openstack-nova security, bug fix, and enhancement update", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}}]}
