Veracode Vulnerability Database: VERACODE:15428
Authentication Bypass
Published: May 02, 2019, 05:00:56
Source: sca.analysiscenter.veracode.com

EPSS: 0.002 (Low), percentile 56.6%

The openstack-heat packages provide heat, a Python implementation of the OpenStack Orchestration engine, used to launch multiple composite cloud applications based on templates.

It was found that heat did not properly enforce cloudformation-compatible API policy rules. An in-instance attacker could use the CreateStack or UpdateStack methods to create or update a stack, resulting in a violation of the API policy. Note that only setups using Orchestration's cloudformation-compatible API were affected. (CVE-2013-6426)

A flaw was found in the way Orchestration's REST API implementation handled modified request paths. An authenticated remote user could use this flaw to bypass the tenant-scoping restriction by modifying the tenant portion of the request path, resulting in privilege escalation. Note that this flaw is in Orchestration's native REST API, so setups exposing that API were affected. (CVE-2013-6428)

Red Hat would like to thank Jeremy Stanley of the OpenStack Project for reporting these issues. Upstream acknowledges Steven Hardy of Red Hat as the original reporter.

The openstack-heat packages have been upgraded to upstream version 2013.2.1, which provides a number of bug fixes and enhancements over the previous version. The most notable fixes and enhancements are:

- Auto-scaling has been fixed when AdjustmentType was set to PercentChangeInCapacity.
- A QPID broker restart no longer permanently disrupts subscribed clients.
- RPC requests are now only serviced by one server in a given topic group.
- Auto-scaling group growth or shrinkage has been fixed to utilize the full available size, regardless of the scaling policy adjustment. (BZ#1045430)

This update also fixes the following bugs:

* The outdated heat-db-setup tool, which only supported local installs, has been removed. The Red Hat Enterprise Linux OpenStack Platform 4 Installation and Configuration Guide has been updated to show how to create the necessary database and associated tables for Orchestration, allowing the deployment of the database server on a local or remote system (see Installing the OpenStack Orchestration Service). (BZ#1046326)
* The heat-engine source code had a hard-coded reference to a Fedora image name in the implementation of the AWS-compatible LoadBalancer resource. This meant that you could not specify an alternative LoadBalancer image name in deployments (for example, Red Hat Enterprise Linux). A new option, loadbalancer_template, has been added to the Orchestration configuration file, /etc/heat/heat.conf; it can be used to specify an alternate LoadBalancer template that contains a different image name. (BZ#1048215)
* Due to a packaging error, the heat-manage tool was not working properly (which prevented a successful database creation). This error has been fixed by moving the parallel package selection code so that all Orchestration tools now use the proper packages at runtime. (BZ#1048335)

All openstack-heat users are advised to upgrade to these updated packages, which correct these issues and add these enhancements.
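The two authorization checks whose absence CVE-2013-6428 (tenant in the URL path not compared with the token's tenant) and CVE-2013-6426 (cloudformation-compatible actions dispatched without a policy lookup) describe, shown side by side with the weak behaviour, as an added example in Python, the language heat is written in. This is illustrative code, not openstack-heat's own request handling: the policy table, the CFN_ACTION_TO_RULE map, the /v1/<tenant_id>/stacks path pattern, the AuthContext shape and every function name are assumptions made for the example.

```python
"""Added example (not openstack-heat code): tenant scoping and policy
enforcement for a native REST path and for cfn-style Action parameters.
All names and tables below are hypothetical."""
import re
from dataclasses import dataclass, field


@dataclass
class AuthContext:
    """What the auth middleware hands the API: the token's tenant and roles."""
    tenant_id: str
    roles: frozenset = field(default_factory=frozenset)


# Constructed policy table (hypothetical; shaped like policy.json rules).
POLICY = {
    "stacks:create": lambda ctx: bool(ctx.roles & {"member", "admin"}),
    "stacks:update": lambda ctx: bool(ctx.roles & {"member", "admin"}),
    "stacks:list": lambda ctx: True,
}

# cfn-compatible Action names mapped onto the native policy rules. An action
# missing from this map is denied, never allowed by default.
CFN_ACTION_TO_RULE = {
    "CreateStack": "stacks:create",
    "UpdateStack": "stacks:update",
    "ListStacks": "stacks:list",
}

# Assumed native path layout: /v1/<tenant_id>/stacks[/...]
PATH_RE = re.compile(r"^/v1/(?P<tenant_id>[^/]+)/stacks(?:/.*)?$")


def enforce(rule, ctx):
    """Policy check that fails closed: an unknown rule is a deny."""
    check = POLICY.get(rule)
    return check is not None and check(ctx)


def authorize_native_vulnerable(path, ctx, rule):
    """Weak behaviour: the tenant_id parsed from the path is used to scope
    the request without comparing it to the token's tenant."""
    m = PATH_RE.match(path)
    if not m:
        return "deny:bad-path"
    if not enforce(rule, ctx):
        return f"deny:policy:{rule}"
    return f"allow:{m.group('tenant_id')}"  # attacker-chosen tenant


def authorize_native(path, ctx, rule):
    """Hardened: path tenant must equal the token tenant, then policy."""
    m = PATH_RE.match(path)
    if not m:
        return "deny:bad-path"
    if m.group("tenant_id") != ctx.tenant_id:
        return "deny:tenant-mismatch"
    if not enforce(rule, ctx):
        return f"deny:policy:{rule}"
    return f"allow:{ctx.tenant_id}"


def authorize_cfn_vulnerable(action, ctx):
    """Weak behaviour: cfn actions are dispatched with no policy lookup,
    so CreateStack/UpdateStack run for any authenticated caller."""
    return f"allow:{ctx.tenant_id}"


def authorize_cfn(action, ctx):
    """Hardened: map the cfn Action onto the native rule and enforce it."""
    rule = CFN_ACTION_TO_RULE.get(action)
    if rule is None or not enforce(rule, ctx):
        return f"deny:policy:{action}"
    return f"allow:{ctx.tenant_id}"


if __name__ == "__main__":
    member = AuthContext("tenant-a", frozenset({"member"}))
    observer = AuthContext("tenant-a", frozenset({"observer"}))
    # Path tampering: token is for tenant-a, path names tenant-b.
    print(authorize_native_vulnerable("/v1/tenant-b/stacks", member, "stacks:list"))
    print(authorize_native("/v1/tenant-b/stacks", member, "stacks:list"))
    # Policy bypass: a role without create rights via the cfn action name.
    print(authorize_cfn_vulnerable("CreateStack", observer))
    print(authorize_cfn("CreateStack", observer))
```

The ordering in authorize_native matters: the tenant comparison runs before the policy check so that a mismatched path is rejected regardless of the caller's roles, and enforce treats a rule that is absent from the table as a deny rather than an allow.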
