====================================================================                   Red Hat Security Advisory

Synopsis:          Moderate: openstack-neutron security, bug fix, and enhancement update
Advisory ID:       RHSA-2014:0091-01
Product:           Red Hat OpenStack
Advisory URL:      https://access.redhat.com/errata/RHSA-2014:0091.html
Issue date:        2014-01-22
CVE Names:         CVE-2013-6419 
====================================================================
1. Summary:

Updated openstack-neutron packages that fix one security issue, several
bugs, and add various enhancements are now available for Red Hat Enterprise
Linux OpenStack Platform 4.0.

The Red Hat Security Response Team has rated this update as having moderate
security impact. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available from the CVE link in
the References section.

2. Relevant releases/architectures:

OpenStack 4 - noarch

3. Description:

The openstack-neutron packages provide Openstack Networking (neutron), the
virtual network service.

It was discovered that the metadata agent in OpenStack Networking was
missing an authorization check on the device ID that is bound to a specific
port. A remote tenant could guess the instance ID bound to a port and
retrieve metadata of another tenant, resulting in information disclosure.
Note that only OpenStack Networking setups running neutron-metadata-agent
were affected. (CVE-2013-6419)

Red Hat would like to thank Jeremy Stanley of the OpenStack Project for
reporting this issue. Upstream acknowledges Aaron Rosen of VMware as the
original reporter.

The openstack-neutron packages have been upgraded to upstream version
2013.2.1, which provides a number of bug fixes and enhancements over the
previous version. The most notable fixes and enhancements are:

* Support for multiple workers in the Neutron API. This can be achieved by
  setting the 'workers=' parameter in the neutron.conf file.

* The downtime and report interval default settings are tuned for
  neutron agents.

* The floating IP address stability has been enhanced.

* A heartbeat-related deadlock problem in neutron-server has been fixed.

(BZ#1045419)

This update also fixes the following bugs:

* An incorrect warning was displayed when running neutron-dhcp-agent with
Red Hat Enterprise Linux's version of dnsmasq. This meant that users were
incorrectly warned that Red Hat Enterprise Linux's dnsmasq version will not
work with neutron-dhcp-agent. This warning has been removed, and will no
longer be logged to the neutron-dhcp-agent log file. (BZ#1040196)

* A bug in the QPID topic consumer re-connection logic (under the v2
topology) caused qpidd to use a malformed subscriber address after
restarting, resulting in RPC requests sent to a topic with multiple serversending up being incorrectly multicast to all servers. This update removes
the special-case reconnect logic that handles UUID addresses, which in turn
avoids the incorrect establishment of multiple subscription to the same
fanout address. The QPID broker now simply automatically generates unique
queue names when clients reconnect. (BZ#1045067)

* Thread-consuming QPID messages were killed silently by unhandled errors,
thus resulting in isolating the component from the rest of the system.
With this update, consuming threads are made more resilient to errors by
ensuring they do not die on an unhandled error. The error is now logged,
and the consuming thread is retried. (BZ#1054249)

In addition, this update adds the following enhancement:

* Previously, instances connected to tenant networks gained outside
connectivity by going through an SNAT by the L3 agent hosting that
network's virtual router. With this release, the ability to disable
SNAT/PAT on virtual servers is added ensuring that an instance in a tenant
network subnet will retain its IP address as it passes through external
networks. For example, if 10.0.0.1 is an instance in the 10.0.0.0/8 tenant
network, R1, a virtual router that connects the 10.0.0.0/8 subnet to the
20.0.0.0/8 public provider networks, then you can use the 'neutron
router-gateway-set --disable-snat R1 public' command and any traffic from
10.0.0.1, which is forwarded out to the provider network, will retain its
actual source IP address of 10.0.0.1. This can be a flexible and useful
method to connect instances directly to a provider network, while retaining
it in a tenant network. (BZ#1046070)

All openstack-neutron users are advised to upgrade to these updated
packages, which correct these issues and add these enhancements.

4. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to
use the Red Hat Network to apply this update are available at
https://access.redhat.com/site/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1038737 - neutron is creating duplicated NAT rules, resulting in instances without network connection
1039148 - CVE-2013-6419 OpenStack Neutron and Nova: Metadata queries from Neutron to Nova are not restricted by tenant
1039528 - Neutron rootwrap does not follow packaging guidelines
1040196 - Remove dnsmasq version warning for dhcp-agent on RHEL
1045067 - [oslo] With QPID, RPC calls to a topic are always fanned-out to all subscribers.
1046070 - Configurable External Gateway Modes
1046087 - The error message that indicates manual DB stamping is needed is not clear enough
1054249 - Thread consuming qpid messages can die silently

6. Package List:

OpenStack 4:

Source:

noarch:
openstack-neutron-2013.2.1-4.el6ost.noarch.rpm
openstack-neutron-bigswitch-2013.2.1-4.el6ost.noarch.rpm
openstack-neutron-brocade-2013.2.1-4.el6ost.noarch.rpm
openstack-neutron-cisco-2013.2.1-4.el6ost.noarch.rpm
openstack-neutron-hyperv-2013.2.1-4.el6ost.noarch.rpm
openstack-neutron-linuxbridge-2013.2.1-4.el6ost.noarch.rpm
openstack-neutron-mellanox-2013.2.1-4.el6ost.noarch.rpm
openstack-neutron-metaplugin-2013.2.1-4.el6ost.noarch.rpm
openstack-neutron-metering-agent-2013.2.1-4.el6ost.noarch.rpm
openstack-neutron-midonet-2013.2.1-4.el6ost.noarch.rpm
openstack-neutron-ml2-2013.2.1-4.el6ost.noarch.rpm
openstack-neutron-nec-2013.2.1-4.el6ost.noarch.rpm
openstack-neutron-nicira-2013.2.1-4.el6ost.noarch.rpm
openstack-neutron-openvswitch-2013.2.1-4.el6ost.noarch.rpm
openstack-neutron-plumgrid-2013.2.1-4.el6ost.noarch.rpm
openstack-neutron-ryu-2013.2.1-4.el6ost.noarch.rpm
openstack-neutron-vpn-agent-2013.2.1-4.el6ost.noarch.rpm
python-neutron-2013.2.1-4.el6ost.noarch.rpm

These packages are GPG signed by Red Hat for security.  Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/#package

7. References:

https://www.redhat.com/security/data/cve/CVE-2013-6419.html
https://access.redhat.com/security/updates/classification/#moderate

8. Contact:

The Red Hat security contact is .  More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2014 Red Hat, Inc.

Red Hat: 2014:0091-01: openstack-neutron: Moderate Advisory

Updated openstack-neutron packages that fix one security issue, several bugs, and add various enhancements are now available for Red Hat Enterprise Linux OpenStack Platform 4.0

Summary

The openstack-neutron packages provide Openstack Networking (neutron), the virtual network service.
It was discovered that the metadata agent in OpenStack Networking was missing an authorization check on the device ID that is bound to a specific port. A remote tenant could guess the instance ID bound to a port and retrieve metadata of another tenant, resulting in information disclosure. Note that only OpenStack Networking setups running neutron-metadata-agent were affected. (CVE-2013-6419)
Red Hat would like to thank Jeremy Stanley of the OpenStack Project for reporting this issue. Upstream acknowledges Aaron Rosen of VMware as the original reporter.
The openstack-neutron packages have been upgraded to upstream version 2013.2.1, which provides a number of bug fixes and enhancements over the previous version. The most notable fixes and enhancements are:
* Support for multiple workers in the Neutron API. This can be achieved by setting the 'workers=' parameter in the neutron.conf file.
* The downtime and report interval default settings are tuned for neutron agents.
* The floating IP address stability has been enhanced.
* A heartbeat-related deadlock problem in neutron-server has been fixed.
(BZ#1045419)
This update also fixes the following bugs:
* An incorrect warning was displayed when running neutron-dhcp-agent with Red Hat Enterprise Linux's version of dnsmasq. This meant that users were incorrectly warned that Red Hat Enterprise Linux's dnsmasq version will not work with neutron-dhcp-agent. This warning has been removed, and will no longer be logged to the neutron-dhcp-agent log file. (BZ#1040196)
* A bug in the QPID topic consumer re-connection logic (under the v2 topology) caused qpidd to use a malformed subscriber address after restarting, resulting in RPC requests sent to a topic with multiple serversending up being incorrectly multicast to all servers. This update removes the special-case reconnect logic that handles UUID addresses, which in turn avoids the incorrect establishment of multiple subscription to the same fanout address. The QPID broker now simply automatically generates unique queue names when clients reconnect. (BZ#1045067)
* Thread-consuming QPID messages were killed silently by unhandled errors, thus resulting in isolating the component from the rest of the system. With this update, consuming threads are made more resilient to errors by ensuring they do not die on an unhandled error. The error is now logged, and the consuming thread is retried. (BZ#1054249)
In addition, this update adds the following enhancement:
* Previously, instances connected to tenant networks gained outside connectivity by going through an SNAT by the L3 agent hosting that network's virtual router. With this release, the ability to disable SNAT/PAT on virtual servers is added ensuring that an instance in a tenant network subnet will retain its IP address as it passes through external networks. For example, if 10.0.0.1 is an instance in the 10.0.0.0/8 tenant network, R1, a virtual router that connects the 10.0.0.0/8 subnet to the 20.0.0.0/8 public provider networks, then you can use the 'neutron router-gateway-set --disable-snat R1 public' command and any traffic from 10.0.0.1, which is forwarded out to the provider network, will retain its actual source IP address of 10.0.0.1. This can be a flexible and useful method to connect instances directly to a provider network, while retaining it in a tenant network. (BZ#1046070)
All openstack-neutron users are advised to upgrade to these updated packages, which correct these issues and add these enhancements.



Summary


Solution

Before applying this update, make sure all previously released errata relevant to your system have been applied.
This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/site/articles/11258

References

https://www.redhat.com/security/data/cve/CVE-2013-6419.html https://access.redhat.com/security/updates/classification/#moderate

Package List

OpenStack 4:
Source:
noarch: openstack-neutron-2013.2.1-4.el6ost.noarch.rpm openstack-neutron-bigswitch-2013.2.1-4.el6ost.noarch.rpm openstack-neutron-brocade-2013.2.1-4.el6ost.noarch.rpm openstack-neutron-cisco-2013.2.1-4.el6ost.noarch.rpm openstack-neutron-hyperv-2013.2.1-4.el6ost.noarch.rpm openstack-neutron-linuxbridge-2013.2.1-4.el6ost.noarch.rpm openstack-neutron-mellanox-2013.2.1-4.el6ost.noarch.rpm openstack-neutron-metaplugin-2013.2.1-4.el6ost.noarch.rpm openstack-neutron-metering-agent-2013.2.1-4.el6ost.noarch.rpm openstack-neutron-midonet-2013.2.1-4.el6ost.noarch.rpm openstack-neutron-ml2-2013.2.1-4.el6ost.noarch.rpm openstack-neutron-nec-2013.2.1-4.el6ost.noarch.rpm openstack-neutron-nicira-2013.2.1-4.el6ost.noarch.rpm openstack-neutron-openvswitch-2013.2.1-4.el6ost.noarch.rpm openstack-neutron-plumgrid-2013.2.1-4.el6ost.noarch.rpm openstack-neutron-ryu-2013.2.1-4.el6ost.noarch.rpm openstack-neutron-vpn-agent-2013.2.1-4.el6ost.noarch.rpm python-neutron-2013.2.1-4.el6ost.noarch.rpm
These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/#package


Severity
Advisory ID: RHSA-2014:0091-01
Product: Red Hat OpenStack
Advisory URL: https://access.redhat.com/errata/RHSA-2014:0091.html
Issued Date: : 2014-01-22
CVE Names: CVE-2013-6419

Topic

Updated openstack-neutron packages that fix one security issue, severalbugs, and add various enhancements are now available for Red Hat EnterpriseLinux OpenStack Platform 4.0.The Red Hat Security Response Team has rated this update as having moderatesecurity impact. A Common Vulnerability Scoring System (CVSS) base score,which gives a detailed severity rating, is available from the CVE link inthe References section.


Topic


 

Relevant Releases Architectures

OpenStack 4 - noarch


Bugs Fixed

1038737 - neutron is creating duplicated NAT rules, resulting in instances without network connection

1039148 - CVE-2013-6419 OpenStack Neutron and Nova: Metadata queries from Neutron to Nova are not restricted by tenant

1039528 - Neutron rootwrap does not follow packaging guidelines

1040196 - Remove dnsmasq version warning for dhcp-agent on RHEL

1045067 - [oslo] With QPID, RPC calls to a topic are always fanned-out to all subscribers.

1046070 - Configurable External Gateway Modes

1046087 - The error message that indicates manual DB stamping is needed is not clear enough

1054249 - Thread consuming qpid messages can die silently


Related News

11.Locks IsometricPattern Esm H320
2 - 3 min read
Open Source maintainers and developers have been warned about the continued wave of attacks aimed at project maintainers similar to those recently
28.Lock Globe Esm H320
1 - 2 min read
A resurgence of cyberattacks targeting Linux systems in Asian campaigns through the utilization of the Pupy Remote Access Trojan (RAT) has been
27.Tablet Connections Blocks Lock Esm H320
2 - 4 min read
Canonical has recently announced the Beta release of Ubuntu Linux 24.04 LTS , codenamed "Noble Numbat." This release aims to continue Ubuntu's
21.Globe RadiatingCode Esm H320
2 - 3 min read
The open-source movement has come a long way, from its origins in the 1960s and 1970s to becoming an integral part of organizations worldwide.
13.Lock StylizedMotherboard Esm H320
2 - 3 min read
The Rust-based Edera project demonstrates a unique approach to container security that addresses cloud-native computing challenges. Let's examine
8.Locks HexConnections CodeGlobe Esm H320
2 - 3 min read
Canonical has launched Ubuntu Pro for Devices , a comprehensive offering emphasizing security and compliance for IoT device deployments. This
2.Motherboard Esm H320
2 - 3 min read
The recently uncovered "Native Branch History Injection (BHI)" exploit against the Linux kernel marks a significant milestone in the ongoing battle
1.Penguin Landscape Esm H320
1 - 2 min read
There are compelling arguments in favor of Linux over Windows for desktop usage. Let's explore some advantages of choosing Linux over Windows for

Get the Latest News & Insights

Sign up to get the latest security news affecting Linux and open source delivered straight to your inbox.

© 2024 Guardian Digital, Inc All Rights Reserved