
Red Hat Security Advisory 2023-1948-01

Red Hat Security Advisory 2023-1948-01 - OpenStack Compute is open source software designed to provision and manage large networks of virtual machines, creating a redundant and scalable cloud computing platform. It gives you the software, control panels, and APIs required to orchestrate a cloud, including running instances, managing networks, and controlling access through users and projects. OpenStack Compute strives to be both hardware and hypervisor agnostic, currently supporting a variety of standard hardware configurations and seven major hypervisors.

Packet Storm

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
Red Hat Security Advisory

Synopsis: Low: Red Hat OpenStack Platform 16.2 (openstack-nova) security update
Advisory ID: RHSA-2023:1948-01
Product: Red Hat OpenStack Platform
Advisory URL: https://access.redhat.com/errata/RHSA-2023:1948
Issue date: 2023-04-26
CVE Names: CVE-2022-37394
=====================================================================

  1. Summary:

An update for openstack-nova is now available for Red Hat OpenStack
Platform 16.2 (Train).

Red Hat Product Security has rated this update as having a security impact
of Low. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

  2. Relevant releases/architectures:

Red Hat OpenStack Platform 16.2 - noarch

  3. Description:

OpenStack Compute (codename Nova) is open source software designed
to provision and manage large networks of virtual machines, creating a
redundant and scalable cloud computing platform. It gives you the software,
control panels, and APIs required to orchestrate a cloud, including running
instances, managing networks, and controlling access through users and
projects. OpenStack Compute strives to be both hardware and hypervisor
agnostic, currently supporting a variety of standard hardware
configurations and seven major hypervisors.

Security Fix(es):

  • Compute service fails to restart if the vnic_type of a bound port changed
    from direct to macvtap (CVE-2022-37394)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page listed in the References section.

  4. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

https://access.redhat.com/articles/11258

  5. Bugs fixed (https://bugzilla.redhat.com/):

2051631 - Fresh deployment - nova api calls timing out
2075467 - Ensure that at startup nova-compute cleans up unavailable PCI devices from the DB that are not reported from the hypervisor
2084239 - nova host-evacuation returns erroneous pci addresses and an error: Unable to correlate PCI slot
2088676 - [OSP16.2] while live-migrating many instances concurrently, libvirt sometimes return internal error: migration was active, but no RAM info was set
2117333 - CVE-2022-37394 openstack-nova: Compute service fails to restart if the vnic_type of a bound port changed from direct to macvtap
2138381 - [OSP 16.2] Unacceptable CPU info: CPU doesn’t have compatibility
2140992 - 16.2 - Update instance host and task state when post live migration fails
2151410 - [OSP16.2] Invalid bdm record is left when cinder api call to delete a volume attachment times out
2158181 - nova-compute container won’t start when specifying x86_Icelake-Server CPU model
2164970 - Backport “Improving logging at '_allocate_mdevs'.” to 16.2

  6. Package List:

Red Hat OpenStack Platform 16.2:

Source:
openstack-nova-20.6.2-2.20230308185148.fc01371.el8ost.src.rpm

noarch:
openstack-nova-20.6.2-2.20230308185148.fc01371.el8ost.noarch.rpm
openstack-nova-api-20.6.2-2.20230308185148.fc01371.el8ost.noarch.rpm
openstack-nova-common-20.6.2-2.20230308185148.fc01371.el8ost.noarch.rpm
openstack-nova-compute-20.6.2-2.20230308185148.fc01371.el8ost.noarch.rpm
openstack-nova-conductor-20.6.2-2.20230308185148.fc01371.el8ost.noarch.rpm
openstack-nova-console-20.6.2-2.20230308185148.fc01371.el8ost.noarch.rpm
openstack-nova-migration-20.6.2-2.20230308185148.fc01371.el8ost.noarch.rpm
openstack-nova-novncproxy-20.6.2-2.20230308185148.fc01371.el8ost.noarch.rpm
openstack-nova-scheduler-20.6.2-2.20230308185148.fc01371.el8ost.noarch.rpm
openstack-nova-serialproxy-20.6.2-2.20230308185148.fc01371.el8ost.noarch.rpm
openstack-nova-spicehtml5proxy-20.6.2-2.20230308185148.fc01371.el8ost.noarch.rpm
python3-nova-20.6.2-2.20230308185148.fc01371.el8ost.noarch.rpm

These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

  7. References:

https://access.redhat.com/security/cve/CVE-2022-37394
https://access.redhat.com/security/updates/classification/#low

  8. Contact:

The Red Hat security contact is [email protected]. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
-----END PGP SIGNATURE-----

RHSA-announce mailing list
[email protected]
https://listman.redhat.com/mailman/listinfo/rhsa-announce
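
To check hosts against the package list above, the following added example (not part of the Red Hat advisory) flags openstack-nova packages older than the fixed build 20.6.2-2.20230308185148.fc01371.el8ost. It assumes input lines in the form produced by `rpm -qa --qf '%{NAME} %{VERSION}-%{RELEASE}\n'`, compares segments the way rpm orders versions but without its `~`/`^` extensions, and does not compare epochs; the sample input is constructed.

```python
import re

# Fixed build taken from the advisory's package list: (version, release).
FIXED = ("20.6.2", "2.20230308185148.fc01371.el8ost")

def rpmvercmp(a, b):
    """Compare two version or release strings segment by segment: -1, 0 or 1."""
    ta = re.findall(r"[0-9]+|[A-Za-z]+", a)   # separators are ignored
    tb = re.findall(r"[0-9]+|[A-Za-z]+", b)
    for x, y in zip(ta, tb):
        if x[0].isdigit() != y[0].isdigit():
            # A numeric segment always sorts newer than an alphabetic one.
            return 1 if x[0].isdigit() else -1
        if x[0].isdigit():
            x, y = int(x), int(y)             # leading zeros do not count
        if x != y:
            return 1 if x > y else -1
    # All shared segments equal: the string with segments left over is newer.
    return (len(ta) > len(tb)) - (len(ta) < len(tb))

def is_fixed(version_release):
    """True if VERSION-RELEASE is at or above the fixed build."""
    version, _, release = version_release.partition("-")
    return (rpmvercmp(version, FIXED[0]) or rpmvercmp(release, FIXED[1])) >= 0

def audit(lines):
    """Return (name, version-release) for nova packages older than FIXED."""
    stale = []
    for line in lines:
        parts = line.split()
        if len(parts) != 2:
            continue
        name, vr = parts
        is_nova = name.startswith("openstack-nova") or name == "python3-nova"
        if is_nova and not is_fixed(vr):
            stale.append((name, vr))
    return stale

# Constructed sample input; only the first version string comes from the advisory.
SAMPLE = """\
openstack-nova-compute 20.6.2-2.20230308185148.fc01371.el8ost
python3-nova 20.6.2-2.20220101000000.0000000.el8ost
openstack-nova-common 20.4.1-1.el8ost
openssl 1.1.1k-9.el8
""".splitlines()

if __name__ == "__main__":
    for name, vr in audit(SAMPLE):
        print(f"{name} {vr} predates {FIXED[0]}-{FIXED[1]}")
```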

Related news

RHSA-2023:1948: Red Hat Security Advisory: Red Hat OpenStack Platform 16.2 (openstack-nova) security update

An update for openstack-nova is now available for Red Hat OpenStack Platform 16.2 (Train). Red Hat Product Security has rated this update as having a security impact of Low. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-37394: An issue was discovered in OpenStack Nova before 23.2.2, 24.x before 24.1.2, and 25.x before 25.0.2. By creating a neutron port with the direct vnic_type, creating an instance bound to that port, and then changing the vnic_type of the bound port to macvtap, an authenticated user may cause the compute service to fail to restart, res...

Ubuntu Security Notice USN-5866-1

Ubuntu Security Notice 5866-1 - It was discovered that Nova did not properly manage data logged into the log file. An attacker with read access to the service's logs could exploit this issue and may obtain sensitive information. This issue only affected Ubuntu 16.04 ESM and Ubuntu 18.04 LTS. It was discovered that Nova did not properly handle attaching and reattaching the encrypted volume. An attacker could possibly use this issue to perform a denial of service attack. This issue only affected Ubuntu 16.04 ESM.

CVE-2022-37394: Bug #1981813 “Compute service fails to restart if the vnic_type ...” : Bugs : OpenStack Security Advisory

An issue was discovered in OpenStack Nova before 23.2.2, 24.x before 24.1.2, and 25.x before 25.0.2. By creating a neutron port with the direct vnic_type, creating an instance bound to that port, and then changing the vnic_type of the bound port to macvtap, an authenticated user may cause the compute service to fail to restart, resulting in a possible denial of service. Only Nova deployments configured with SR-IOV are affected.
