Red Hat Security Advisory 2022-6969-01
Red Hat Security Advisory 2022-6969-01 - An update for tripleo-ansible is now available for Red Hat OpenStack Platform. Red Hat Product Security has rated this update as having a security impact of Important.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
====================================================================
Red Hat Security Advisory
Synopsis: Important: Red Hat OpenStack Platform (tripleo-ansible) security update
Advisory ID: RHSA-2022:6969-01
Product: Red Hat OpenStack Platform
Advisory URL: https://access.redhat.com/errata/RHSA-2022:6969
Issue date: 2022-10-17
CVE Names: CVE-2022-3101 CVE-2022-3146
====================================================================
- Summary:
An update for tripleo-ansible is now available for Red Hat OpenStack
Platform.
Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.
- Relevant releases/architectures:
Red Hat OpenStack Platform 16.1 - noarch
Red Hat OpenStack Platform 16.2 - noarch
- Description:
TripleO Ansible project repository. Contains playbooks for use with TripleO
OpenStack deployments. https://opendev.org
Security Fix(es):
* /var/lib/mistral/overcloud discoverable (CVE-2022-3101)
* /etc/openstack/clouds.yaml discoverable (CVE-2022-3146)
For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page listed in the References section.
- Solution:
Before applying this update, make sure all previously released errata
relevant to your system have been applied.
For details on how to apply this update, refer to:
https://access.redhat.com/articles/11258
- Bugs fixed (https://bugzilla.redhat.com/):
2120660 - CVE-2022-3101 tripleo-ansible: File permissions are too liberal on a director deployment [openstack-16.2]
2123767 - CVE-2022-3146 tripleo-ansible: /etc/openstack/clouds.yaml got 644 permission [openstack-16.2]
2123870 - CVE-2022-3101 tripleo-ansible: /var/lib/mistral/overcloud discoverable
2124721 - CVE-2022-3146 tripleo-ansible: /etc/openstack/clouds.yaml discoverable
2124732 - CVE-2022-3146 tripleo-ansible: /etc/openstack/clouds.yaml got 644 permission [openstack-16.1]
2130109 - ceph inventory linking fails with permission issues
2130598 - ceph inventory linking fails with permission issues
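Both fixes above concern files that a director deployment left readable by users other than their owner (the bug titles record a 644 mode on /etc/openstack/clouds.yaml). The following audit is an added example, not part of the advisory or of the tripleo-ansible project: it checks the two paths named in the advisory and reports any on which group or other permission bits are set, which is the condition the update removes. It assumes GNU coreutils (`stat -c '%a'`) and treats any group/other bit as too open, so a directory at 755 is flagged just like a file at 644.

```shell
#!/bin/sh
# Added example (not advisory or project code): audit the modes of the paths
# named in CVE-2022-3101 and CVE-2022-3146 on a director node.

# Paths taken from the advisory; the second is a directory, and a
# world-searchable directory is reported exactly like a world-readable file.
SENSITIVE_PATHS="/etc/openstack/clouds.yaml /var/lib/mistral/overcloud"

# octal_mode PATH -> prints the permission bits in octal (e.g. 600).
# Assumes GNU stat; prints nothing if the path cannot be stat'ed.
octal_mode() {
    stat -c '%a' "$1" 2>/dev/null
}

# mode_is_restricted MODE -> 0 when the group and other digits are both zero.
# A leading setuid/setgid/sticky digit (e.g. 2640) is ignored for the test.
mode_is_restricted() {
    mode=$1
    perm=$(printf '%s' "$mode" | sed 's/.*\(...\)$/\1/')
    case "$perm" in
        ?00) return 0 ;;
        *)   return 1 ;;
    esac
}

# check_path PATH -> 0 if the path is restricted or absent (nothing to
# disclose), 1 if it is readable or searchable by group/other.
check_path() {
    p=$1
    if [ ! -e "$p" ]; then
        echo "skip: $p not present"
        return 0
    fi
    m=$(octal_mode "$p")
    if [ -z "$m" ]; then
        echo "error: cannot stat $p"
        return 1
    fi
    if mode_is_restricted "$m"; then
        echo "ok:   $p mode $m"
        return 0
    fi
    echo "OPEN: $p mode $m (group/other bits set)"
    return 1
}

# audit_paths PATH... -> 1 if any listed path is too open, else 0.
audit_paths() {
    rc=0
    for p in "$@"; do
        check_path "$p" || rc=1
    done
    return $rc
}

# Run the audit over the advisory's paths; exit status is non-zero when
# any of them still carries group/other permission bits.
audit_paths $SENSITIVE_PATHS
```

Run it as a user who can stat both paths (the files belong to the stack user on a director node); a non-zero exit means the update has not yet taken effect or a later step re-widened the mode.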
- Package List:
Red Hat OpenStack Platform 16.1:
Source:
openstack-tripleo-common-11.4.1-1.20211201113404.el8ost.src.rpm
openstack-tripleo-heat-templates-11.3.2-1.20220114223346.el8ost.src.rpm
tripleo-ansible-0.5.1-1.20220114163454.el8ost.src.rpm
noarch:
openstack-tripleo-common-11.4.1-1.20211201113404.el8ost.noarch.rpm
openstack-tripleo-common-container-base-11.4.1-1.20211201113404.el8ost.noarch.rpm
openstack-tripleo-common-containers-11.4.1-1.20211201113404.el8ost.noarch.rpm
openstack-tripleo-common-devtools-11.4.1-1.20211201113404.el8ost.noarch.rpm
openstack-tripleo-heat-templates-11.3.2-1.20220114223346.el8ost.noarch.rpm
python3-tripleo-common-11.4.1-1.20211201113404.el8ost.noarch.rpm
tripleo-ansible-0.5.1-1.20220114163454.el8ost.noarch.rpm
Red Hat OpenStack Platform 16.2:
Source:
openstack-tripleo-common-11.7.1-2.20220318011206.el8ost.src.rpm
openstack-tripleo-heat-templates-11.6.1-2.20220409014870.el8ost.src.rpm
tripleo-ansible-0.8.1-2.20220406160116.el8ost.src.rpm
noarch:
openstack-tripleo-common-11.7.1-2.20220318011206.el8ost.noarch.rpm
openstack-tripleo-common-container-base-11.7.1-2.20220318011206.el8ost.noarch.rpm
openstack-tripleo-common-containers-11.7.1-2.20220318011206.el8ost.noarch.rpm
openstack-tripleo-common-devtools-11.7.1-2.20220318011206.el8ost.noarch.rpm
openstack-tripleo-heat-templates-11.6.1-2.20220409014870.el8ost.noarch.rpm
python3-tripleo-common-11.7.1-2.20220318011206.el8ost.noarch.rpm
tripleo-ansible-0.8.1-2.20220406160116.el8ost.noarch.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/
- References:
https://access.redhat.com/security/cve/CVE-2022-3101
https://access.redhat.com/security/cve/CVE-2022-3146
https://access.redhat.com/security/updates/classification/#important
- Contact:
The Red Hat security contact is secalert@redhat.com. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2022 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQIVAwUBY01tTtzjgjWX9erEAQietQ/9F9yZlY9G04oLYTUz/82AcyNJdjKGEqgM
5APs6Pu1Dy65KoV77pBUIYgDfzqX61JLPf7w6A/RuShRTUr2GVoj9Mf7r7n+xBjH
FwrCWygRzNSh68ZAYouLtIQgRbm0uP097ySyQpe/TQY6X6tlH+fUVFiAy8UgvuoW
WZ1W9cVBsJVVP6gD145TMZtlkRC9xQ7vajVOJH3l9TrwLqw/CSrfJLCXqA5C9z7G
6AJ66TZGNEaMMQ/sWDBJja4y8jkIxbR2K75Cq36rsxifUWLSgZOEa90eejptxz5F
l13HKFThfwJmgZ+KwppFLvMhI4lrtAdwcgBOgK3iGJ25exFm4ZCXG7V8x8QbxeNn
KNa8Dz+MwdxzJkg946jIiLUqgNgKXn4rXXFfCFBYfks+jU8kKAcW8Jqld/Z7rcZ3
SIB5/sqKQnYjYpwf3Wm61Giy6l0jU/qqidIaVXf65klYZq8+HeA2wcFvGnDsMbWm
sd4GctIb0LEsDfVYp2OocIsbmywFqxEI5if/Zva02Rao/AZaB1KieviAlripNeeE
2S+P3E2NNFlbqJvMMhtkNomHZaGiGhz2UzdMHjEdeKR3U1L1EylQcyDqqMQHRF/F
DW51qj28YUn6WBJFG7YO/zdMvepS3HU8S/x/4x2j90ooh+2pFrFNJMABR9Tdz5Yb
YYZ6btlYW78=
=bZIq
-----END PGP SIGNATURE-----
--
RHSA-announce mailing list
rhsa-announce@redhat.com
https://listman.redhat.com/mailman/listinfo/rhsa-announce
Related news
A flaw was found in tripleo-ansible. Due to an insecure default configuration, the permissions of a sensitive file are not sufficiently restricted. This flaw allows a local attacker to use brute force to explore the relevant directory and discover the file. This issue leads to information disclosure of important configuration details from the OpenStack deployment.
A flaw was found in tripleo-ansible. Due to an insecure default configuration, the permissions of a sensitive file are not sufficiently restricted. This flaw allows a local attacker to use brute force to explore the relevant directory and discover the file, leading to information disclosure of important configuration details from the OpenStack deployment.
An update for tripleo-ansible is now available for Red Hat OpenStack Platform. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
Related CVEs:
* CVE-2022-3101: tripleo-ansible: /var/lib/mistral/overcloud discoverable
* CVE-2022-3146: tripleo-ansible: /etc/openstack/clouds.yaml discoverable