Headline
RHSA-2023:1948: Red Hat Security Advisory: Red Hat OpenStack Platform 16.2 (openstack-nova) security update
An update for openstack-nova is now available for Red Hat OpenStack Platform 16.2 (Train). Red Hat Product Security has rated this update as having a security impact of Low. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
Related CVEs:
- CVE-2022-37394: An issue was discovered in OpenStack Nova before 23.2.2, 24.x before 24.1.2, and 25.x before 25.0.2. By creating a neutron port with the direct vnic_type, creating an instance bound to that port, and then changing the vnic_type of the bound port to macvtap, an authenticated user may cause the compute service to fail to restart, resulting in a possible denial of service. Only Nova deployments configured with SR-IOV are affected.
Skip to navigation Skip to main content
Utilities
- Subscriptions
- Downloads
- Containers
- Support Cases
Infrastructure and Management
- Red Hat Enterprise Linux
- Red Hat Virtualization
- Red Hat Identity Management
- Red Hat Directory Server
- Red Hat Certificate System
- Red Hat Satellite
- Red Hat Subscription Management
- Red Hat Update Infrastructure
- Red Hat Insights
- Red Hat Ansible Automation Platform
Cloud Computing
- Red Hat OpenShift
- Red Hat CloudForms
- Red Hat OpenStack Platform
- Red Hat OpenShift Container Platform
- Red Hat OpenShift Data Science
- Red Hat OpenShift Online
- Red Hat OpenShift Dedicated
- Red Hat Advanced Cluster Security for Kubernetes
- Red Hat Advanced Cluster Management for Kubernetes
- Red Hat Quay
- Red Hat CodeReady Workspaces
- Red Hat OpenShift Service on AWS
Storage
- Red Hat Gluster Storage
- Red Hat Hyperconverged Infrastructure
- Red Hat Ceph Storage
- Red Hat OpenShift Data Foundation
Runtimes
- Red Hat Runtimes
- Red Hat JBoss Enterprise Application Platform
- Red Hat Data Grid
- Red Hat JBoss Web Server
- Red Hat Single Sign On
- Red Hat support for Spring Boot
- Red Hat build of Node.js
- Red Hat build of Thorntail
- Red Hat build of Eclipse Vert.x
- Red Hat build of OpenJDK
- Red Hat build of Quarkus
Integration and Automation
- Red Hat Process Automation
- Red Hat Process Automation Manager
- Red Hat Decision Manager
All Products
Issued:
2023-04-26
Updated:
2023-04-26
RHSA-2023:1948 - Security Advisory
- Overview
- Updated Packages
Synopsis
Low: Red Hat OpenStack Platform 16.2 (openstack-nova) security update
Type/Severity
Security Advisory: Low
Red Hat Insights patch analysis
Identify and remediate systems affected by this advisory.
View affected systems
Topic
An update for openstack-nova is now available for Red Hat OpenStack
Platform 16.2 (Train).
Red Hat Product Security has rated this update as having a security impact
of Low. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.
Description
OpenStack Compute (codename Nova) is open source software designed
to provision and manage large networks of virtual machines,creating a
redundant and scalable cloud computing platform. It gives you the software,
control panels, and APIs required to orchestrate a cloud, including running
instances, managing networks, and controlling access through users and
projects.OpenStack Compute strives to be both hardware and hypervisor
agnostic, currently supporting a variety of standard hardware
configurations and seven major hypervisors.
Security Fix(es):
- Compute service fails to restart if the vnic_type of a bound port changed
from direct to macvtap (CVE-2022-37394)
For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page listed in the References section.
Affected Products
- Red Hat OpenStack for IBM Power 16.2 ppc64le
- Red Hat OpenStack 16.2 x86_64
Fixes
- BZ - 2051631 - Fresh deployment - nova api calls timing out
- BZ - 2075467 - Ensure that at startup nova-compute cleans up unavailable PCI devices from the DB that are not reported from the hypervisor
- BZ - 2084239 - nova host-evacuation returns erroneous pci addresses and an error: Unable to correlate PCI slot
- BZ - 2088676 - [OSP16.2] while live-migrating many instances concurrently, libvirt sometimes return internal error: migration was active, but no RAM info was set
- BZ - 2117333 - CVE-2022-37394 openstack-nova: Compute service fails to restart if the vnic_type of a bound port changed from direct to macvtap
- BZ - 2138381 - [OSP 16.2] Unacceptable CPU info: CPU doesn’t have compatibility
- BZ - 2140992 - 16.2 - Update instance host and task state when post live migration fails
- BZ - 2151410 - [OSP16.2] Invalid bdm record is left when cinder api call to delete a volume attachment times out
- BZ - 2158181 - nova-compute container won’t start when specifying x86_Icelake-Server CPU model
- BZ - 2164970 - Backport “Improving logging at '_allocate_mdevs’.” to 16.2
Red Hat OpenStack for IBM Power 16.2
SRPM
openstack-nova-20.6.2-2.20230308185148.fc01371.el8ost.src.rpm
SHA-256: e7382977e9353ea2ec52ec6ae5e65facc368131c078e22a17a84acdfd34d3814
ppc64le
openstack-nova-20.6.2-2.20230308185148.fc01371.el8ost.noarch.rpm
SHA-256: 14fe9c3c74a56dccd5f2f360b6e90642bbbc73b1169accc543c9a2451bb4dc9b
openstack-nova-api-20.6.2-2.20230308185148.fc01371.el8ost.noarch.rpm
SHA-256: df28d869f158ecc71396164b6063621e9f6facbf669b1993ccca536dd2d4aed9
openstack-nova-common-20.6.2-2.20230308185148.fc01371.el8ost.noarch.rpm
SHA-256: 84b45695ca5a544d6655ccb0a8a65c21085fcbb5a8c6a4c4ef9b6eedd1c7e0fd
openstack-nova-compute-20.6.2-2.20230308185148.fc01371.el8ost.noarch.rpm
SHA-256: 1cb04af92a1a4bdf0109a6c264124efc5ff0ca4b50acb02c9058cd65867ac9d9
openstack-nova-conductor-20.6.2-2.20230308185148.fc01371.el8ost.noarch.rpm
SHA-256: 5c2000a6117cb705635572047f1f75ca1ab1b3650616236939884024ae3cff1d
openstack-nova-console-20.6.2-2.20230308185148.fc01371.el8ost.noarch.rpm
SHA-256: 5e6e5ef3af7ef9ccd2d83f729f24a0f24902e1cfbca3847ea3a8948d4d58ccba
openstack-nova-migration-20.6.2-2.20230308185148.fc01371.el8ost.noarch.rpm
SHA-256: d0adacd4b25b687048ddbe446854a1c5335db2cc7e64faf76a6e176d94ef0514
openstack-nova-novncproxy-20.6.2-2.20230308185148.fc01371.el8ost.noarch.rpm
SHA-256: 5ad9f0dee1a70b7aee26c97cf91dfd6b69db4dd32c4b3aaba086606f55c2e683
openstack-nova-scheduler-20.6.2-2.20230308185148.fc01371.el8ost.noarch.rpm
SHA-256: e7a44a06746f3dc9fb48a96b1b591677a3c6d669c04ad8362cdce7e272140bc7
openstack-nova-serialproxy-20.6.2-2.20230308185148.fc01371.el8ost.noarch.rpm
SHA-256: 2cc993fa6ce3aa3f0387972222aec51c6bd25d2bac14fd4c0ddbedf066ee02f5
openstack-nova-spicehtml5proxy-20.6.2-2.20230308185148.fc01371.el8ost.noarch.rpm
SHA-256: bb18350853e07f6322bd9c0868d36152457f57ec39f44408b8224f15eeb71398
python3-nova-20.6.2-2.20230308185148.fc01371.el8ost.noarch.rpm
SHA-256: 910321ccb16b6cdacd6e29dd4d620c3d767b14ba017409244692dd0f62d7bb11
Red Hat OpenStack 16.2
SRPM
openstack-nova-20.6.2-2.20230308185148.fc01371.el8ost.src.rpm
SHA-256: e7382977e9353ea2ec52ec6ae5e65facc368131c078e22a17a84acdfd34d3814
x86_64
openstack-nova-20.6.2-2.20230308185148.fc01371.el8ost.noarch.rpm
SHA-256: 14fe9c3c74a56dccd5f2f360b6e90642bbbc73b1169accc543c9a2451bb4dc9b
openstack-nova-api-20.6.2-2.20230308185148.fc01371.el8ost.noarch.rpm
SHA-256: df28d869f158ecc71396164b6063621e9f6facbf669b1993ccca536dd2d4aed9
openstack-nova-common-20.6.2-2.20230308185148.fc01371.el8ost.noarch.rpm
SHA-256: 84b45695ca5a544d6655ccb0a8a65c21085fcbb5a8c6a4c4ef9b6eedd1c7e0fd
openstack-nova-compute-20.6.2-2.20230308185148.fc01371.el8ost.noarch.rpm
SHA-256: 1cb04af92a1a4bdf0109a6c264124efc5ff0ca4b50acb02c9058cd65867ac9d9
openstack-nova-conductor-20.6.2-2.20230308185148.fc01371.el8ost.noarch.rpm
SHA-256: 5c2000a6117cb705635572047f1f75ca1ab1b3650616236939884024ae3cff1d
openstack-nova-console-20.6.2-2.20230308185148.fc01371.el8ost.noarch.rpm
SHA-256: 5e6e5ef3af7ef9ccd2d83f729f24a0f24902e1cfbca3847ea3a8948d4d58ccba
openstack-nova-migration-20.6.2-2.20230308185148.fc01371.el8ost.noarch.rpm
SHA-256: d0adacd4b25b687048ddbe446854a1c5335db2cc7e64faf76a6e176d94ef0514
openstack-nova-novncproxy-20.6.2-2.20230308185148.fc01371.el8ost.noarch.rpm
SHA-256: 5ad9f0dee1a70b7aee26c97cf91dfd6b69db4dd32c4b3aaba086606f55c2e683
openstack-nova-scheduler-20.6.2-2.20230308185148.fc01371.el8ost.noarch.rpm
SHA-256: e7a44a06746f3dc9fb48a96b1b591677a3c6d669c04ad8362cdce7e272140bc7
openstack-nova-serialproxy-20.6.2-2.20230308185148.fc01371.el8ost.noarch.rpm
SHA-256: 2cc993fa6ce3aa3f0387972222aec51c6bd25d2bac14fd4c0ddbedf066ee02f5
openstack-nova-spicehtml5proxy-20.6.2-2.20230308185148.fc01371.el8ost.noarch.rpm
SHA-256: bb18350853e07f6322bd9c0868d36152457f57ec39f44408b8224f15eeb71398
python3-nova-20.6.2-2.20230308185148.fc01371.el8ost.noarch.rpm
SHA-256: 910321ccb16b6cdacd6e29dd4d620c3d767b14ba017409244692dd0f62d7bb11
The Red Hat security contact is [email protected]. More contact details at https://access.redhat.com/security/team/contact/.
Related news
Red Hat Security Advisory 2023-1948-01 - OpenStack Compute is open source software designed to provision and manage large networks of virtual machines,creating a redundant and scalable cloud computing platform. It gives you the software, control panels, and APIs required to orchestrate a cloud, including running instances, managing networks, and controlling access through users and projects.OpenStack Compute strives to be both hardware and hypervisor agnostic, currently supporting a variety of standard hardware configurations and seven major hypervisors.
Ubuntu Security Notice 5866-1 - It was discovered that Nova did not properly manage data logged into the log file. An attacker with read access to the service's logs could exploit this issue and may obtain sensitive information. This issue only affected Ubuntu 16.04 ESM and Ubuntu 18.04 LTS. It was discovered that Nova did not properly handle attaching and reattaching the encrypted volume. An attacker could possibly use this issue to perform a denial of service attack. This issue only affected Ubuntu 16.04 ESM.
An issue was discovered in OpenStack Nova before 23.2.2, 24.x before 24.1.2, and 25.x before 25.0.2. By creating a neutron port with the direct vnic_type, creating an instance bound to that port, and then changing the vnic_type of the bound port to macvtap, an authenticated user may cause the compute service to fail to restart, resulting in a possible denial of service. Only Nova deployments configured with SR-IOV are affected.