RHSA-2023:3157: Red Hat Security Advisory: Red Hat OpenStack Platform 17.0 security update
An update for openstack-nova is now available for Red Hat OpenStack Platform 17.0 (Wallaby). Red Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
Related CVEs:
- CVE-2023-2088: A flaw was found in OpenStack due to an inconsistency between Cinder and Nova. This issue can be triggered intentionally or by accident. A remote, authenticated attacker could exploit this vulnerability by detaching one of their volumes from Cinder. The highest impact is to confidentiality.
Issued: 2023-05-17
Updated: 2023-05-17
RHSA-2023:3157 - Security Advisory
Synopsis
Critical: Red Hat OpenStack Platform 17.0 security update
Type/Severity
Security Advisory: Critical
Topic
An update for openstack-nova is now available for Red Hat OpenStack
Platform 17.0 (Wallaby).
Red Hat Product Security has rated this update as having a security impact
of Critical. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.
Description
Security Fix(es):
- EMBARGOED CVE-2023-2088 openstack-cinder: silently access other user’s
volumes (CVE-2023-2088)
For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page listed in the References section.
Affected Products
- Red Hat OpenStack 17 x86_64
- Cinderlib 17 x86_64
Fixes
- BZ - 2179587 - CVE-2023-2088 openstack-cinder: silently access other user’s volumes
Red Hat OpenStack 17
SRPM
openstack-cinder-18.2.1-0.20230509200451.1776695.el9ost.src.rpm
openstack-nova-23.2.2-0.20221209190754.7074ac0.el9ost.src.rpm
python-glance-store-2.5.1-0.20230509140449.5f1cee6.el9ost.src.rpm
python-os-brick-4.3.3-0.20220715140803.d09dc9e.el9ost.src.rpm
tripleo-ansible-3.3.1-0.20221208161844.fa5422f.el9ost.src.rpm
x86_64
openstack-cinder-18.2.1-0.20230509200451.1776695.el9ost.noarch.rpm
openstack-nova-23.2.2-0.20221209190754.7074ac0.el9ost.noarch.rpm
openstack-nova-api-23.2.2-0.20221209190754.7074ac0.el9ost.noarch.rpm
openstack-nova-common-23.2.2-0.20221209190754.7074ac0.el9ost.noarch.rpm
openstack-nova-compute-23.2.2-0.20221209190754.7074ac0.el9ost.noarch.rpm
openstack-nova-conductor-23.2.2-0.20221209190754.7074ac0.el9ost.noarch.rpm
openstack-nova-migration-23.2.2-0.20221209190754.7074ac0.el9ost.noarch.rpm
openstack-nova-novncproxy-23.2.2-0.20221209190754.7074ac0.el9ost.noarch.rpm
openstack-nova-scheduler-23.2.2-0.20221209190754.7074ac0.el9ost.noarch.rpm
openstack-nova-serialproxy-23.2.2-0.20221209190754.7074ac0.el9ost.noarch.rpm
openstack-nova-spicehtml5proxy-23.2.2-0.20221209190754.7074ac0.el9ost.noarch.rpm
python3-cinder-18.2.1-0.20230509200451.1776695.el9ost.noarch.rpm
python3-cinder-common-18.2.1-0.20230509200451.1776695.el9ost.noarch.rpm
python3-glance-store-2.5.1-0.20230509140449.5f1cee6.el9ost.noarch.rpm
python3-nova-23.2.2-0.20221209190754.7074ac0.el9ost.noarch.rpm
python3-os-brick-4.3.3-0.20220715140803.d09dc9e.el9ost.noarch.rpm
tripleo-ansible-3.3.1-0.20221208161844.fa5422f.el9ost.noarch.rpm
Cinderlib 17
SRPM
openstack-cinder-18.2.1-0.20230509200451.1776695.el9ost.src.rpm
python-os-brick-4.3.3-0.20220715140803.d09dc9e.el9ost.src.rpm
x86_64
python3-cinder-common-18.2.1-0.20230509200451.1776695.el9ost.noarch.rpm
python3-os-brick-4.3.3-0.20220715140803.d09dc9e.el9ost.noarch.rpm
The Red Hat security contact is [email protected]. More contact details at https://access.redhat.com/security/team/contact/.
Related news
Red Hat Security Advisory 2023-3161-01 - An update for openstack-nova is now available for Red Hat OpenStack Platform 13 (Queens). Red Hat Product Security has rated this update as having a security impact of Critical.
Red Hat Security Advisory 2023-3158-01 - An update for openstack-nova is now available for Red Hat OpenStack Platform 16.2 (Train). Red Hat Product Security has rated this update as having a security impact of Critical.
Red Hat Security Advisory 2023-3157-01 - An update for openstack-nova is now available for Red Hat OpenStack Platform 17.0 (Wallaby). Red Hat Product Security has rated this update as having a security impact of Critical.
Red Hat Security Advisory 2023-3156-01 - An update for openstack-nova is now available for Red Hat OpenStack Platform 16.1 (Train). Red Hat Product Security has rated this update as having a security impact of Critical.
An update for openstack-nova is now available for Red Hat OpenStack Platform 13 (Queens). Red Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: CVE-2023-2088: A flaw was found in OpenStack due to an inconsistency between Cinder and Nova. This issue can be triggered intentionally or by accident. A remote, authenticated attacker could exploit this vulnerability by detaching one of their volumes from Cinder. The highest impact is to confidentiality.
An update for openstack-nova is now available for Red Hat OpenStack Platform 16.2 (Train). Red Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: CVE-2023-2088: A flaw was found in OpenStack due to an inconsistency between Cinder and Nova. This issue can be triggered intentionally or by accident. A remote, authenticated attacker could exploit this vulnerability by detaching one of their volumes from Cinder. The highest impact is to confidentiality.
An update for openstack-nova is now available for Red Hat OpenStack Platform 16.1 (Train). Red Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: CVE-2023-2088: A flaw was found in OpenStack due to an inconsistency between Cinder and Nova. This issue can be triggered intentionally or by accident. A remote, authenticated attacker could exploit this vulnerability by detaching one of their volumes from Cinder. The highest impact is to confidentiality.
Ubuntu Security Notice 6073-3 - Jan Wasilewski and Gorka Eguileor discovered that Nova incorrectly handled deleted volume attachments. An authenticated user or attacker could possibly use this issue to gain access to sensitive information.
Ubuntu Security Notice 6073-1 - Jan Wasilewski and Gorka Eguileor discovered that Cinder incorrectly handled deleted volume attachments. An authenticated user or attacker could possibly use this issue to gain access to sensitive information.
Ubuntu Security Notice 6073-4 - Jan Wasilewski and Gorka Eguileor discovered that os-brick incorrectly handled deleted volume attachments. An authenticated user or attacker could possibly use this issue to gain access to sensitive information.
Ubuntu Security Notice 6073-2 - Jan Wasilewski and Gorka Eguileor discovered that Glance_store incorrectly handled deleted volume attachments. An authenticated user or attacker could possibly use this issue to gain access to sensitive information.