Red Hat Patches Three Serious Ansible Flaws in Its OpenStack Distribution
Red Hat has released security updates for its OpenStack Platform in order to fix a number of vulnerabilities of important and moderate severity. If left unpatched, the flaws could allow attackers to execute arbitrary code in the context of several services, escape from virtual machines, access sensitive information or gain higher privileges.
The Ansible package in the Red Hat OpenStack Platform 11.0 was updated to fix three vulnerabilities, one of which is rated as high severity, with a score of eight out of 10 in the Common Vulnerability Scoring System (CVSS).
Ansible is an SSH-based remote task execution system used by administrators to automate application deployment and configuration management. The most serious vulnerability, tracked as CVE-2017-7466, stems from a failure to properly validate data sent from Ansible managed client systems to the server. Successful exploitation can result in arbitrary code execution with the server’s privileges.
The other two flaws patched in Ansible can lead to information disclosure (CVE-2017-7473) and code execution through the jinja2 Python templating system, which is marked as unsafe by default (CVE-2017-7481).
The Red Hat Enterprise Linux OpenStack Platform 5.0 for RHEL 6 received an update for the qemu-kvm-rhev package to fix four important vulnerabilities. This package contains the components needed to run virtual machines in the KVM (Kernel-based Virtual Machine) mode.
Two vulnerabilities, CVE-2016-9603 and CVE-2017-7980, are located in QEMU’s Cirrus CLGD 54xx VGA emulator: one in its VNC display driver and the other in the emulator support code. Both can be exploited by a privileged user in a guest operating system to break out of the virtual machine and execute arbitrary code on the host system with the privileges of the QEMU process.
Two other vulnerabilities, CVE-2017-2633 and CVE-2017-7718, could be exploited by a privileged guest OS user to crash the QEMU process, resulting in a denial-of-service condition.
After installing the qemu-kvm-rhev package update, all QEMU virtual machines should be shut down and started up again in order for the patches to take effect, Red Hat said in its security advisory.
A vulnerability that could allow attackers to execute cross-site scripting (XSS) attacks against the OpenStack dashboard was fixed in the python-django package for Red Hat OpenStack Platform 6.0, 7.0, 8.0 and 9.0. The flaw (CVE-2017-7233) has moderate severity and is the result of improper sanitization of user input in the is_safe_url() function.
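A redirect-target check of the kind the Django flaw concerns has to accept only relative paths or URLs on hosts the application trusts, and it has to do so against inputs that browsers normalise differently from a naive parser. The following added example (not Django's `is_safe_url()`) is a hypothetical `is_safe_redirect()` helper written for this article; the host names and URLs in it are constructed.

```python
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}


def is_safe_redirect(url: str, allowed_hosts: set, require_https: bool = False) -> bool:
    """Return True only if `url` is a plain relative path or an http(s) URL
    whose host is in `allowed_hosts`. Hypothetical helper for this example;
    it is not Django's is_safe_url()."""
    if not url:
        return False
    # Leading/trailing whitespace and control characters are stripped by some
    # browsers, which can let a non-http scheme slip past a naive prefix check.
    if url != url.strip() or any(ord(c) < 0x20 or ord(c) == 0x7F for c in url):
        return False
    # Browsers treat a backslash like a slash; normalise before parsing so
    # '/\evil.example' is not mistaken for a relative path.
    normalised = url.replace("\\", "/")
    # A scheme-relative '//host' would leave the site.
    if normalised.startswith("//"):
        return False
    parts = urlsplit(normalised)
    if not parts.scheme and not parts.netloc:
        # No scheme and no authority: accept only an absolute path.
        return normalised.startswith("/")
    scheme = parts.scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        return False
    if require_https and scheme != "https":
        return False
    # Compare the parsed hostname, not the raw netloc, so userinfo tricks such
    # as 'https://trusted@evil.example/' resolve to the real host. A URL with
    # a scheme but no authority (e.g. 'http:12345') has no hostname and is
    # rejected here.
    return (parts.hostname or "") in allowed_hosts


if __name__ == "__main__":
    hosts = {"app.example"}
    for candidate in ("/accounts/profile/", "https://app.example/next",
                      "//evil.example/", "/\\evil.example", "http:999999999",
                      "https://app.example@evil.example/"):
        print(f"{candidate!r:45} safe={is_safe_redirect(candidate, hosts)}")
```

Whatever check is used, the application should fall back to a fixed in-app URL when the check fails rather than echoing the rejected value into an error page, since that is where a rejected redirect target can turn into a script-injection vector.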
Another moderate severity vulnerability (CVE-2017-2673) was fixed in the openstack-keystone package for Red Hat OpenStack Platform 9.0. Keystone is the OpenStack identity service that handles user authentication and authorization and limits user activities based on their assigned roles. The fixed vulnerability could result in a user who requests permissions to a project to inadvertently be granted permissions for all roles, including the administrative one.
The OpenStack Orchestration package, Heat, was also updated in Red Hat OpenStack Platform 9.0 to fix two vulnerabilities that could allow attackers to access sensitive information through the service log directory (CVE-2017-2621) and to obtain information about internal network services by triggering an overly detailed error message (CVE-2016-9185).
Instructions on obtaining and applying updates through the Red Hat Subscription Management (RHSM) or the Red Hat Network (RHN) Classic services are provided in a support article on Red Hat’s website.