Headline
RHSA-2022:0999: Red Hat Security Advisory: Red Hat OpenStack Platform 16.2 (openstack-nova) security update
An update for openstack-nova is now available for Red Hat OpenStack Platform 16.2 (Train). Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
Related CVEs:
- CVE-2021-3654: openstack-nova: novnc allows open redirection
Skip to navigation Skip to main content
Utilities
- Subscriptions
- Downloads
- Containers
- Support Cases
Infrastructure and Management
- Red Hat Enterprise Linux
- Red Hat Virtualization
- Red Hat Identity Management
- Red Hat Directory Server
- Red Hat Certificate System
- Red Hat Satellite
- Red Hat Subscription Management
- Red Hat Update Infrastructure
- Red Hat Insights
- Red Hat Ansible Automation Platform
Cloud Computing
- Red Hat OpenShift
- Red Hat CloudForms
- Red Hat OpenStack Platform
- Red Hat OpenShift Container Platform
- Red Hat OpenShift Data Science
- Red Hat OpenShift Online
- Red Hat OpenShift Dedicated
- Red Hat Advanced Cluster Security for Kubernetes
- Red Hat Advanced Cluster Management for Kubernetes
- Red Hat Quay
- Red Hat CodeReady Workspaces
- Red Hat OpenShift Service on AWS
Storage
- Red Hat Gluster Storage
- Red Hat Hyperconverged Infrastructure
- Red Hat Ceph Storage
- Red Hat OpenShift Data Foundation
Runtimes
- Red Hat Runtimes
- Red Hat JBoss Enterprise Application Platform
- Red Hat Data Grid
- Red Hat JBoss Web Server
- Red Hat Single Sign On
- Red Hat support for Spring Boot
- Red Hat build of Node.js
- Red Hat build of Thorntail
- Red Hat build of Eclipse Vert.x
- Red Hat build of OpenJDK
- Red Hat build of Quarkus
- Red Hat CodeReady Studio
Integration and Automation
- Red Hat Process Automation
- Red Hat Process Automation Manager
- Red Hat Decision Manager
All Products
Issued:
2022-03-23
Updated:
2022-03-23
RHSA-2022:0999 - Security Advisory
- Overview
- Updated Packages
Synopsis
Moderate: Red Hat OpenStack Platform 16.2 (openstack-nova) security update
Type/Severity
Security Advisory: Moderate
Red Hat Insights patch analysis
Identify and remediate systems affected by this advisory.
View affected systems
Topic
An update for openstack-nova is now available for Red Hat OpenStack
Platform 16.2 (Train).
Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.
Description
OpenStack Compute (codename Nova) is open source software designed
to provision and manage large networks of virtual machines,creating a
redundant and scalable cloud computing platform. It gives you the software,
control panels, and APIs required to orchestrate a cloud, including running
instances, managing networks, and controlling access through users and
projects.OpenStack Compute strives to be both hardware and hypervisor
agnostic, currently supporting a variety of standard hardware
configurations and seven major hypervisors.
Security Fix(es):
- novnc allows open redirection (CVE-2021-3654)
For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page listed in the References section.
Bug Fix(es):
- Red Hat OpenStack Platform (RHOSP) does not support the use of a fully qualified domain name (FQDN) as the instance display name in a boot server request. The instance display name is passed from the boot server request to the `instance.hostname` field. Some customers use this unsupported naming in their workflows.
A recent update [1] now sanitizes the `instance.hostname` field. The sanitization steps include replacing periods with dashes, a replacement that makes it impossible to continue using the unsupported FQDN instance display names.
This update provides a temporary workaround for customers who use a fully qualified domain name (FQDN) as the instance display name in a boot server request. It limits the scope of the sanitization to cases where the instance display name ends with a period followed by one or more numeric digits.
If you use FQDN as the instance display name in a boot server request, modify your workflow before upgrading to RHOSP 17. (BZ#2036652)
Affected Products
- Red Hat OpenStack 16.2 x86_64
- Red Hat OpenStack for IBM Power 16.2 ppc64le
Fixes
- BZ - 1729485 - [OSP16.2] “Invalid PCI devices Whitelist config error” configuring passthrough_whitelist with new 40Gb NICs due domain in PCI address is greater than FFFF
- BZ - 1908405 - Nova is out of sync with ironic as hypervisor list in nova does not agree with ironic list after reboot of the nodes
- BZ - 1915096 - [OSP16.2] NUMA instance spawn fails on get_best_cpu_topology when there is no ‘threads’ preference
- BZ - 1961439 - CVE-2021-3654 openstack-nova: novnc allows open redirection
- BZ - 1968735 - [OSP16.2][neutron]http_retries config option value not being used for calls to the port binding API
- BZ - 1972706 - [OSP 16.2] After host reboot VM goes to error state due to nova-compute EmptyCatalog error
- BZ - 1987225 - Compute service DOWN after FFU from RHOSP13 to 16.1 because service version is still 30.
- BZ - 1992863 - [OSP 16.2] Avoid duplicate BDMs during reserve_block_device_name
- BZ - 1998556 - [OSP 16.2] Attempting to start or hard reboot a users instance as an admin with encrypted rbd volumes leaves the instance unbootable
- BZ - 1999583 - [OSP 16.2] Provide a workaround option and/or nova-manage command to force the refresh of connection_info during a hard reboot
- BZ - 2036652 - [HOTFIX] [OSP 16.2] - option for disabling FIX on instance name sanity check
- BZ - 2036690 - If an upper case mac address is used in a heat template, live migration won’t work in nova
Red Hat OpenStack 16.2
SRPM
openstack-nova-20.6.2-2.20220112164912.8906554.el8ost.src.rpm
SHA-256: ee31c0207b1dcfeb73d9826940131adcd80f55724e2cee6f3d0ea6acae1fd874
x86_64
openstack-nova-20.6.2-2.20220112164912.8906554.el8ost.noarch.rpm
SHA-256: d7da2cc615dcc22d7d3b0421cce04460da23c386a7b0fdd2a9e8d87981fa6d38
openstack-nova-api-20.6.2-2.20220112164912.8906554.el8ost.noarch.rpm
SHA-256: f253fd0ac3be1d81737b96eac53834fee800fcf8985701ca5d2fd5d679061055
openstack-nova-common-20.6.2-2.20220112164912.8906554.el8ost.noarch.rpm
SHA-256: 225abdc9bee1cd04a51af53247bf6f445795613ba55f4253dd146e50fadc3ec3
openstack-nova-compute-20.6.2-2.20220112164912.8906554.el8ost.noarch.rpm
SHA-256: 1d15a81a66a89f47c0b1887dff041d693cc00fdd91ef2e52b666bc5320b43d2c
openstack-nova-conductor-20.6.2-2.20220112164912.8906554.el8ost.noarch.rpm
SHA-256: 1a475f8820a65975cc8977066621454eb1adedb493f0edf49df361a5d4d816c5
openstack-nova-console-20.6.2-2.20220112164912.8906554.el8ost.noarch.rpm
SHA-256: 60eba89607816fac656b6218d452fb94e330c7142d97e22b6c94149f5f622e0b
openstack-nova-migration-20.6.2-2.20220112164912.8906554.el8ost.noarch.rpm
SHA-256: 7399953eace53a5cb21f638f40a974ef3ffbc8a8b65827e78c225534255a8981
openstack-nova-novncproxy-20.6.2-2.20220112164912.8906554.el8ost.noarch.rpm
SHA-256: cce02968f2bd01b7bdedc742e111e0e61091df9afe05b6676d58b51f307cb273
openstack-nova-scheduler-20.6.2-2.20220112164912.8906554.el8ost.noarch.rpm
SHA-256: 77c3a1ba97b6166b0f174076f84be24776e9b7ca8fc6c02a69851c0200bd50ab
openstack-nova-serialproxy-20.6.2-2.20220112164912.8906554.el8ost.noarch.rpm
SHA-256: 1b5d64b690df294e4ae880fa9191650ccd0a2bdcfbff217a86b4e0ea20a93ffc
openstack-nova-spicehtml5proxy-20.6.2-2.20220112164912.8906554.el8ost.noarch.rpm
SHA-256: f529d1790c6eb9805866f350e06f128ed5446ca7611535056e28a5fc3585b095
python3-nova-20.6.2-2.20220112164912.8906554.el8ost.noarch.rpm
SHA-256: 04295d438af2b68b0029eead05a32a7c0f6f8653fd440a371acbcc4662966579
Red Hat OpenStack for IBM Power 16.2
SRPM
openstack-nova-20.6.2-2.20220112164912.8906554.el8ost.src.rpm
SHA-256: ee31c0207b1dcfeb73d9826940131adcd80f55724e2cee6f3d0ea6acae1fd874
ppc64le
openstack-nova-20.6.2-2.20220112164912.8906554.el8ost.noarch.rpm
SHA-256: d7da2cc615dcc22d7d3b0421cce04460da23c386a7b0fdd2a9e8d87981fa6d38
openstack-nova-api-20.6.2-2.20220112164912.8906554.el8ost.noarch.rpm
SHA-256: f253fd0ac3be1d81737b96eac53834fee800fcf8985701ca5d2fd5d679061055
openstack-nova-common-20.6.2-2.20220112164912.8906554.el8ost.noarch.rpm
SHA-256: 225abdc9bee1cd04a51af53247bf6f445795613ba55f4253dd146e50fadc3ec3
openstack-nova-compute-20.6.2-2.20220112164912.8906554.el8ost.noarch.rpm
SHA-256: 1d15a81a66a89f47c0b1887dff041d693cc00fdd91ef2e52b666bc5320b43d2c
openstack-nova-conductor-20.6.2-2.20220112164912.8906554.el8ost.noarch.rpm
SHA-256: 1a475f8820a65975cc8977066621454eb1adedb493f0edf49df361a5d4d816c5
openstack-nova-console-20.6.2-2.20220112164912.8906554.el8ost.noarch.rpm
SHA-256: 60eba89607816fac656b6218d452fb94e330c7142d97e22b6c94149f5f622e0b
openstack-nova-migration-20.6.2-2.20220112164912.8906554.el8ost.noarch.rpm
SHA-256: 7399953eace53a5cb21f638f40a974ef3ffbc8a8b65827e78c225534255a8981
openstack-nova-novncproxy-20.6.2-2.20220112164912.8906554.el8ost.noarch.rpm
SHA-256: cce02968f2bd01b7bdedc742e111e0e61091df9afe05b6676d58b51f307cb273
openstack-nova-scheduler-20.6.2-2.20220112164912.8906554.el8ost.noarch.rpm
SHA-256: 77c3a1ba97b6166b0f174076f84be24776e9b7ca8fc6c02a69851c0200bd50ab
openstack-nova-serialproxy-20.6.2-2.20220112164912.8906554.el8ost.noarch.rpm
SHA-256: 1b5d64b690df294e4ae880fa9191650ccd0a2bdcfbff217a86b4e0ea20a93ffc
openstack-nova-spicehtml5proxy-20.6.2-2.20220112164912.8906554.el8ost.noarch.rpm
SHA-256: f529d1790c6eb9805866f350e06f128ed5446ca7611535056e28a5fc3585b095
python3-nova-20.6.2-2.20220112164912.8906554.el8ost.noarch.rpm
SHA-256: 04295d438af2b68b0029eead05a32a7c0f6f8653fd440a371acbcc4662966579
The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.