Executive Summary

Title: openstack-heat security, bug fix, and enhancement update
Name: RHSA-2017:1243
First vendor publication: 2017-05-17
Vendor: RedHat
Last vendor modification: 2017-05-17
Severity (vendor): N/A
Revision: 01

Security-Database Scoring CVSS v2

CVSS vector: (AV:L/AC:L/Au:N/C:P/I:N/A:N)
CVSS base score: 2.1
CVSS impact score: 2.9
CVSS exploitability score: 3.9
Attack range: Local
Attack complexity: Low
Authentication: None required


Problem Description:

An update for openstack-heat is now available for Red Hat OpenStack Platform 10.0 (Newton).

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat OpenStack Platform 10.0 - noarch

3. Description:

OpenStack Orchestration (heat) is a template-driven engine used to specify and deploy configurations for Compute, Storage, and OpenStack Networking. The service can be used to automate post-deployment actions, which in turn allows automated provisioning of infrastructure, services, and applications. Additionally, Orchestration can be integrated with Telemetry alarms to implement auto-scaling for certain infrastructure resources.

The following packages have been upgraded to a later upstream version: openstack-heat (7.0.2). (BZ#1431258)

Security Fix(es):

* An access-control flaw was found in the OpenStack Orchestration (heat) service where a service log directory was improperly made world readable. A malicious system user could exploit this flaw to access sensitive information. (CVE-2017-2621)

Red Hat would like to thank Hans Feldt (Ericsson) for reporting this issue.
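The flaw above is a permission problem on a directory, not on individual files, so a local account with no heat credentials could list and read the logs. The following shell snippet is an added example (it is not part of the advisory or of the openstack-heat packaging) that detects a world-readable service log directory and removes the "other" bits. The directory path passed in, the use of chmod o-rwx rather than a fixed mode, and the helper names are assumptions for illustration; on a real host you would also confirm the owner and group (the heat service account) with ls -ld.

```shell
#!/bin/sh
# Added example, not code from RHSA-2017:1243 or the heat project.
# Checks whether a log directory is readable by "other" users, which is the
# condition CVE-2017-2621 describes for /var/log/heat/, and tightens it.

# check_log_dir DIR
#   returns 0 if DIR is not world readable,
#           1 if DIR is world readable (the vulnerable state),
#           2 if DIR does not exist.
check_log_dir() {
    dir="$1"
    if [ ! -d "$dir" ]; then
        echo "no such directory: $dir" >&2
        return 2
    fi
    # Octal mode, e.g. 755 or 2750. GNU stat (RHEL) first, BSD stat as fallback.
    mode=$(stat -c '%a' "$dir" 2>/dev/null || stat -f '%Lp' "$dir")
    # The last octal digit is the "other" permission triplet; bit 4 is read.
    other=$(( mode % 10 ))
    if [ $(( other & 4 )) -ne 0 ]; then
        echo "WORLD-READABLE: $dir (mode $mode)"
        return 1
    fi
    echo "ok: $dir (mode $mode)"
    return 0
}

# harden_log_dir DIR
#   Drops read/write/search for "other" while leaving owner and group bits
#   alone, so the service account and any group used for log collection keep
#   working. Assumed remediation, not the exact change shipped in the package.
harden_log_dir() {
    chmod o-rwx "$1"
}

# Constructed demonstration against a temporary directory that mimics the
# vulnerable mode; never run the demo against a live /var/log/heat blindly.
demo() {
    tmp=$(mktemp -d)
    mkdir -m 755 "$tmp/heat"          # the world-readable state
    check_log_dir "$tmp/heat" || true
    harden_log_dir "$tmp/heat"
    check_log_dir "$tmp/heat"
    rm -rf "$tmp"
}
```

Run check_log_dir /var/log/heat on a host to see whether it is still in the vulnerable state before applying the update; a non-zero exit with the WORLD-READABLE line means any local user can read the logs. Tightening the directory does not help if the log contents themselves carry secrets (compare the separately listed bug about passwords written to heat-api.log in DEBUG mode), so treat it as one layer, not a complete fix.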

4. Solution:

For details on how to apply this update, which includes the changes described in this advisory, refer to:


5. Bugs fixed (https://bugzilla.redhat.com/):

1420990 - CVE-2017-2621 openstack-heat: /var/log/heat/ is world readable
1424578 - Heat doesn't inject personality files on rebuild
1424886 - Password written in clear text in heat-api.log with DEBUG mode [openstack-10]
1428632 - OpenStack Heat may fail to connect keystone admin API in multi-region environment
1428877 - [UPDATES] ERROR: The "pre-update" hook is not defined on SoftwareDeployment "UpdateDeployment"
1431258 - Rebase openstack-heat to stable/newton hash 6533b3d

Original Source

Url : https://rhn.redhat.com/errata/RHSA-2017-1243.html

CWE : Common Weakness Enumeration

100% - CWE-532: Information Leak Through Log Files

CPE : Common Platform Enumeration


Alert History

2018-09-25 00:22:14
  • Multiple Updates
2018-07-29 09:21:23
  • Multiple Updates
2017-05-18 00:20:19
  • First insertion