Red Hat Security Advisory 2015-0841-01 – The Red Hat Support plug-in for Red Hat OpenStack is a Technology Preview feature which offers seamless integrated access to Red Hat subscription services from the Red Hat OpenStack administration portal. The plug-in provides automated functionality that enables quicker help, answers, and proactive services. It offers easy and instant access to Red Hat exclusive knowledge, resources, engagement, and diagnostic features. It was found that the local log-viewing function of the redhat-access-plugin for OpenStack Dashboard did not sanitize user input. An authenticated user could use this flaw to read an arbitrary file with the permissions of the web server.

Red Hat Security Advisory 2015-0844-01 – OpenStack Compute launches and schedules large networks of virtual machines, creating a redundant and scalable cloud computing platform. Compute provides the software, control panels, and APIs required to orchestrate a cloud, including running virtual machine instances and controlling access through users and projects. It was discovered that the OpenStack Compute console websocket did not correctly verify the origin header. An attacker could use this flaw to conduct a cross-site websocket hijack attack. Note that only Compute setups with VNC or SPICE enabled were affected by this flaw.

HP Security Bulletin HPSBMU03264 1 – Potential security vulnerabilities have been identified with HP Network Automation. These include Cross Site Request Forgery (CSRF), Cross Site Scripting (XSS), clickjacking and other vulnerabilities which can be used to create remote exploits. Revision 1 of this advisory.

Debian Linux Security Advisory 3228-1 – Emanuele Rocca discovered that ppp, a daemon implementing the Point-to-Point Protocol, was subject to a buffer overflow when communicating with a RADIUS server. This would allow unauthenticated users to cause a denial-of-service by crashing the daemon.

Red Hat Security Advisory 2015-0839-01 – OpenStack Dashboard provides administrators and users a graphical interface to access, provision and automate cloud-based resources. The dashboard allows cloud administrators to get an overall view of the size and state of the cloud and it provides end-users a self-service portal to provision their own resources within the limits set by administrators. A denial of service flaw was found in the OpenStack Dashboard when using the db or memcached session engine. An attacker could make repeated requests to the login page, which would result in a large number of unwanted backend session entries, possibly leading to a denial of service.

Red Hat Security Advisory 2015-0837-01 – OpenStack Image service provides discovery, registration, and delivery services for disk and server images. It provides the ability to copy or snapshot a server image, and immediately store it away. Stored images can be used as a template to get new servers up and running quickly and more consistently than installing a server operating system and individually configuring additional services. A storage quota bypass flaw was found in OpenStack Image. If an image was deleted while it was being uploaded, it would not count towards a user’s quota. A malicious user could use this flaw to deliberately fill the backing store, and cause a denial of service.

Red Hat Security Advisory 2015-0845-01 – OpenStack Dashboard provides administrators and users a graphical interface to access, provision and automate cloud-based resources. The dashboard allows cloud administrators to get an overall view of the size and state of the cloud and it provides end-users a self-service portal to provision their own resources within the limits set by administrators. A denial of service flaw was found in the OpenStack Dashboard when using the db or memcached session engine. An attacker could make repeated requests to the login page, which would result in a large number of unwanted backend session entries, possibly leading to a denial of service.

Red Hat Security Advisory 2015-0843-01 – OpenStack Compute launches and schedules large networks of virtual machines, creating a redundant and scalable cloud computing platform. Compute provides the software, control panels, and APIs required to orchestrate a cloud, including running virtual machine instances and controlling access through users and projects. It was discovered that the OpenStack Compute console websocket did not correctly verify the origin header. An attacker could use this flaw to conduct a cross-site websocket hijack attack. Note that only Compute setups with VNC or SPICE enabled were affected by this flaw.

Red Hat Security Advisory 2015-0840-01 – The Red Hat Support plug-in for Red Hat OpenStack is a Technology Preview feature which offers seamless integrated access to Red Hat subscription services from the Red Hat OpenStack administration portal. The plug-in provides automated functionality that enables quicker help, answers, and proactive services. It offers easy and instant access to Red Hat exclusive knowledge, resources, engagement, and diagnostic features. It was found that the local log-viewing function of the redhat-access-plugin for OpenStack Dashboard did not sanitize user input. An authenticated user could use this flaw to read an arbitrary file with the permissions of the web server.

Red Hat Security Advisory 2015-0838-01 – OpenStack Image service provides discovery, registration, and delivery services for disk and server images. It provides the ability to copy or snapshot a server image, and immediately store it away. Stored images can be used as a template to get new servers up and running quickly and more consistently than installing a server operating system and individually configuring additional services. A storage quota bypass flaw was found in OpenStack Image. If an image was deleted while it was being uploaded, it would not count towards a user’s quota. A malicious user could use this flaw to deliberately fill the backing store, and cause a denial of service.