Red Hat patches vulnerability in OpenStack subsystem that manages virtual machines
Red Hat recently patched a security flaw in an OpenStack subsystem used to provision network services to virtual machines (VMs), which could have given hackers access to network resources had it gone unnoticed.
Red Hat described the issue as a “race-condition flaw” in openstack-neutron, a component of the Red Hat OpenStack Platform that manages VMs, in which network security groups were disabled in the wake of a security update. The vulnerability is tracked as CVE-2017-7543 in the Common Vulnerabilities and Exposures (CVE) database.
“The race was only triggered by an update, at which point an attacker could access exposed tenant VMs and network resources,” Red Hat noted in its advisory. To address the issue, the company released updated packages for OpenStack 6.0 (Juno), 7.0 (Kilo), 8.0 (Liberty), 9.0 (Mitaka), 10.0 (Newton) and 11.0 (Ocata).
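The pattern the advisory describes, enforcement switched off while a policy is being rebuilt, is easiest to see in a small model. The following Python block is an added illustration, not code from openstack-neutron or from Red Hat, and it does not reproduce the actual mechanics of CVE-2017-7543; it only contrasts a filter that disables itself during a rule update (a fail-open window that a concurrent lookup can hit) with one that stages the new rule set and swaps it in with a single assignment. The rule format, the `NaiveFilter`/`AtomicFilter` classes and the `exposure_window` probe are all constructed for this example.

```python
"""Toy model of a policy-update race.

Constructed illustration only: this is not openstack-neutron code and does not
model the real CVE-2017-7543 beyond the general "enforcement disabled while the
rules are being replaced" pattern the advisory describes.
"""
from dataclasses import dataclass
from typing import FrozenSet, Iterator, List, Tuple

# Constructed rule format: a rule permits (protocol, destination port).
Rule = Tuple[str, int]


@dataclass
class NaiveFilter:
    """Racy update: turns enforcement off, clears the rules, re-adds them."""
    rules: FrozenSet[Rule] = frozenset()
    enforcing: bool = True

    def allows(self, proto: str, port: int) -> bool:
        # While enforcement is off every packet passes: the fail-open window.
        return (not self.enforcing) or (proto, port) in self.rules

    def update(self, new_rules: FrozenSet[Rule]) -> Iterator[str]:
        # Yield after each step so a concurrent lookup can be simulated between them.
        self.enforcing = False
        yield "enforcement disabled"
        self.rules = frozenset()
        yield "rules cleared"
        self.rules = frozenset(new_rules)
        yield "rules installed"
        self.enforcing = True
        yield "enforcement re-enabled"


@dataclass
class AtomicFilter:
    """Safe update: builds the new rule set aside and swaps the reference once."""
    rules: FrozenSet[Rule] = frozenset()

    def allows(self, proto: str, port: int) -> bool:
        return (proto, port) in self.rules

    def update(self, new_rules: FrozenSet[Rule]) -> Iterator[str]:
        staged = frozenset(new_rules)  # prepared off to the side, not yet visible
        yield "new rules staged"
        self.rules = staged            # single reference assignment: no gap
        yield "rules swapped"


def exposure_window(flt, new_rules: FrozenSet[Rule],
                    probe: Rule = ("tcp", 22)) -> List[str]:
    """Run an update step by step and return the steps after which a probe
    packet, permitted by neither the old nor the new rule set, would pass."""
    assert not flt.allows(*probe), "probe must be denied before the update"
    assert probe not in new_rules, "probe must be denied after the update"
    return [step for step in flt.update(new_rules) if flt.allows(*probe)]


if __name__ == "__main__":
    old = frozenset({("tcp", 80)})
    new = frozenset({("tcp", 443)})
    print("naive :", exposure_window(NaiveFilter(rules=old), new))
    print("atomic:", exposure_window(AtomicFilter(rules=old), new))
```

Run stand-alone, the naive filter reports three steps during which the unrelated probe packet would have been let through, while the atomic filter reports none; both end up with the same final rule set. The design point is that the safe version never has a state in which "no policy" is observable: the old rules stay in force until the complete new set replaces them.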
VMs allow service providers to spin up various network functions on top of a hypervisor, which sits between the hardware and the operating system (OS). VMs are a relatively young technology and are vulnerable to many of the same threats as physical machines, including security breaches, data loss and viruses. The hypervisor isolates the VMs so that if one VM is infected, the infection may not spread to the others.
VMs are difficult to secure given the complexity of the networks they give rise to. In addition, computer hackers have more opportunities to breach company networks as more businesses switch to the technology. The widespread adoption of virtualized networks isn’t expected to die down anytime soon. According to a recent report by MarketsandMarkets, the net worth of the global network functions virtualization (NFV) and software-defined network (SDN) market is expected to swell from $3.68 billion this year to $54.41 billion by 2022, at a Compound Annual Growth Rate (CAGR) of 71.4%.
This isn’t the first time Red Hat has had to deal with vulnerabilities either. In February, for instance, a different vulnerability, tracked as CVE-2017-6074 and more than 11 years old, was discovered in the mainline Linux kernel; it affected Red Hat Enterprise Linux 5, 6 and 7 and the Red Hat Enterprise MRG 2 kernels. The company rated the problem as Important severity and said it would resolve the flaw in future updates. In July, the company said it was very concerned about a CIA hacking tool targeting the Linux operating system. And just this week, Red Hat released kernel patches for Red Hat Enterprise Linux 6.7 and 7.3 to address mild to severe vulnerabilities.