Summer Long

**Name of the Vulnerable Software and Affected Versions** openstack-tripleo-heat-templates (affected versions not specified) **Description** A flaw was found in openstack-tripleo-heat-templates where plain passwords from RHSM exist in the logs during OSP13 deployment with subscription-manager. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: OpenStack Orchestration (heat) service versions prior to 8.0.0 OpenStack Orchestration (heat) service version 6.1.0 OpenStack Orchestration (heat) service version 7.0.2 Description: An access-control flaw was found in the OpenStack Orchestration (heat) service where a service log directory was improperly made world readable. A malicious system user could exploit this flaw to access sensitive information. Recommendations: For versions prior to 8.0.0, update to version 8.0.0 or later to resolve the issue. For version 6.1.0, update to a version later than 6.1.0 to resolve the issue. For version 7.0.2, update to a version later than 7.0.2 to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** puppet-swift versions prior to 8.2.1 puppet-swift versions prior to 9.4.4 **Description** The issue concerns an information-disclosure problem in Red Hat OpenStack Platform director's installation of Object Storage (swift). It occurs because the Puppet script responsible for deploying the service incorrectly removes and recreates the proxy-server.conf file with world-readable permissions. **Recommendations** For versions prior to 8.2.1, update to version 8.2.1 or later. For versions prior to 9.4.4, update to version 9.4.4 or later.

**Name of the Vulnerable Software and Affected Versions** puppet-tripleo versions prior to 5.5.0 puppet-tripleo versions prior to 6.2.0 **Description** The issue is related to an access-control flaw in the IPtables rules management, which allows the creation of TCP/UDP rules with empty port values. If SSL is enabled, a malicious user could potentially use these open ports to gain access to unauthorized resources. **Recommendations** For versions prior to 5.5.0, update to version 5.5.0 or later to resolve the issue. For versions prior to 6.2.0, update to version 6.2.0 or later to resolve the issue. As a temporary workaround, consider restricting access to the IPtables rules management until a patch is available.

**Name of the Vulnerable Software and Affected Versions** instack-undercloud versions 5.3.0 through 7.2.0 **Description** A flaw was found in instack-undercloud where pre-install and security policy scripts used insecure temporary files. This could allow a local user to conduct a symbolic-link attack, enabling them to overwrite the contents of arbitrary files. **Recommendations** For instack-undercloud version 5.3.0, consider restricting access to temporary files used by pre-install and security policy scripts until a patch is available. For instack-undercloud version 6.1.0, restrict access to temporary files used by pre-install and security policy scripts until a patch is available. For instack-undercloud version 7.2.0, restrict access to temporary files used by pre-install and security policy scripts until a patch is available.