[QSA-0724212] Security Update Bundle

Qlustar Security Advisory 0724212

July 24th, 2021


Summary:

A Qlustar security update bundle is a cumulative update of packages that are taken from upstream Debian/Ubuntu without modification. Only packages that are used in a typical HPC/Storage cluster installation are mentioned in Qlustar Security Advisories. Other non-HPC related updates also enter the Qlustar repository, but their functionality is not separately verified by the Qlustar team. To track these updates subscribe to the general security mailing lists of Debian/Ubuntu and/or CentOS.

Package(s)       : see upstream description of individual package
Qlustar releases : 11.0, 12.0
Affected versions: All versions prior to this update
Vulnerability    : see upstream description of individual package
Problem type     : see upstream description of individual package
Qlustar-specific : no
CVE Id(s)        : see upstream description of individual package

This update includes several security related package updates from Debian/Ubuntu and CentOS. The following list provides references to the upstream security report of the corresponding packages. You can view the original upstream advisory by clicking on the corresponding title.

Relevant to Qlustar 12.0 and 11.0

systemd vulnerabilities

It was discovered that systemd incorrectly handled certain mount paths. A local attacker could possibly use this issue to cause systemd to crash, resulting in a denial of service.

Mitchell Frank discovered that systemd incorrectly handled DHCP FORCERENEW packets. A remote attacker could possibly use this issue to reconfigure servers.

QEMU vulnerabilities

Lei Sun discovered that QEMU incorrectly handled certain MMIO operations. An attacker inside the guest could possibly use this issue to cause QEMU to crash, resulting in a denial of service.

Cheolwoo Myung discovered that QEMU incorrectly handled SCSI device emulation. An attacker inside the guest could possibly use this issue to cause QEMU to crash, resulting in a denial of service.

It was discovered that QEMU incorrectly handled ARM Generic Interrupt Controller emulation. An attacker inside the guest could possibly use this issue to cause QEMU to crash, resulting in a denial of service.

Alexander Bulekov, Cheolwoo Myung, Sergej Schumilo, Cornelius Aschermann, and Simon Werner discovered that QEMU incorrectly handled e1000 device emulation. An attacker inside the guest could possibly use this issue to cause QEMU to hang, resulting in a denial of service.

It was discovered that QEMU incorrectly handled SDHCI controller emulation. An attacker inside the guest could use this issue to cause QEMU to crash, resulting in a denial of service, or possibly execute arbitrary code. In the default installation, when QEMU is used in combination with libvirt, attackers would be isolated by the libvirt AppArmor profile.

It was discovered that QEMU incorrectly handled certain NIC emulation devices. An attacker inside the guest could possibly use this issue to cause QEMU to hang or crash, resulting in a denial of service.

Remy Noel discovered that QEMU incorrectly handled the USB redirector device. An attacker inside the guest could possibly use this issue to cause QEMU to consume resources, resulting in a denial of service.

It was discovered that QEMU incorrectly handled the virtio vhost-user GPU device. An attacker inside the guest could possibly use this issue to cause QEMU to consume resources, leading to a denial of service.

It was discovered that QEMU incorrectly handled the virtio vhost-user GPU device. An attacker inside the guest could possibly use this issue to obtain sensitive host information.

It was discovered that QEMU incorrectly handled the virtio vhost-user GPU device. An attacker inside the guest could use this issue to cause QEMU to crash, resulting in a denial of service, or possibly execute arbitrary code. In the default installation, when QEMU is used in combination with libvirt, attackers would be isolated by the libvirt AppArmor profile.

It was discovered that QEMU incorrectly handled the PVRDMA device. An attacker inside the guest could use this issue to cause QEMU to crash, resulting in a denial of service, or possibly execute arbitrary code. In the default installation, when QEMU is used in combination with libvirt, attackers would be isolated by the libvirt AppArmor profile.

It was discovered that QEMU SLiRP networking incorrectly handled certain udp packets. An attacker inside a guest could possibly use this issue to leak sensitive information from the host.

Avahi vulnerability

Thomas Kremer discovered that Avahi incorrectly handled termination signals on the Unix socket. A local attacker could possibly use this issue to cause Avahi to hang, resulting in a denial of service.

PHP vulnerabilities

It was discovered that PHP incorrectly handled certain PHAR files. A remote attacker could possibly use this issue to cause PHP to crash, resulting in a denial of service, or possibly obtain sensitive information.

It was discovered that PHP incorrectly handled parsing URLs with passwords. A remote attacker could possibly use this issue to cause PHP to mis-parse the URL and produce wrong data.

It was discovered that PHP incorrectly handled certain malformed XML data when being parsed by the SOAP extension. A remote attacker could possibly use this issue to cause PHP to crash, resulting in a denial of service.

It was discovered that PHP incorrectly handled the pdo_firebase module. A remote attacker could possibly use this issue to cause PHP to crash, resulting in a denial of service.

It was discovered that PHP incorrectly handled the FILTER_VALIDATE_URL check. A remote attacker could possibly use this issue to perform a server- side request forgery attack.

CentOS 7.9 / 8.4 security updates

Please check the CentOS mailing list for details about CentOS 7/8 updates that entered this release (everything from July 6th, 2021 to July 23rd, 2021).

Update instructions:

The problem can be corrected by updating your system to the following or more recent package versions:

For Qlustar 12.0

qlustar-module-core-focal-amd64-12.0.0     12.0.0.5-b542f1391
qlustar-module-core-centos7-amd64-12.0.0   12.0.0.5-b542f1391
qlustar-module-core-centos8-amd64-12.0.0   12.0.0.5-b542f1391

For Qlustar 11.0

qlustar-module-core-bionic-amd64-11.0.1    11.0.1.9-b543f1392
qlustar-module-core-centos7-amd64-11.0.1   11.0.1.9-b543f1392
qlustar-module-core-centos8-amd64-11.0.1   11.0.1.9-b543f1392

Special Update instructions:

In addition to the steps described in the general Qlustar Update Instructions these updates require the following:

  • On Qlustar 12: Also write the dnsmasq config with QluMan before rebooting.
  • On Qlustar 11: Also perform the manual steps ‘7. Migration to GRUB PXE booting’ and ‘11. Adjust root bash shell initialization’ as described in the Release Notes if you haven’t done so yet.