tripleo-heat-templates@7.0.16 vulnerabilities

Heat templates for deploying OpenStack with OpenStack.

Direct Vulnerabilities

Known vulnerabilities in the tripleo-heat-templates package. This does not include vulnerabilities belonging to this package’s dependencies.

Vulnerabilities (each entry gives its Snyk severity badge, the affected versions and the fix status)

  • Insecure Defaults (severity: Medium)

Affected versions of this package are vulnerable to Insecure Defaults due to easily guessable credentials.

How to fix Insecure Defaults?

A fix was pushed into the master branch but not yet published.

Vulnerable versions: [0,) (all versions)
  • Information Exposure: plain passwords in overcloud_install.log (severity: Medium)

Affected versions of this package are vulnerable to Information Exposure by disclosing plain passwords in overcloud_install.log during OSP13 deployment with subscription-manager.

How to fix Information Exposure?

There is no fixed version for tripleo-heat-templates.

Vulnerable versions: [0,) (all versions)
  • Information Exposure: internal IP or hostname disclosed via www_authenticate_uri (severity: Medium)

Affected versions of this package are vulnerable to Information Exposure by allowing an external user to discover the internal IP or hostname. An attacker could exploit this by checking the www_authenticate_uri parameter (which is visible to all end users) in configuration files. This would give sensitive information which may aid in additional system exploitation.

How to fix Information Exposure?

Upgrade tripleo-heat-templates to version 16.0.0 or higher.

Vulnerable versions: [0,16.0.0)
  • Information Exposure: Ceph key readable by a local attacker (severity: Medium)

tripleo-heat-templates is a set of Heat templates for deploying OpenStack.

Affected versions of this package are vulnerable to Information Exposure. A local attacker with access to the key could read or modify data on Ceph cluster pools for OpenStack as though the attacker were the OpenStack service, thus potentially reading or modifying data in an OpenStack Block Storage volume.

How to fix Information Exposure?

Upgrade tripleo-heat-templates to version 8.0.0.0b2 or higher.

Vulnerable versions: [,8.0.0.0b2)
  • Privilege Escalation: libvirtd TLS transport shares the CA of all other services (severity: High)

tripleo-heat-templates is a set of Heat templates for deploying OpenStack using OpenStack.

Affected versions of this package are vulnerable to Privilege Escalation. When libvirtd is configured by OSP director (tripleo-heat-templates) to use the TLS transport, it defaults to the same certificate authority as all non-libvirtd services. As no additional authentication is configured, this allows those services to connect to libvirtd (which is equivalent to root access on the host).

How to fix Privilege Escalation?

Upgrade tripleo-heat-templates to version 8.0.0.0b2 or higher.

Vulnerable versions: [,8.0.0.0b2)