CVE-2017-12155
Find out more about CVE-2017-12155 from the MITRE CVE dictionary and NIST NVD.
CVSS v3 metrics
| CVSS3 Base Score | 8.4 |
|---|---|
| CVSS3 Base Metrics | CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N |
| Attack Vector | Local |
| Attack Complexity | Low |
| Privileges Required | Low |
| User Interaction | None |
| Scope | Changed |
| Confidentiality Impact | High |
| Integrity Impact | High |
| Availability Impact | None |
Red Hat Security Errata
| Platform | Errata | Release Date |
|---|---|---|
| Red Hat OpenStack Platform 10 | RHSA-2018:1593 | 2018-05-17 |
| Red Hat OpenStack Platform 11.0 (Ocata) | RHSA-2018:1627 | 2018-05-18 |
| Red Hat OpenStack Platform 12.0 (openstack-tripleo-heat-templates) | RHSA-2018:0602 | 2018-03-28 |
Affected Packages State
| Platform | Package | State |
|---|---|---|
| Red Hat OpenStack Platform 12.0 | rhosp-director | Not affected |
| Red Hat Enterprise Linux OpenStack Platform 6.0 (Juno) for RHEL 7 | openstack-tripleo-heat-templates | Will not fix |
| OpenStack 9.0 Director for RHEL 7 | openstack-tripleo-heat-templates | Will not fix |
| OpenStack 8.0 Director for RHEL 7 | openstack-tripleo-heat-templates | Will not fix |
| OpenStack 7.0 Director for RHEL 7 | openstack-tripleo-heat-templates | Will not fix |
Acknowledgements
Red Hat would like to thank Katuya Kawakami (NEC) for reporting this issue.
Mitigation
To mitigate the flaw, use an overcloud post-deploy script[1] to do the following on all overcloud nodes:
```sh
key=/etc/ceph/ceph.client.openstack.keyring
chown root:root $key
chmod 600 $key
setfacl -m u:glance:r $key
setfacl -m u:cinder:r $key
setfacl -m u:nova:r $key
setfacl -m u:gnocchi:r $key
```
If not using Red Hat OpenStack Platform director, run the commands above manually on each overcloud node.
Warning: Running 'chmod 600 $key' alone (without the ACL entries) will prevent the OpenStack services from reading the key.
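To confirm that a node ended up in the mitigated state (root:root, no group/other access, and only the four service users holding read-only ACL entries), the long-form `getfacl` output can be audited. The following is an added example, not code from the Red Hat advisory; it assumes only the standard `getfacl` output format, and the sample dump is constructed.

```python
# Added example (not code from the Red Hat advisory): audit a long-form
# `getfacl` dump of the keyring against the state the mitigation produces.
ALLOWED_READERS = {"glance", "cinder", "nova", "gnocchi"}  # the setfacl users

def audit_keyring_acl(getfacl_output, allowed=ALLOWED_READERS):
    """Return findings; [] means root:root, no group/other access, read-only ACLs."""
    findings, seen = [], set()
    for raw in getfacl_output.splitlines():
        line = raw.partition("#effective:")[0].strip()  # drop mask annotations
        if not line:
            continue
        if line.startswith("#"):                  # "# owner:", "# group:", "# file:"
            key, _, value = line[2:].partition(":")
            if key in ("owner", "group") and value.strip() != "root":
                findings.append(f"{key} is {value.strip()!r}, expected root")
            continue
        kind, name, perms = line.split(":", 2)
        if kind == "user" and name:               # named service user from setfacl
            seen.add(name)
            if name not in allowed:
                findings.append(f"unexpected ACL user {name!r} with {perms}")
            elif perms != "r--":
                findings.append(f"{name} has {perms}, expected r--")
        elif kind == "user" and "x" in perms:     # owner entry, expected rw-
            findings.append(f"owner entry grants {perms}")
        elif kind == "group" and name:
            findings.append(f"unexpected ACL group {name!r} with {perms}")
        elif kind == "group" and perms != "---":  # owning group, expected --- (chmod 600)
            findings.append(f"group entry grants {perms}")
        elif kind == "other" and perms != "---":
            findings.append(f"other entry grants {perms}")
        elif kind == "mask" and perms != "r--":   # mask caps every named entry
            findings.append(f"mask is {perms}, expected r--")
    for missing in sorted(allowed - seen):
        findings.append(f"{missing} has no read ACL and cannot read the key")
    return findings

# Constructed sample of what getfacl prints after the mitigation commands.
MITIGATED = """\
# owner: root
# group: root
user::rw-
user:glance:r--
user:cinder:r--
user:nova:r--
user:gnocchi:r--
group::---
mask::r--
other::---
"""
```

Feed it the output of `getfacl /etc/ceph/ceph.client.openstack.keyring` from each overcloud node; a non-empty list names exactly which part of the mitigation is missing, including the "chmod 600 without ACLs" case from the warning above.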
