CVE-2017-15139

Impact:
Moderate
Public Date:
2018-07-10
CWE:
CWE-200
Bugzilla:
1599899: CVE-2017-15139 openstack-cinder: Data retained after deletion of a ScaleIO volume
An information-leak flaw was found in openstack-cinder deployments using the third-party EMC ScaleIO backend. It was possible for new volumes to contain previous data if they were created from storage pools which had disabled zero-padding. An attacker could exploit this flaw to obtain sensitive information.

Find out more about CVE-2017-15139 from the MITRE CVE dictionary dictionary and NIST NVD.

Statement

With this update, disabled zero-padding is no longer the default for new volumes. Users can override this behavior by setting the new configuration item, "sio_allow_non_padded_volumes=True". However, the default should not be overridden if multiple tenants will be using volumes from a shared Storage Pool.

CVSS v3 metrics

NOTE: The following CVSS v3 metrics and score provided are preliminary and subject to review.

CVSS3 Base Score 4.8
CVSS3 Base Metrics CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:N/A:N
Attack Vector Network
Attack Complexity High
Privileges Required Low
User Interaction Required
Scope Unchanged
Confidentiality High
Integrity Impact None
Availability Impact None

Affected Packages State

Platform Package State
Red Hat OpenStack Platform 9.0 openstack-cinder Affected
Red Hat OpenStack Platform 8.0 (Liberty) openstack-cinder Affected
Red Hat OpenStack Platform 13.0 (Queens) openstack-cinder Affected
Red Hat OpenStack Platform 12.0 openstack-cinder Affected
Red Hat OpenStack Platform 10 openstack-cinder Affected
Red Hat OpenShift Enterprise 3 cinder Not affected
Red Hat JBoss Fuse 7 openstack-cinder Not affected
Red Hat JBoss Fuse 6 openstack-cinder Not affected
Red Hat Gluster Storage 3 cinder Not affected
Red Hat Enterprise Linux OpenStack Platform 7.0 (Kilo) for RHEL 7 openstack-cinder-2015 Not affected

Mitigation

This flaw only affects Red Hat OpenStack Platform deployments which use the third-party EMC ScaleIO driver plugin. To mitigate this flaw, ensure all volumes use zero-padding by updating the ScaleIO storage-pool policy.
Note: Only an empty pool's policy can be changed.

scli --modify_zero_padding_policy
   (((--protection_domain_id <ID> |
   --protection_domain_name <NAME>)
   --storage_pool_name <NAME>) | --storage_pool_id <ID>)
   (--enable_zero_padding | --disable_zero_padding)

Example:
scli --modify_zero_padding_policy
--protection_domain_name pd10 --storage_pool_name scale1
--enable_zero_padding

External References

This page is generated automatically and has not been checked for errors or omissions.

For clarification or corrections please contact Red Hat Product Security.

Last Modified
Close

Welcome! Check out the Getting Started with Red Hat page for quick tours and guides for common tasks.