CVE-2017-7549
A flaw was found in instack-undercloud where pre-install and security policy scripts used insecure temporary files. A local user could exploit this flaw to conduct a symbolic-link attack, allowing them to overwrite the contents of arbitrary files.
Find out more about CVE-2017-7549 from the MITRE CVE dictionary dictionary and NIST NVD.
CVSS v3 metrics
| CVSS3 Base Score | 6.1 |
|---|---|
| CVSS3 Base Metrics | CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:C/C:H/I:L/A:N |
| Attack Vector | Local |
| Attack Complexity | High |
| Privileges Required | Low |
| User Interaction | Required |
| Scope | Changed |
| Confidentiality | High |
| Integrity Impact | Low |
| Availability Impact | None |
Red Hat Security Errata
| Platform | Errata | Release Date |
|---|---|---|
| OpenStack 9.0 Director for RHEL 7 (instack-undercloud) | RHSA-2017:2557 | 2017-08-30 |
| OpenStack 7.0 Director for RHEL 7 (instack-undercloud) | RHSA-2017:2693 | 2017-09-12 |
| OpenStack 8.0 Director for RHEL 7 (instack-undercloud) | RHSA-2017:2687 | 2017-09-12 |
| Red Hat OpenStack Platform 11.0 (Ocata) (instack-undercloud) | RHSA-2017:2726 | 2017-09-13 |
| Red Hat OpenStack Platform 10 (instack-undercloud) | RHSA-2017:2649 | 2017-09-06 |
Affected Packages State
| Platform | Package | State |
|---|---|---|
| Red Hat OpenStack Platform 9.0 | instack-undercloud | Will not fix |
| Red Hat OpenStack Platform 8.0 (Liberty) | instack-undercloud | Will not fix |
| Red Hat OpenStack Platform 12.0 | instack-undercloud | Not affected |
| Red Hat Enterprise Linux OpenStack Platform 7.0 (Kilo) for RHEL 7 | instack-undercloud | Will not fix |
| Red Hat Enterprise Linux OpenStack Platform 6.0 (Juno) for RHEL 7 | instack-undercloud | Will not fix |