Описание
A resource-permission flaw was found in the openstack-tripleo-heat-templates package where ceph.client.openstack.keyring is created as world-readable. A local attacker with access to the key could read or modify data on Ceph cluster pools for OpenStack as though the attacker were the OpenStack service, thus potentially reading or modifying data in an OpenStack Block Storage volume.
A resource-permission flaw was found in the openstack-tripleo-heat-templates package where ceph.client.openstack.keyring is created as world-readable. A local attacker with access to the key could read or modify data on Ceph cluster pools for OpenStack as though the attacker were the OpenStack service, thus potentially reading or modifying data in an OpenStack Block Storage volume.
To exploit this flaw, the attacker must have local access to an overcloud node. However by default, access to overcloud nodes is restricted and accessible only from the management undercloud server on an internal network. Follow good security principles in your networking environment to ensure that network access is properly controlled.
Меры по смягчению последствий
To mitigate the flaw, use an overcloud post-deploy script[1] to do the following on all overcloud nodes: key=/etc/ceph/ceph.client.openstack.keyring chown root:root $key chmod 600 $key setfacl -m u:glance:r $key setfacl -m u:cinder:r $key setfacl -m u:nova:r $key setfacl -m u: gnocchi:r $key If not using Red Hat OpenStack Platform director, then run the commands above manually on each overcloud node, Warning: Only running 'chmod 600 $key' alone (without an ACL) will prevent OpenStack from reading the key. [1] https://access.redhat.com/documentation/en-us/red_hat_openstack_platform/11/html-single/advanced_overcloud_customization/#sect-Customizing_Overcloud_PostConfiguration_All
Затронутые пакеты
| Платформа | Пакет | Состояние | Рекомендация | Релиз |
|---|---|---|---|---|
| Red Hat Enterprise Linux OpenStack Platform 6 (Juno) | openstack-tripleo-heat-templates | Will not fix | ||
| Red Hat Enterprise Linux OpenStack Platform 7 (Kilo) Director | openstack-tripleo-heat-templates | Will not fix | ||
| Red Hat OpenStack Platform 12 (Pike) | rhosp-director | Not affected | ||
| Red Hat OpenStack Platform 8 (Liberty) Director | openstack-tripleo-heat-templates | Will not fix | ||
| Red Hat OpenStack Platform 9 (Mitaka) Director | openstack-tripleo-heat-templates | Will not fix | ||
| Red Hat OpenStack Platform 10.0 (Newton) | openstack-tripleo-heat-templates | Fixed | RHSA-2018:1593 | 17.05.2018 |
| Red Hat OpenStack Platform 10.0 (Newton) | puppet-tripleo | Fixed | RHSA-2018:1593 | 17.05.2018 |
| Red Hat OpenStack Platform 11.0 (Ocata) | openstack-tripleo-heat-templates | Fixed | RHSA-2018:1627 | 18.05.2018 |
| Red Hat OpenStack Platform 11.0 (Ocata) | puppet-tripleo | Fixed | RHSA-2018:1627 | 18.05.2018 |
| Red Hat OpenStack Platform 12.0 (Pike) | openstack-tripleo-heat-templates | Fixed | RHSA-2018:0602 | 28.03.2018 |
Показывать по
Дополнительная информация
Статус:
EPSS
8.4 High
CVSS3
Связанные уязвимости
A resource-permission flaw was found in the openstack-tripleo-heat-templates package where ceph.client.openstack.keyring is created as world-readable. A local attacker with access to the key could read or modify data on Ceph cluster pools for OpenStack as though the attacker were the OpenStack service, thus potentially reading or modifying data in an OpenStack Block Storage volume.
A resource-permission flaw was found in the openstack-tripleo-heat-templates package where ceph.client.openstack.keyring is created as world-readable. A local attacker with access to the key could read or modify data on Ceph cluster pools for OpenStack as though the attacker were the OpenStack service, thus potentially reading or modifying data in an OpenStack Block Storage volume.
A resource-permission flaw was found in the openstack-tripleo-heat-tem ...
Openstack tripleo-heat-templates unauthenticated file access
EPSS
8.4 High
CVSS3