exploitDog
CVE-2017-15139

Published: 10 Jul 2018
Source: redhat
CVSS3: 4.8
EPSS: Low

Description

A vulnerability was found in openstack-cinder releases up to and including Queens, allowing newly created volumes in certain storage volume configurations to contain previous data. It specifically affects ScaleIO volumes using thin volumes and zero padding. This could lead to leakage of sensitive information between tenants.

An information-leak flaw was found in openstack-cinder deployments using the third-party EMC ScaleIO backend. It was possible for new volumes to contain previous data if they were created from storage pools which had disabled zero-padding. An attacker could exploit this flaw to obtain sensitive information.

Report

With this update, disabled zero-padding is no longer the default for new volumes. Users can override this behavior by setting the new configuration item, "sio_allow_non_padded_volumes=True". However, the default should not be overridden if multiple tenants will be using volumes from a shared Storage Pool.

Mitigation

This flaw only affects Red Hat OpenStack Platform deployments which use the third-party EMC ScaleIO driver plugin. To mitigate this flaw, ensure all volumes use zero-padding by updating the ScaleIO storage-pool policy. Note: Only an empty pool's policy can be changed.

Command syntax:
scli --modify_zero_padding_policy (((--protection_domain_id <ID> | --protection_domain_name <NAME>) --storage_pool_name <NAME>) | --storage_pool_id <ID>) (--enable_zero_padding | --disable_zero_padding)

Example:
scli --modify_zero_padding_policy --protection_domain_name pd10 --storage_pool_name scale1 --enable_zero_padding

Affected packages

Platform | Package | State | Advisory | Release date
Red Hat Enterprise Linux OpenStack Platform 7 (Kilo) | openstack-cinder | Not affected | - | -
Red Hat Fuse 7 | openstack-cinder | Not affected | - | -
Red Hat JBoss Fuse 6 | openstack-cinder | Not affected | - | -
Red Hat OpenShift Enterprise 3 | cinder | Not affected | - | -
Red Hat OpenStack Platform 12 (Pike) | openstack-cinder | Affected | - | -
Red Hat OpenStack Platform 14 (Rocky) | openstack-cinder | Not affected | - | -
Red Hat OpenStack Platform 8 (Liberty) | openstack-cinder | Will not fix | - | -
Red Hat OpenStack Platform 9 (Mitaka) | openstack-cinder | Affected | - | -
Red Hat Storage 3 | cinder | Not affected | - | -
Red Hat OpenStack Platform 10.0 (Newton) | openstack-cinder | Fixed | RHSA-2019:0917 | 30.04.2019


Additional information

Severity: Moderate
Weakness: CWE-200
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1599899
openstack-cinder: Data retained after deletion of a ScaleIO volume

EPSS: 0.00242 (percentile: 47%), Low

CVSS3: 4.8 Medium

Related vulnerabilities

CVSS3: 7.5
ubuntu
more than 7 years ago

A vulnerability was found in openstack-cinder releases up to and including Queens, allowing newly created volumes in certain storage volume configurations to contain previous data. It specifically affects ScaleIO volumes using thin volumes and zero padding. This could lead to leakage of sensitive information between tenants.

CVSS3: 7.5
nvd
more than 7 years ago

A vulnerability was found in openstack-cinder releases up to and including Queens, allowing newly created volumes in certain storage volume configurations to contain previous data. It specifically affects ScaleIO volumes using thin volumes and zero padding. This could lead to leakage of sensitive information between tenants.

CVSS3: 7.5
debian
more than 7 years ago

A vulnerability was found in openstack-cinder releases up to and inclu ...

CVSS3: 7.5
github
more than 3 years ago

A vulnerability was found in openstack-cinder releases up to and including Queens, allowing newly created volumes in certain storage volume configurations to contain previous data. It specifically affects ScaleIO volumes using thin volumes and zero padding. This could lead to leakage of sensitive information between tenants.