Bug 1285809 (CVE-2015-7514)

Summary: CVE-2015-7514 openstack-ironic: Ironic does not honor clean steps
Product: [Other] Security Response Reporter: Martin Prpič <mprpic>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED CURRENTRELEASE QA Contact: Toure Dunnon <tdunnon>
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: abaron, aortega, apevec, ayoung, chrisw, dallan, dtantsur, gkotton, gmollett, jschluet, lhh, lmartins, lpeer, markmc, mburns, rbryant, rhel-osp-director-maint, sclewis, security-response-team, srevivo, tdecacqu, tdunnon
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2016-06-20 04:08:36 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1299675, 1299676    
Bug Blocks: 1285811    
Attachments:
Description Flags
CVE-2015-7514-master-mitaka.patch
none
CVE-2015-7514-stable-liberty.patch none

Description Martin Prpič 2015-11-26 14:09:36 UTC 
A flaw was reported in Ironic:

Brad Morgan from Rackspace reported a vulnerability in Ironic. To prevent user data leak, Ironic is expected to "clean" a server after use, however that is transparently not happening. Previous tenant's data may be left behind on the disk and may be available to new users. All Ironic setups are affected.

This flaw is reported to affect versions >= 4.2.0 and <= 4.2.1.

Acknowledgements:

Red Hat would like to thank the OpenStack project for reporting this issue. Upstream acknowledges Brad Morgan from Rackspace as the original reporter.
Comment 1 Martin Prpič 2015-11-26 14:13:15 UTC 
Created attachment 1099283 [details]
CVE-2015-7514-master-mitaka.patch
Comment 2 Martin Prpič 2015-11-26 14:13:21 UTC 
Created attachment 1099284 [details]
CVE-2015-7514-stable-liberty.patch
Comment 3 Adam Mariš 2015-12-03 17:30:16 UTC 
Public via:

http://seclists.org/oss-sec/2015/q4/426