Bug 1489360 (CVE-2017-12155)
Summary: | CVE-2017-12155 openstack-tripleo-heat-templates: Ceph client keyring is world-readable when deployed by director | ||
---|---|---|---|
Product: | [Other] Security Response | Reporter: | Adam Mariš <amaris> |
Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
Status: | CLOSED ERRATA | QA Contact: | |
Severity: | medium | Docs Contact: | |
Priority: | medium | ||
Version: | unspecified | CC: | apevec, athomas, chrisw, dbecker, emacchi, gfidente, gmollett, jefbrown, jjoyce, johfulto, jomurphy, jschluet, kbasil, kschinck, lhh, lpeer, markmc, mburns, morazi, rbryant, rhel-osp-director-maint, rhos-maint, sclewis, seb, security-response-team, slinaber, slong, sparks, tbarron, tdecacqu, tsedovic, tvignaud, ykawada |
Target Milestone: | --- | Keywords: | Security |
Target Release: | --- | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | puppet-tripleo-7.4.7, puppet-tripleo-6.5.7 | Doc Type: | If docs needed, set a value |
Doc Text: |
A resource-permission flaw was found in the openstack-tripleo-heat-templates package where ceph.client.openstack.keyring is created as world-readable. A local attacker with access to the key could read or modify data on Ceph cluster pools for OpenStack as though the attacker were the OpenStack service, thus potentially reading or modifying data in an OpenStack Block Storage volume.
To exploit this flaw, the attacker must have local access to an overcloud node. However by default, access to overcloud nodes is restricted and accessible only from the management undercloud server on an internal network. Follow good security principles in your networking environment to ensure that network access is properly controlled.
|
Story Points: | --- |
Clone Of: | Environment: | ||
Last Closed: | 2019-06-08 03:24:49 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | |||
Bug Depends On: | 1491467, 1491468, 1491469, 1491470, 1491471, 1491472, 1491473, 1493311, 1518029, 1518030 | ||
Bug Blocks: | 1489366 |
Description
Adam Mariš
2017-09-07 09:25:29 UTC
Acknowledgments: Name: Katuya Kawakami (NEC) Mitigation: To mitigate the flaw, use an overcloud post-deploy script[1] to do the following on all overcloud nodes: key=/etc/ceph/ceph.client.openstack.keyring chown root:root $key chmod 600 $key setfacl -m u:glance:r $key setfacl -m u:cinder:r $key setfacl -m u:nova:r $key setfacl -m u: gnocchi:r $key If not using Red Hat OpenStack Platform director, then run the commands above manually on each overcloud node, Warning: Only running 'chmod 600 $key' alone (without an ACL) will prevent OpenStack from reading the key. [1] https://access.redhat.com/documentation/en-us/red_hat_openstack_platform/11/html-single/advanced_overcloud_customization/#sect-Customizing_Overcloud_PostConfiguration_All Created openstack-tripleo-heat-templates tracking bugs for this issue: Affects: openstack-rdo [bug 1493311] Upstream: https://bugs.launchpad.net/tripleo/+bug/1720787 puppet-tripleo https://review.openstack.org/519531 tripleo-heat-templates https://review.openstack.org/508975 https://review.openstack.org/522024 In reply to comment 13: I reformatted the security part of the erratum to meet the new criteria. Thanks for the heads up. Thanks Jason. Will do, and will pass on to the team. Thanks! This issue has been addressed in the following products: Red Hat OpenStack Platform 12.0 (Pike) Via RHSA-2018:0602 https://access.redhat.com/errata/RHSA-2018:0602 This issue has been addressed in the following products: Red Hat OpenStack Platform 10.0 (Newton) Via RHSA-2018:1593 https://access.redhat.com/errata/RHSA-2018:1593 This issue has been addressed in the following products: Red Hat OpenStack Platform 11.0 (Ocata) Via RHSA-2018:1627 https://access.redhat.com/errata/RHSA-2018:1627 |