Bug 1599899 (CVE-2017-15139)

Summary: CVE-2017-15139 openstack-cinder: Data retained after deletion of a ScaleIO volume
Product: [Other] Security Response
Reporter: Pedro Sampaio <psampaio>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Version: unspecified
CC: abishop, ahardin, apevec, arkady_kanevsky, bleanhar, ccoleman, chrisw, cinder-bugs, dedgar, eharney, jamsmith, jgoulding, jjoyce, jokerman, jschluet, kbasil, lhh, lpeer, markmc, mburns, mchappel, pgrist, sclewis, senrique, sisharma, slinaber, slong, srevivo, ssaha, tdecacqu, vbellur
Keywords: Security
Hardware: All
OS: Linux
Fixed In Version: cinder 10.0.8, cinder 13.0.0.0rc2, cinder 12.04
Doc Text:
An information-leak flaw was found in openstack-cinder deployments using the third-party EMC ScaleIO backend. It was possible for new volumes to contain previous data if they were created from storage pools which had disabled zero-padding. An attacker could exploit this flaw to obtain sensitive information.
Last Closed: 2019-06-10 10:32:20 UTC
Bug Depends On: 1610143, 1610144, 1610145, 1610146, 1610147, 1610148, 1622250    
Bug Blocks: 1599900    

Description Pedro Sampaio 2018-07-10 21:27:57 UTC
Summary
Certain storage volume configurations allow newly created volumes to contain previous data. This could lead to leakage of sensitive information between tenants.

Affected Services / Software
Cinder releases up to and including Queens with ScaleIO volumes using thin volumes and zero padding.

External references:

https://wiki.openstack.org/wiki/OSSN/OSSN-0084

Upstream bug:

https://bugs.launchpad.net/ossn/+bug/1699573

Comment 3 Summer Long 2018-07-31 00:20:49 UTC
The 2018 upstream fix prevents the creation of thick volumes with disabled zero padding by default (although this can be overridden with the config option sio_allow_non_padded_thick_volumes).
https://git.openstack.org/cgit/openstack/cinder/commit/?id=7feb62197d371ab7253dc86a34af6ff8b484b4df 
Note: fix is in 13 dev milestone, to be released with Rocky.

Comment 6 Summer Long 2018-07-31 04:14:17 UTC
Created openstack-cinder tracking bugs for this issue:

Affects: openstack-rdo [bug 1610143]

Comment 18 Summer Long 2018-08-20 00:22:20 UTC
Upstream bug for thin volumes: https://bugs.launchpad.net/cinder/+bug/1784871
Upstream patch (scaleIO): https://review.openstack.org/#/c/592001/
Upstream rocky (not merged yet): https://review.openstack.org/593188

Comment 22 Summer Long 2018-08-21 23:35:15 UTC
Next patch: https://review.openstack.org/#/c/593694/

Comment 23 Summer Long 2018-08-28 00:33:07 UTC
Upstream queens: https://review.openstack.org/596879

Comment 24 Summer Long 2018-09-11 23:04:24 UTC
Upstream pike: https://review.openstack.org/601681

Comment 25 Summer Long 2018-09-21 00:35:49 UTC
Upstream ocata: https://review.openstack.org/#/c/604105/

Comment 26 Summer Long 2018-10-02 01:30:07 UTC
Upstream newton: https://review.openstack.org/#/c/606130/

Comment 28 Summer Long 2018-10-10 02:18:15 UTC
Mitigation:

This flaw only affects Red Hat OpenStack Platform deployments which use the third-party EMC ScaleIO driver plugin. To mitigate this flaw, ensure all volumes use zero-padding by updating the ScaleIO storage-pool policy. 
Note: Only an empty pool's policy can be changed.

~~~
scli --modify_zero_padding_policy
   (((--protection_domain_id <ID> |
   --protection_domain_name <NAME>)
   --storage_pool_name <NAME>) | --storage_pool_id <ID>)
   (--enable_zero_padding | --disable_zero_padding)

# Example: enable zero-padding on storage pool "scale1" in protection domain "pd10"
scli --modify_zero_padding_policy \
    --protection_domain_name pd10 --storage_pool_name scale1 \
    --enable_zero_padding
~~~

Comment 30 Summer Long 2018-10-16 01:52:08 UTC
Statement:

With this update, disabled zero-padding is no longer the default for new volumes. Users can override this behavior by setting the new configuration item, "sio_allow_non_padded_volumes=True". However, the default should not be overridden if multiple tenants will be using volumes from a shared Storage Pool.
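
An added example, not part of the bug report or of Cinder's code: a check over cinder.conf text that reports enabled ScaleIO backends where either override option named in this bug is switched on. The sample config, its section names, and matching the driver by the substring "scaleio" are assumptions made for the illustration.

```python
import configparser

# The two override options quoted in this bug. A true value re-allows volumes
# from storage pools whose zero-padding is disabled.
OVERRIDES = ("sio_allow_non_padded_volumes", "sio_allow_non_padded_thick_volumes")
TRUE_VALUES = {"1", "true", "yes", "on"}

# Constructed sample config (backend names and driver path are assumptions).
SAMPLE_CONF = """
[DEFAULT]
enabled_backends = sio_gold, sio_shared, lvm1

[sio_gold]
volume_driver = cinder.volume.drivers.dell_emc.scaleio.driver.ScaleIODriver
sio_allow_non_padded_volumes = True

[sio_shared]
volume_driver = cinder.volume.drivers.dell_emc.scaleio.driver.ScaleIODriver

[lvm1]
volume_driver = cinder.volume.drivers.lvm.LVMVolumeDriver
sio_allow_non_padded_volumes = True

[sio_old]
volume_driver = cinder.volume.drivers.dell_emc.scaleio.driver.ScaleIODriver
sio_allow_non_padded_thick_volumes = true
"""


def audit_cinder_conf(text):
    """Return sorted (section, option) pairs where a ScaleIO backend allows non-padded volumes."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    # If enabled_backends is set, only those sections are live backends.
    enabled = {b.strip() for b in cp.defaults().get("enabled_backends", "").split(",") if b.strip()}
    findings = []
    for section in cp.sections():
        if enabled and section not in enabled:
            continue
        # configparser lets a section inherit [DEFAULT] values, so an override
        # placed there is reported for every ScaleIO backend (conservative).
        if "scaleio" not in cp.get(section, "volume_driver", fallback="").lower():
            continue
        for opt in OVERRIDES:
            if cp.get(section, opt, fallback="false").strip().lower() in TRUE_VALUES:
                findings.append((section, opt))
    return sorted(findings)
```

Any backend this reports draws from a pool policy that the Statement above says should not be used when multiple tenants share the Storage Pool.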

Comment 31 errata-xmlrpc 2018-11-13 22:13:31 UTC
This issue has been addressed in the following products:

  Red Hat OpenStack Platform 13.0 (Queens)

Via RHSA-2018:3601 https://access.redhat.com/errata/RHSA-2018:3601

Comment 33 Sofia Enriquez 2019-01-25 22:46:52 UTC
Tomas, sorry for the wrong update. 
The OpenStack Vulnerability Management Team keeps the bug still only in the "Confirmed" state.
OpenStack Gerrit 592001, 593694 and 596658 were already backported to OSP10.

Comment 34 errata-xmlrpc 2019-04-30 16:58:37 UTC
This issue has been addressed in the following products:

  Red Hat OpenStack Platform 10.0 (Newton)

Via RHSA-2019:0917 https://access.redhat.com/errata/RHSA-2019:0917

Comment 35 arkady kanevsky 2019-05-10 19:28:40 UTC
1. What specific Red Hat OpenStack Platform version to validate? From the bug, https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-15139, the fix is in ‘cinder 10.0.8, cinder 13.0.0.0rc2, cinder 12.04’, but I’m not sure what version we’re talking about.
2. What specific ScaleIO/VxFlexOS array version to validate?
3. What specific ScaleIO/VxFlexOS deployment option to validate, although I think 2-layer should be good for validating the fix.
• 2-layer storage? This is when the ScaleIO/VxFlexOS storage is installed on separate servers outside of the OpenStack nodes.
• Or hyperconverged? This is when OpenStack and the storage are installed on the same servers.