Bug 1599899 (CVE-2017-15139) - CVE-2017-15139 openstack-cinder: Data retained after deletion of a ScaleIO volume [NEEDINFO]
Summary: CVE-2017-15139 openstack-cinder: Data retained after deletion of a ScaleIO vo...
Status: CLOSED ERRATA
Alias: CVE-2017-15139
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard: impact=moderate,public=20180710,repor...
Keywords: Security
Depends On: 1610143 1610144 1610145 1610146 1610147 1610148 1622250
Blocks: 1599900
TreeView+ depends on / blocked
 
Reported: 2018-07-10 21:27 UTC by Pedro Sampaio
Modified: 2019-06-11 11:13 UTC (History)
32 users (show)

(edit)
An information-leak flaw was found in openstack-cinder deployments using the third-party EMC ScaleIO backend. It was possible for new volumes to contain previous data if they were created from storage pools which had disabled zero-padding. An attacker could exploit this flaw to obtain sensitive information.
Clone Of:
(edit)
Last Closed: 2019-06-10 10:32:20 UTC
arkady_kanevsky: needinfo? (abishop)


Attachments (Terms of Use)


External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2018:3601 None None None 2018-11-13 22:13 UTC
OpenStack gerrit 592001 None master: MERGED cinder: ScaleIO: Disable volume creation without padding (Ibaf6e9b67d252a5aae1b0f64ec632ec26789c389) 2018-10-03 01:59 UTC
OpenStack gerrit 593694 None master: MERGED cinder: ScaleIO: Deprecate sio_allow_non_padded_thick_volumes (Iaf7173cbcd9fc0929dabe3b1cb2db4b47c8bf0bd) 2018-10-03 01:59 UTC
OpenStack gerrit 596658 None master: MERGED cinder: Fixed invalid number of arguments bug in ScaleIO driver (I6946f531e2bed4b3f7e4491ca26876dd68fd0fc8) 2018-10-03 01:59 UTC
Red Hat Product Errata RHSA-2019:0917 None None None 2019-04-30 16:58 UTC
Launchpad 1699573 None None None 2018-10-03 02:02 UTC
Launchpad 1784871 None None None 2018-10-03 02:01 UTC

Description Pedro Sampaio 2018-07-10 21:27:57 UTC
Summary
Certain storage volume configurations allow newly created volumes to contain previous data. This could lead to leakage of sensitive information between tenants.

Affected Services / Software
Cinder releases up to and including Queens with ScaleIO volumes using thin volumes and zero padding.

External references:

https://wiki.openstack.org/wiki/OSSN/OSSN-0084

Upstream bug:

https://bugs.launchpad.net/ossn/+bug/1699573

Comment 3 Summer Long 2018-07-31 00:20:49 UTC
The 2018 upstream fix prevents the creation of thick volumes with disabled zero padding by default (although can be overridden with config option, sio_allow_non_padded_thick_volumes).  
https://git.openstack.org/cgit/openstack/cinder/commit/?id=7feb62197d371ab7253dc86a34af6ff8b484b4df 
Note: fix is in 13 dev milestone, to be released with Rocky.

Comment 6 Summer Long 2018-07-31 04:14:17 UTC
Created openstack-cinder tracking bugs for this issue:

Affects: openstack-rdo [bug 1610143]

Comment 18 Summer Long 2018-08-20 00:22:20 UTC
Upstream bug for thin volumes: https://bugs.launchpad.net/cinder/+bug/1784871
Upstream patch (scaleIO):https://review.openstack.org/#/c/592001/ 
Upstream rocky (not merged yet): https://review.openstack.org/593188

Comment 22 Summer Long 2018-08-21 23:35:15 UTC
Next patch: https://review.openstack.org/#/c/593694/

Comment 23 Summer Long 2018-08-28 00:33:07 UTC
Upstream queens: https://review.openstack.org/596879

Comment 24 Summer Long 2018-09-11 23:04:24 UTC
Upstream pike: https://review.openstack.org/601681

Comment 25 Summer Long 2018-09-21 00:35:49 UTC
Upstream ocata: https://review.openstack.org/#/c/604105/

Comment 26 Summer Long 2018-10-02 01:30:07 UTC
Upstream newton: https://review.openstack.org/#/c/606130/

Comment 28 Summer Long 2018-10-10 02:18:15 UTC
Mitigation:

This flaw only affects Red Hat OpenStack Platform deployments which use the third-party EMC ScaleIO driver plugin. To mitigate this flaw, ensure all volumes use zero-padding by updating the ScaleIO storage-pool policy. 
Note: Only an empty pool's policy can be changed.

~~~
scli --modify_zero_padding_policy
   (((--protection_domain_id <ID> |
   --protection_domain_name <NAME>)
   --storage_pool_name <NAME>) | --storage_pool_id <ID>)
   (--enable_zero_padding | --disable_zero_padding)

Example:
scli --modify_zero_padding_policy
--protection_domain_name pd10 --storage_pool_name scale1
--enable_zero_padding
~~~

Comment 30 Summer Long 2018-10-16 01:52:08 UTC
Statement:

With this update, disabled zero-padding is no longer the default for new volumes. Users can override this behavior by setting the new configuration item, "sio_allow_non_padded_volumes=True". However, the default should not be overridden if multiple tenants will be using volumes from a shared Storage Pool.

Comment 31 errata-xmlrpc 2018-11-13 22:13:31 UTC
This issue has been addressed in the following products:

  Red Hat OpenStack Platform 13.0 (Queens)

Via RHSA-2018:3601 https://access.redhat.com/errata/RHSA-2018:3601

Comment 33 Sofia Enriquez 2019-01-25 22:46:52 UTC
Tomas, sorry for the wrong update. 
OpenStack Vulnerability Management Team keep the bug is still only in the "Confirmed" state.
OpenStack Gerrit 592001, 593694 and 596658 were already backported to OSP10.

Comment 34 errata-xmlrpc 2019-04-30 16:58:37 UTC
This issue has been addressed in the following products:

  Red Hat OpenStack Platform 10.0 (Newton)

Via RHSA-2019:0917 https://access.redhat.com/errata/RHSA-2019:0917

Comment 35 arkady kanevsky 2019-05-10 19:28:40 UTC
1.	What specific Red Hat OpenStack Platform version to validate? From the bug, https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-15139 , the fix is in ‘cinder 10.0.8,  cinder 13.0.0.0rc2, cinder 12.04’, but I’m not sure what version we’re talking about.
2.	What specific ScaleIO/VxFlexOS array version to validate?
3.	What specific ScaleIO/VxFlexOS deployment option to validate, although I think 2-layer should be good for validate the fix.
•	2-layer storage? This is when the ScaleIO/VxFlexOS Storage is installed in separate servers outside of Openstack nodes.
•	Or Hyperconverged? This is when the Openstack and storage is installed in the same servers.


Note You need to log in before you can comment on or make changes to this bug.