Bugzilla – Full Text Bug Listing
Summary: VUL-0: CVE-2017-15139: openstack-cinder: Data retained after deletion of a ScaleIO volume
Product: [Novell Products] SUSE Security Incidents
Reporter: Alexander Bergmann <abergmann>
Component: Incidents
Assignee: Security Team bot <security-team>
Status: RESOLVED FIXED
QA Contact: Security Team bot <security-team>
Priority: P3 - Medium
CC: atoptsoglou, cthompson, kberger, nkrinner, rsalevsky, smash_bz
Whiteboard:
  CVSSv2:NVD:CVE-2017-15139:5.0:(AV:N/AC:L/Au:N/C:P/I:N/A:N)
  CVSSv3:NVD:CVE-2017-15139:7.5:(AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
  CVSSv3:RedHat:CVE-2017-15139:4.8:(AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:N/A:N)
  CVSSv3:SUSE:CVE-2017-15139:5.1:(AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)
Found By: Security Response Team
Services Priority: (none)
Marketing QA Status: ---
IT Deployment: ---
Description Alexander Bergmann 2018-08-21 10:17:24 UTC
rh#1599899

Summary: Certain storage volume configurations allow newly created volumes to contain previous data. This could lead to leakage of sensitive information between tenants.

Affected Services / Software: Cinder releases up to and including Queens with ScaleIO volumes using thin volumes and zero padding.

External references: https://wiki.openstack.org/wiki/OSSN/OSSN-0084
Upstream bug: https://bugs.launchpad.net/ossn/+bug/1699573

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1599899
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-15139
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15139
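The failure mode the advisory describes, as an added example that is not code from the original bug, from Cinder or from the ScaleIO driver: a toy thin-provisioned block pool in Python. Tenant A writes into a thin volume and deletes it; tenant B creates a fresh volume on the same pool and reads it. With the pool's zero-padding policy off, B receives A's bytes; with it on, B receives zeros. The 16-byte block size, the LIFO free list and allocation of a backing block on first access are assumptions of the model, and the `zero_padding` flag stands in for the storage-pool policy named in the advisory.

```python
"""Model of data remanence in a thin-provisioned block pool.

Added example, not Cinder or ScaleIO driver code. It reproduces the
mechanism behind CVE-2017-15139: a thin pool recycles freed blocks into
new volumes, and unless the pool zero-pads blocks on allocation the new
volume's tenant can read whatever the previous tenant left behind.
"""

BLOCK_SIZE = 16  # bytes per block; assumption of the model, real pools are far larger


class ThinPool:
    """Fixed-size blocks shared by every volume on the pool.

    zero_padding mirrors the storage-pool policy from the advisory: when
    True, a block is wiped before a volume may touch it; when False, a
    recycled block keeps its old contents.
    """

    def __init__(self, blocks, zero_padding):
        self.blocks = [bytearray(BLOCK_SIZE) for _ in range(blocks)]
        self.free = list(range(blocks))  # LIFO free list (assumption of the model)
        self.zero_padding = zero_padding

    def allocate(self):
        idx = self.free.pop()
        if self.zero_padding:
            self.blocks[idx][:] = bytes(BLOCK_SIZE)  # the mitigation: wipe on allocation
        return idx

    def release(self, idx):
        # Thin pools return space to the free list without wiping it.
        self.free.append(idx)


class ThinVolume:
    """Thin volume: a backing block is mapped from the pool on first access."""

    def __init__(self, pool, size_blocks, tenant):
        self.pool = pool
        self.tenant = tenant
        self.size = size_blocks
        self.map = {}  # logical block -> pool block index

    def _backing(self, lba):
        if not 0 <= lba < self.size:
            raise IndexError(f"block {lba} outside volume of {self.size} blocks")
        if lba not in self.map:
            self.map[lba] = self.pool.allocate()
        return self.pool.blocks[self.map[lba]]

    def write(self, lba, data):
        self._backing(lba)[: len(data)] = data

    def read(self, lba):
        return bytes(self._backing(lba))

    def delete(self):
        for idx in self.map.values():
            self.pool.release(idx)
        self.map.clear()


def leaked_bytes(zero_padding):
    """Tenant A writes a secret and deletes its volume; tenant B creates a new
    volume on the same pool and reads its first block. Returns what B sees."""
    pool = ThinPool(blocks=4, zero_padding=zero_padding)
    vol_a = ThinVolume(pool, size_blocks=2, tenant="tenant-a")
    vol_a.write(0, b"SECRET-KEY-0123")  # constructed sample data
    vol_a.delete()
    vol_b = ThinVolume(pool, size_blocks=2, tenant="tenant-b")
    return vol_b.read(0)


if __name__ == "__main__":
    print("zero padding off:", leaked_bytes(False))  # previous tenant's data
    print("zero padding on: ", leaked_bytes(True))   # all zeros
```

The model shows why the advisory's affected-configuration list matters: the leak is a property of how the pool recycles blocks, not of Cinder's delete path, so the operator-side check is the pool's zero-padding policy rather than anything in the volume service.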
Comment 2 Keith Berger 2018-09-05 14:07:05 UTC
Upstream bug not merged yet: https://review.openstack.org/#/c/596879/ . Once this is done it can hopefully be backported down.
Comment 3 Keith Berger 2018-09-12 16:42:05 UTC
Merged in master, waiting on Pike. Then I need to see if they will accept Ocata and Newton.
Comment 4 Rick Salevsky 2018-10-11 13:13:07 UTC
@Keith: Any progress on this?
Comment 5 Keith Berger 2018-10-11 13:39:52 UTC
Rick, Pike and Newton are done. Do we need Mitaka as well? That is where I am blocked currently.
Comment 6 Rick Salevsky 2018-10-11 15:59:35 UTC
@Keith: We don't have a Mitaka based product so from my perspective this is not required.
Comment 7 Keith Berger 2018-10-11 21:21:23 UTC
Rick, what about HOS4? Is that something we need to address?
Comment 8 Rick Salevsky 2018-11-19 10:17:37 UTC
@Keith: Can you add the patch to https://build.opensuse.org/package/show/Cloud:OpenStack:Newton:Staging/openstack-cinder ? The decision for HOS4 is up to Carter.
Comment 9 Carter Thompson 2018-11-19 16:05:31 UTC
We can pick this up in HOS 4.0.9 when/if there is another update.
Comment 10 Keith Berger 2018-11-19 16:07:39 UTC
Merging to Mitaka was shot down upstream, so we won't be able to add it.
Comment 11 Keith Berger 2018-11-19 16:10:46 UTC
Rick, can we do a GTM and could you please show me how to do what you are asking for in comment https://bugzilla.suse.com/show_bug.cgi?id=1105476#c8 ?
Comment 13 Keith Berger 2018-12-05 16:00:28 UTC
Patch added for Newton/SOC7. Please close when ready.
Comment 16 Swamp Workflow Management 2019-03-22 19:21:13 UTC
SUSE-SU-2019:0716-1: An update that solves one vulnerability and has four fixes is now available.

Category: security (moderate)
Bug References: 1089834, 1105476, 1116475, 1119902, 1124695
CVE References: CVE-2017-15139

Sources used:
SUSE OpenStack Cloud 7 (src): openstack-cinder-9.1.5~dev6-4.21.3, openstack-cinder-doc-9.1.5~dev6-4.21.3, openstack-horizon-plugin-designate-ui-3.0.2~dev1-3.9.3, openstack-neutron-9.4.2~dev21-7.27.3, openstack-neutron-doc-9.4.2~dev21-7.27.3, openstack-neutron-lbaas-9.2.2~dev11-4.15.3, openstack-neutron-lbaas-doc-9.2.2~dev11-4.15.3
Comment 18 Nanuk Krinner 2020-05-07 08:06:44 UTC
@Alexandros: The fix was merged upstream (https://review.opendev.org/#/c/601681/) and is also included in the code we ship (https://build.suse.de/package/show/SUSE:SLE-12-SP3:Update:Products:Cloud8:Update/openstack-cinder); just checked.
Comment 19 Alexandros Toptsoglou 2020-05-07 08:13:31 UTC
(In reply to Nanuk Krinner from comment #18)
> @Alexandros:
>
> The fix was merged upstream (https://review.opendev.org/#/c/601681/) and is
> also included in the code we ship
> (https://build.suse.de/package/show/SUSE:SLE-12-SP3:Update:Products:Cloud8:Update/openstack-cinder), just checked.

Thanks Nanuk, I fixed our tracking. Closing.