Bug 1105476 (CVE-2017-15139)

Summary: VUL-0: CVE-2017-15139: openstack-cinder: Data retained after deletion of a ScaleIO volume
Product: [Novell Products] SUSE Security Incidents Reporter: Alexander Bergmann <abergmann>
Component: IncidentsAssignee: Security Team bot <security-team>
Status: RESOLVED FIXED QA Contact: Security Team bot <security-team>
Severity: Normal    
Priority: P3 - Medium CC: atoptsoglou, cthompson, kberger, nkrinner, rsalevsky, smash_bz
Version: unspecified   
Target Milestone: ---   
Hardware: Other   
OS: Other   
URL: https://smash.suse.de/issue/213121/
Whiteboard: CVSSv2:NVD:CVE-2017-15139:5.0:(AV:N/AC:L/Au:N/C:P/I:N/A:N) CVSSv3:NVD:CVE-2017-15139:7.5:(AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N) CVSSv3:RedHat:CVE-2017-15139:4.8:(AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:N/A:N) CVSSv3:SUSE:CVE-2017-15139:5.1:(AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)
Found By: Security Response Team Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---

Description Alexander Bergmann 2018-08-21 10:17:24 UTC 
rh#1599899

Summary
Certain storage volume configurations allow newly created volumes to contain previous data. This could lead to leakage of sensitive information between tenants.

Affected Services / Software
Cinder releases up to and including Queens with ScaleIO volumes using thin volumes and zero padding.

External references:

https://wiki.openstack.org/wiki/OSSN/OSSN-0084

Upstream bug:

https://bugs.launchpad.net/ossn/+bug/1699573

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1599899
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-15139
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15139
Comment 2 Keith Berger 2018-09-05 14:07:05 UTC 
upstream bug not merged yet

https://review.openstack.org/#/c/596879/

once this is done it can hopefully be backported down
Comment 3 Keith Berger 2018-09-12 16:42:05 UTC 
merged in master, waiting on pike. Then i need to see if they will accept ocata and newton.
Comment 4 Rick Salevsky 2018-10-11 13:13:07 UTC 
@Keith: Any progress on this?
Comment 5 Keith Berger 2018-10-11 13:39:52 UTC 
Rick,

Pike and Newton are done. Do we need Mitaka as well? That is where I am blocked currently.
Comment 6 Rick Salevsky 2018-10-11 15:59:35 UTC 
@Keith: We don't have a Mitaka based product so from my perspective this is not required.
Comment 7 Keith Berger 2018-10-11 21:21:23 UTC 
Rick,

What about HOS4? Is that something we need to address
Comment 8 Rick Salevsky 2018-11-19 10:17:37 UTC 
@Keith: Can you add the patch to https://build.opensuse.org/package/show/Cloud:OpenStack:Newton:Staging/openstack-cinder ? 

The decision for HOS4 is up to Carter.
Comment 9 Carter Thompson 2018-11-19 16:05:31 UTC 
We can pick this up in HOS 4.0.9 when/if there is another update.
Comment 10 Keith Berger 2018-11-19 16:07:39 UTC 
merging to Mitaka was shot down upstream so we wont be able to add it.
Comment 11 Keith Berger 2018-11-19 16:10:46 UTC 
Rick can we do a GTM and you please show me how to do what you are asking for in comment https://bugzilla.suse.com/show_bug.cgi?id=1105476#c8 ?
Comment 12 Keith Berger 2018-12-03 20:54:39 UTC 
https://build.opensuse.org/request/show/653601
Comment 13 Keith Berger 2018-12-05 16:00:28 UTC 
patch added for Newton/SOC7. please close when ready
Comment 16 Swamp Workflow Management 2019-03-22 19:21:13 UTC 
SUSE-SU-2019:0716-1: An update that solves one vulnerability and has four fixes is now available.

Category: security (moderate)
Bug References: 1089834,1105476,1116475,1119902,1124695
CVE References: CVE-2017-15139
Sources used:
SUSE OpenStack Cloud 7 (src):    openstack-cinder-9.1.5~dev6-4.21.3, openstack-cinder-doc-9.1.5~dev6-4.21.3, openstack-horizon-plugin-designate-ui-3.0.2~dev1-3.9.3, openstack-neutron-9.4.2~dev21-7.27.3, openstack-neutron-doc-9.4.2~dev21-7.27.3, openstack-neutron-lbaas-9.2.2~dev11-4.15.3, openstack-neutron-lbaas-doc-9.2.2~dev11-4.15.3
Comment 18 Nanuk Krinner 2020-05-07 08:06:44 UTC 
@Alexandros:

The fix was merged upstream (https://review.opendev.org/#/c/601681/) and is also included in the code we ship (https://build.suse.de/package/show/SUSE:SLE-12-SP3:Update:Products:Cloud8:Update/openstack-cinder), just checked.
Comment 19 Alexandros Toptsoglou 2020-05-07 08:13:31 UTC 
(In reply to Nanuk Krinner from comment #18)
> @Alexandros:
> 
> The fix was merged upstream (https://review.opendev.org/#/c/601681/) and is
> also included in the code we ship
> (https://build.suse.de/package/show/SUSE:SLE-12-SP3:Update:Products:Cloud8:
> Update/openstack-cinder), just checked.

Thanks Nanuk, I fixed our tracking. Closing