Bug 1105476 - (CVE-2017-15139) VUL-0: CVE-2017-15139: openstack-cinder: Data retained after deletion of a ScaleIO volume
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Version: unspecified
Hardware: Other
OS: Other
Priority: P3 - Medium
Severity: Normal
Assigned To: Security Team bot
https://smash.suse.de/issue/213121/
CVSSv2:NVD:CVE-2017-15139:5.0:(AV:N/...
Reported: 2018-08-21 10:17 UTC by Alexander Bergmann
Modified: 2020-05-12 18:25 UTC (History)
Found By: Security Response Team
Description Alexander Bergmann 2018-08-21 10:17:24 UTC
rh#1599899

Summary
Certain storage volume configurations allow newly created volumes to contain previous data. This could lead to leakage of sensitive information between tenants.

Affected Services / Software
Cinder releases up to and including Queens with ScaleIO volumes using thin volumes and zero padding.

External references:

https://wiki.openstack.org/wiki/OSSN/OSSN-0084

Upstream bug:

https://bugs.launchpad.net/ossn/+bug/1699573

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1599899
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-15139
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15139
Comment 2 Keith Berger 2018-09-05 14:07:05 UTC
Upstream bug not merged yet.

https://review.openstack.org/#/c/596879/

Once this is done it can hopefully be backported down.
Comment 3 Keith Berger 2018-09-12 16:42:05 UTC
Merged in master, waiting on Pike. Then I need to see if they will accept Ocata and Newton.
Comment 4 Rick Salevsky 2018-10-11 13:13:07 UTC
@Keith: Any progress on this?
Comment 5 Keith Berger 2018-10-11 13:39:52 UTC
Rick,

Pike and Newton are done. Do we need Mitaka as well? That is where I am blocked currently.
Comment 6 Rick Salevsky 2018-10-11 15:59:35 UTC
@Keith: We don't have a Mitaka based product so from my perspective this is not required.
Comment 7 Keith Berger 2018-10-11 21:21:23 UTC
Rick,

What about HOS4? Is that something we need to address?
Comment 8 Rick Salevsky 2018-11-19 10:17:37 UTC
@Keith: Can you add the patch to https://build.opensuse.org/package/show/Cloud:OpenStack:Newton:Staging/openstack-cinder ?

The decision for HOS4 is up to Carter.
Comment 9 Carter Thompson 2018-11-19 16:05:31 UTC
We can pick this up in HOS 4.0.9 when/if there is another update.
Comment 10 Keith Berger 2018-11-19 16:07:39 UTC
Merging to Mitaka was shot down upstream, so we won't be able to add it.
Comment 11 Keith Berger 2018-11-19 16:10:46 UTC
Rick, can we do a GTM and can you please show me how to do what you are asking for in comment https://bugzilla.suse.com/show_bug.cgi?id=1105476#c8 ?
Comment 12 Keith Berger 2018-12-03 20:54:39 UTC
https://build.opensuse.org/request/show/653601
Comment 13 Keith Berger 2018-12-05 16:00:28 UTC
Patch added for Newton/SOC7. Please close when ready.
Comment 16 Swamp Workflow Management 2019-03-22 19:21:13 UTC
SUSE-SU-2019:0716-1: An update that solves one vulnerability and has four fixes is now available.

Category: security (moderate)
Bug References: 1089834,1105476,1116475,1119902,1124695
CVE References: CVE-2017-15139
Sources used:
SUSE OpenStack Cloud 7 (src):    openstack-cinder-9.1.5~dev6-4.21.3, openstack-cinder-doc-9.1.5~dev6-4.21.3, openstack-horizon-plugin-designate-ui-3.0.2~dev1-3.9.3, openstack-neutron-9.4.2~dev21-7.27.3, openstack-neutron-doc-9.4.2~dev21-7.27.3, openstack-neutron-lbaas-9.2.2~dev11-4.15.3, openstack-neutron-lbaas-doc-9.2.2~dev11-4.15.3
Comment 18 Nanuk Krinner 2020-05-07 08:06:44 UTC
@Alexandros:

The fix was merged upstream (https://review.opendev.org/#/c/601681/) and is also included in the code we ship (https://build.suse.de/package/show/SUSE:SLE-12-SP3:Update:Products:Cloud8:Update/openstack-cinder), just checked.
Comment 19 Alexandros Toptsoglou 2020-05-07 08:13:31 UTC
(In reply to Nanuk Krinner from comment #18)
> @Alexandros:
> 
> The fix was merged upstream (https://review.opendev.org/#/c/601681/) and is
> also included in the code we ship
> (https://build.suse.de/package/show/SUSE:SLE-12-SP3:Update:Products:Cloud8:
> Update/openstack-cinder), just checked.

Thanks Nanuk, I fixed our tracking. Closing.