Resource-Permission Flaw in OpenStack Tripleo Heat Templates
CVE-2017-12155

6.3MEDIUM

Key Information:

Vendor
Openstack
Status
Openstack-tripleo-heat-templates
Vendor
CVE Published:
12 December 2017

Summary

A resource-permission flaw exists in the openstack-tripleo-heat-templates package, where the ceph.client.openstack.keyring is inadvertently created with world-readable permissions. This misconfiguration allows a local attacker with access to the key to act as the OpenStack service, presenting significant risks that include unauthorized reading and modification of data within Ceph cluster pools. Attackers could potentially gain access to sensitive information stored in OpenStack Block Storage volumes, leading to severe consequences for data integrity and confidentiality.

Affected Version(s)

openstack-tripleo-heat-templates Newton, Ocata, Pike and possibly older

References

https://access.redhat.com/errata/RHSA-2018:1593
vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2018:1627
vendor-advisoryx_refsource_REDHAT
https://bugzilla.redhat.com/show_bug.cgi?id=1489360
x_refsource_CONFIRM

CVSS V3.1

Score:
6.3
Severity:
MEDIUM
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Local
Attack Complexity:
High
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.