Resource-Permission Flaw in OpenStack TripleO Heat Templates
CVE-2017-12155
6.3 MEDIUM
Key Information:
- Vendor: OpenStack
- CVE Published: 12 December 2017
What is CVE-2017-12155?
A resource-permission flaw exists in the openstack-tripleo-heat-templates package, where the ceph.client.openstack.keyring is inadvertently created with world-readable permissions. This misconfiguration allows a local attacker with access to the key to act as the OpenStack service, presenting significant risks that include unauthorized reading and modification of data within Ceph cluster pools. Attackers could potentially gain access to sensitive information stored in OpenStack Block Storage volumes, leading to severe consequences for data integrity and confidentiality.
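A defender-side check for the condition described above, added here as an example and not taken from the advisory or the openstack-tripleo-heat-templates project: it lists Ceph keyring files whose mode grants read access to "other". The /etc/ceph default directory and the function names are assumptions; pass the directory your deployment actually uses.

```shell
#!/bin/sh
# Added example: audit Ceph keyring files for world-readable permissions.
# Assumption: keyrings live under /etc/ceph unless a directory is given.

# Print every *.keyring file under $1 whose mode has the other-read bit set.
list_world_readable_keyrings() {
    dir=${1:-/etc/ceph}
    # -perm -004 matches files where the "other" read bit is set (POSIX find).
    find "$dir" -type f -name '*.keyring' -perm -004 2>/dev/null
}

# Report findings for $1; return 1 if any keyring is world-readable, else 0.
audit_keyrings() {
    dir=${1:-/etc/ceph}
    found=$(list_world_readable_keyrings "$dir")
    if [ -z "$found" ]; then
        echo "OK: no world-readable keyrings under $dir"
        return 0
    fi
    echo "$found" | while IFS= read -r f; do
        # ls -ld shows mode, owner and group so the finding can be triaged.
        echo "WORLD-READABLE: $(ls -ld "$f")"
    done
    return 1
}
```

Run `audit_keyrings` on each node that holds ceph.client.openstack.keyring; a non-zero return means at least one keyring is readable by every local account.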
Affected Version(s)
openstack-tripleo-heat-templates Newton, Ocata, Pike and possibly older