Resource-Permission Flaw in OpenStack TripleO Heat Templates
CVE-2017-12155
Key Information:
- Vendor: OpenStack
- CVE Published: 12 December 2017
What is CVE-2017-12155?
A resource-permission flaw exists in the openstack-tripleo-heat-templates package: the ceph.client.openstack.keyring file is inadvertently created with world-readable permissions. A local attacker who can read the key can act as the OpenStack service, which allows unauthorized reading and modification of data within Ceph cluster pools. This includes potential access to sensitive information stored in OpenStack Block Storage volumes, with severe consequences for data integrity and confidentiality.
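
The following is an added example, not part of the original advisory or the project's code: a Python audit that flags keyring files accessible to "other" users and clears those bits. The sample files are constructed in a temporary directory; the directory to scan on a real node (commonly /etc/ceph) and the second sample file name are assumptions.

```python
import os
import stat
import tempfile

KEYRING_NAME = "ceph.client.openstack.keyring"  # file name taken from the advisory


def audit_keyrings(root):
    """Return [(path, octal_mode)] for *.keyring files that 'other' users can access."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            if not name.endswith(".keyring"):
                continue
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            # Skip symlinks and special files; only regular files hold key material.
            if not stat.S_ISREG(st.st_mode):
                continue
            mode = stat.S_IMODE(st.st_mode)
            if mode & stat.S_IRWXO:  # any read/write/execute bit set for 'other'
                findings.append((path, oct(mode)))
    return findings


def strip_other_access(path):
    """Clear the 'other' permission bits, leaving owner and group bits unchanged."""
    mode = stat.S_IMODE(os.lstat(path).st_mode)
    os.chmod(path, mode & ~stat.S_IRWXO)
    return oct(stat.S_IMODE(os.lstat(path).st_mode))


def demo():
    """Constructed sample: one exposed and one restricted keyring in a temp dir."""
    with tempfile.TemporaryDirectory() as root:
        exposed = os.path.join(root, KEYRING_NAME)
        restricted = os.path.join(root, "restricted-sample.keyring")  # hypothetical name
        for path, mode in ((exposed, 0o644), (restricted, 0o600)):
            with open(path, "w") as fh:
                fh.write("[client.example]\n\tkey = CONSTRUCTED-PLACEHOLDER\n")
            os.chmod(path, mode)  # explicit chmod so the umask does not alter the sample
        before = audit_keyrings(root)
        fixed_mode = strip_other_access(exposed)
        after = audit_keyrings(root)
        return [os.path.basename(p) for p, _ in before], fixed_mode, after


if __name__ == "__main__":
    print(demo())
```

Clearing the "other" bits is one mitigation shown for illustration; whether group access is still appropriate depends on which service accounts need the key.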

Affected Version(s)
openstack-tripleo-heat-templates Newton, Ocata, Pike and possibly older
