CVE-2017-12155
First published: Thu Sep 07 2017(Updated: )
A resource-permission flaw was found in the `tripleo-heat-templates` package where `ceph.client.openstack.keyring` is created as world-readable. A local attacker with access to the key could read or modify data on Ceph cluster pools for OpenStack as though the attacker were the OpenStack service, thus potentially reading or modifying data in an OpenStack Block Storage volume. This has been patched in versions [7.0.6](https://github.com/openstack/tripleo-heat-templates/commit/a18fd59077d97de83496c85c017b9d256a3eddd4) and [8.0.0](https://github.com/openstack/tripleo-heat-templates/commit/ce7b65f443d38a6627631f53cb22336338e97d30).
Credit: secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| pip/tripleo-heat-templates | <7.0.6 | 7.0.6 |
| redhat/puppet-tripleo | <7.4.7 | 7.4.7 |
| redhat/puppet-tripleo | <6.5.7 | 6.5.7 |
| Ceph |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://nvd.nist.gov/vuln/detail/CVE-2017-12155
- https://access.redhat.com/errata/RHSA-2018:0602
- https://access.redhat.com/errata/RHSA-2018:1593
- https://access.redhat.com/errata/RHSA-2018:1627
- https://bugs.launchpad.net/tripleo/+bug/1720787
- https://bugzilla.redhat.com/show_bug.cgi?id=1489360
- https://opendev.org/openstack/tripleo-heat-templates/commit/a18fd59077d97de83496c85c017b9d256a3eddd4
- https://opendev.org/openstack/tripleo-heat-templates/commit/ce7b65f443d38a6627631f53cb22336338e97d30
- https://github.com/advisories/GHSA-w8gx-hhcx-px6w (Advisory)
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1462657
- https://access.redhat.com/documentation/en-us/red_hat_openstack_platform/11/html-single/advanced_overcloud_customization/#sect-Customizing_Overcloud_PostConfiguration_All
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1493311
- https://review.openstack.org/519531
- https://review.openstack.org/508975
- https://review.openstack.org/522024
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1489360#c13
Frequently Asked Questions
What is the severity of CVE-2017-12155?
CVE-2017-12155 is classified as a medium severity vulnerability due to its potential impact on data integrity and security in Ceph clusters.
How do I fix CVE-2017-12155?
To fix CVE-2017-12155, update the `tripleo-heat-templates` package to version 7.0.6 or later.
What type of vulnerability is CVE-2017-12155?
CVE-2017-12155 is a resource-permission flaw that allows unauthorized access to sensitive data.
Who is affected by CVE-2017-12155?
CVE-2017-12155 affects any user or organization using the `tripleo-heat-templates` package with Ceph in an OpenStack environment.
What are the consequences of CVE-2017-12155?
The consequences of CVE-2017-12155 include a local attacker being able to read or modify data on Ceph cluster pools as if they were an authorized OpenStack service.
- collector/github-advisory-latest
- alias/GHSA-w8gx-hhcx-px6w
- alias/CVE-2017-12155
- collector/github-advisory
- agent/author
- agent/type
- agent/first-publish-date
- agent/softwarecombine
- agent/remedy
- agent/weakness
- agent/severity
- agent/references
- collector/redhat-bugzilla
- source/Red Hat
- agent/software-canonical-lookup
- collector/mitre-cve
- source/MITRE
- agent/event
- agent/last-modified-date
- agent/description
- agent/trending
- agent/source
- agent/tags
- collector/nvd-cve
- agent/software-canonical-lookup-request
- collector/nvd-index
- package-manager/pip
- package-manager/redhat
- vendor/ceph
- canonical/ceph