CVE-2017-15139: Infoleak
First published: Tue Jul 10 2018(Updated: )
A vulnerability was found in openstack-cinder releases up to and including Queens, allowing newly created volumes in certain storage volume configurations to contain previous data. It specifically affects ScaleIO volumes using thin volumes and zero padding. This could lead to leakage of sensitive information between tenants.
Credit: secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| OpenStack Cinder | <=12.0.4-7 | |
| Redhat Openstack | =10 | |
| Redhat Openstack | =13 | |
| redhat/cinder | <10.0.8 | 10.0.8 |
| redhat/cinder | <13.0.0.0 | 13.0.0.0 |
| redhat/cinder | <12.04 | 12.04 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://access.redhat.com/errata/RHSA-2018:3601
- https://access.redhat.com/errata/RHSA-2019:0917
- https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-15139
- https://wiki.openstack.org/wiki/OSSN/OSSN-0084
- https://bugs.launchpad.net/ossn/+bug/1699573
- https://git.openstack.org/cgit/openstack/cinder/commit/?id=5492e2206a7736079279f45e9c8b931ca19fb322
- https://git.openstack.org/cgit/openstack/cinder/commit/?id=7feb62197d371ab7253dc86a34af6ff8b484b4df
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1610143
- https://bugs.launchpad.net/cinder/+bug/1784871
- https://review.openstack.org/#/c/592001/
- https://review.openstack.org/593188
- https://review.openstack.org/#/c/593694/
- https://review.openstack.org/596879
- https://review.openstack.org/601681
- https://review.openstack.org/#/c/604105/
- https://review.openstack.org/#/c/606130/
- https://bugzilla.redhat.com/show_bug.cgi?id=1599899
Frequently Asked Questions
What is CVE-2017-15139?
CVE-2017-15139 is a vulnerability found in openstack-cinder releases up to and including Queens.
How does CVE-2017-15139 affect the software?
CVE-2017-15139 allows newly created volumes in certain storage volume configurations to contain previous data, specifically affecting ScaleIO volumes using thin volumes and zero padding.
What is the severity of CVE-2017-15139?
CVE-2017-15139 has a severity rating of 7.5 (high).
How can I fix CVE-2017-15139?
To fix CVE-2017-15139, update to a version of openstack-cinder that is beyond the affected releases.
Where can I find more information about CVE-2017-15139?
You can find more information about CVE-2017-15139 at the following references: [1] [2] [3]
- collector/nvd-index
- agent/softwarecombine
- agent/first-publish-date
- agent/type
- agent/remedy
- agent/weakness
- agent/references
- agent/author
- agent/description
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2017-15139
- agent/software-canonical-lookup
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/severity
- agent/tags
- agent/event
- agent/source
- vendor/openstack
- canonical/openstack cinder
- version/openstack cinder/12.0.4-7
- vendor/redhat
- canonical/redhat openstack
- version/redhat openstack/10
- version/redhat openstack/13
- package-manager/redhat