{
  "threat_severity" : "Moderate",
  "public_date" : "2017-09-19T00:00:00Z",
  "bugzilla" : {
    "description" : "openstack-tripleo-heat-templates: Ceph client keyring is world-readable when deployed by director",
    "id" : "1489360",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=1489360"
  },
  "cvss3" : {
    "cvss3_base_score" : "8.4",
    "cvss3_scoring_vector" : "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N",
    "status" : "verified"
  },
  "cwe" : "CWE-732",
  "details" : [ "A resource-permission flaw was found in the openstack-tripleo-heat-templates package where ceph.client.openstack.keyring is created as world-readable. A local attacker with access to the key could read or modify data on Ceph cluster pools for OpenStack as though the attacker were the OpenStack service, thus potentially reading or modifying data in an OpenStack Block Storage volume.", "A resource-permission flaw was found in the openstack-tripleo-heat-templates package where ceph.client.openstack.keyring is created as world-readable. A local attacker with access to the key could read or modify data on Ceph cluster pools for OpenStack as though the attacker were the OpenStack service, thus potentially reading or modifying data in an OpenStack Block Storage volume. \nTo exploit this flaw, the attacker must have local access to an overcloud node. However by default, access to overcloud nodes is restricted and accessible only from the management undercloud server on an internal network.  Follow good security principles in your networking environment to ensure that network access is properly controlled." ],
  "acknowledgement" : "Red Hat would like to thank Katuya Kawakami (NEC) for reporting this issue.",
  "affected_release" : [ {
    "product_name" : "Red Hat OpenStack Platform 10.0 (Newton)",
    "release_date" : "2018-05-17T00:00:00Z",
    "advisory" : "RHSA-2018:1593",
    "cpe" : "cpe:/a:redhat:openstack:10::el7",
    "package" : "openstack-tripleo-heat-templates-0:5.3.10-1.el7ost"
  }, {
    "product_name" : "Red Hat OpenStack Platform 10.0 (Newton)",
    "release_date" : "2018-05-17T00:00:00Z",
    "advisory" : "RHSA-2018:1593",
    "cpe" : "cpe:/a:redhat:openstack:10::el7",
    "package" : "puppet-tripleo-0:5.6.8-6.el7ost"
  }, {
    "product_name" : "Red Hat OpenStack Platform 11.0 (Ocata)",
    "release_date" : "2018-05-18T00:00:00Z",
    "advisory" : "RHSA-2018:1627",
    "cpe" : "cpe:/a:redhat:openstack:11::el7",
    "package" : "openstack-tripleo-heat-templates-0:6.2.12-2.el7ost"
  }, {
    "product_name" : "Red Hat OpenStack Platform 11.0 (Ocata)",
    "release_date" : "2018-05-18T00:00:00Z",
    "advisory" : "RHSA-2018:1627",
    "cpe" : "cpe:/a:redhat:openstack:11::el7",
    "package" : "puppet-tripleo-0:6.5.10-3.el7ost"
  }, {
    "product_name" : "Red Hat OpenStack Platform 12.0 (Pike)",
    "release_date" : "2018-03-28T00:00:00Z",
    "advisory" : "RHSA-2018:0602",
    "cpe" : "cpe:/a:redhat:openstack:12::el7",
    "package" : "openstack-tripleo-heat-templates-0:7.0.9-8.el7ost"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux OpenStack Platform 6 (Juno)",
    "fix_state" : "Will not fix",
    "package_name" : "openstack-tripleo-heat-templates",
    "cpe" : "cpe:/a:redhat:openstack:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux OpenStack Platform 7 (Kilo) Director",
    "fix_state" : "Will not fix",
    "package_name" : "openstack-tripleo-heat-templates",
    "cpe" : "cpe:/a:redhat:openstack-director:7"
  }, {
    "product_name" : "Red Hat OpenStack Platform 12 (Pike)",
    "fix_state" : "Not affected",
    "package_name" : "rhosp-director",
    "cpe" : "cpe:/a:redhat:openstack:12"
  }, {
    "product_name" : "Red Hat OpenStack Platform 8 (Liberty) Director",
    "fix_state" : "Will not fix",
    "package_name" : "openstack-tripleo-heat-templates",
    "cpe" : "cpe:/a:redhat:openstack-director:8"
  }, {
    "product_name" : "Red Hat OpenStack Platform 9 (Mitaka) Director",
    "fix_state" : "Will not fix",
    "package_name" : "openstack-tripleo-heat-templates",
    "cpe" : "cpe:/a:redhat:openstack-director:9"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2017-12155\nhttps://nvd.nist.gov/vuln/detail/CVE-2017-12155" ],
  "name" : "CVE-2017-12155",
  "mitigation" : {
    "value" : "To mitigate the flaw, use an overcloud post-deploy script[1] to do the following on all overcloud nodes:\nkey=/etc/ceph/ceph.client.openstack.keyring\nchown root:root $key\nchmod 600 $key\nsetfacl -m u:glance:r $key \nsetfacl -m u:cinder:r $key\nsetfacl -m u:nova:r $key\nsetfacl -m u: gnocchi:r $key\nIf not using Red Hat OpenStack Platform director, then run the commands above manually on each overcloud node, \nWarning: Only running 'chmod 600 $key' alone (without an ACL) will prevent OpenStack from reading the key.\n[1] https://access.redhat.com/documentation/en-us/red_hat_openstack_platform/11/html-single/advanced_overcloud_customization/#sect-Customizing_Overcloud_PostConfiguration_All",
    "lang" : "en:us"
  },
  "csaw" : false
}