Vulnerability Description
A resource-permission flaw was found in the openstack-tripleo-heat-templates package where ceph.client.openstack.keyring is created as world-readable. A local attacker with access to the key could read or modify data on Ceph cluster pools for OpenStack as though the attacker were the OpenStack service, thus potentially reading or modifying data in an OpenStack Block Storage volume.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Ceph | Ceph | - |
Related Weaknesses (CWE)
References
- https://access.redhat.com/errata/RHSA-2018:0602
- https://access.redhat.com/errata/RHSA-2018:1593
- https://access.redhat.com/errata/RHSA-2018:1627
- https://bugs.launchpad.net/tripleo/+bug/1720787Issue TrackingPatch
- https://bugzilla.redhat.com/show_bug.cgi?id=1489360Issue TrackingMitigation
- https://access.redhat.com/errata/RHSA-2018:0602
- https://access.redhat.com/errata/RHSA-2018:1593
- https://access.redhat.com/errata/RHSA-2018:1627
- https://bugs.launchpad.net/tripleo/+bug/1720787Issue TrackingPatch
- https://bugzilla.redhat.com/show_bug.cgi?id=1489360Issue TrackingMitigation
FAQ
What is CVE-2017-12155?
CVE-2017-12155 is a vulnerability with a CVSS score of 6.3 (MEDIUM). A resource-permission flaw was found in the openstack-tripleo-heat-templates package where ceph.client.openstack.keyring is created as world-readable. A local attacker with access to the key could rea...
How severe is CVE-2017-12155?
CVE-2017-12155 has been rated MEDIUM with a CVSS base score of 6.3/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2017-12155?
Check the references section above for vendor advisories and patch information. Affected products include: Ceph Ceph.