Vulnerability Details : CVE-2017-12155
A resource-permission flaw was found in the openstack-tripleo-heat-templates package where ceph.client.openstack.keyring is created as world-readable. A local attacker with access to the key could read or modify data on Ceph cluster pools for OpenStack as though the attacker were the OpenStack service, thus potentially reading or modifying data in an OpenStack Block Storage volume.
Products affected by CVE-2017-12155
- cpe:2.3:a:ceph:ceph:-:*:*:*:*:openstack:*:*
Exploit prediction scoring system (EPSS) score for CVE-2017-12155
- EPSS score: 0.04% (probability of exploitation activity in the next 30 days)
- EPSS percentile: ~6% (the proportion of vulnerabilities scored at or below this score)
CVSS scores for CVE-2017-12155
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen
---|---|---|---|---|---|---
3.3 | LOW | AV:L/AC:M/Au:N/C:P/I:P/A:N | 3.4 | 4.9 | NIST | 
6.3 | MEDIUM | CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N | 1.0 | 5.2 | NIST | 
CWE ids for CVE-2017-12155
- CWE-306: The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources. Assigned by: nvd@nist.gov (Primary)
References for CVE-2017-12155
- https://access.redhat.com/errata/RHSA-2018:0602 (RHSA-2018:0602 - Security Advisory - Red Hat Customer Portal)
- https://bugzilla.redhat.com/show_bug.cgi?id=1489360 (1489360 – (CVE-2017-12155) CVE-2017-12155 openstack-tripleo-heat-templates: Ceph client keyring is world-readable when deployed by director; tags: Issue Tracking, Mitigation)
- https://access.redhat.com/errata/RHSA-2018:1593 (RHSA-2018:1593 - Security Advisory - Red Hat Customer Portal)
- https://bugs.launchpad.net/tripleo/+bug/1720787 (Bug #1720787 “TripleO deploys ceph client keyring with 644 permi...” : Bugs : tripleo; tags: Issue Tracking, Patch)
- https://access.redhat.com/errata/RHSA-2018:1627 (RHSA-2018:1627 - Security Advisory - Red Hat Customer Portal)