CVE-2017-12155

Description

A resource-permission flaw was found in the `tripleo-heat-templates` package where `ceph.client.openstack.keyring` is created as world-readable. A local attacker with access to the key could read or modify data on Ceph cluster pools for OpenStack as though the attacker were the OpenStack service, thus potentially reading or modifying data in an OpenStack Block Storage volume. This has been patched in versions [7.0.6](https://github.com/openstack/tripleo-heat-templates/commit/a18fd59077d97de83496c85c017b9d256a3eddd4) and [8.0.0](https://github.com/openstack/tripleo-heat-templates/commit/ce7b65f443d38a6627631f53cb22336338e97d30).

How to fix CVE-2017-12155

To remediate CVE-2017-12155, upgrade the affected package to a fixed version below.

• —upgrade to 7.0.6 or later

Is CVE-2017-12155 being exploited?

Low — EPSS is 0.0%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

• from 0, < 7.0.6

CVSS scores

References (9)

• ADVISORYnvd.nist.gov/vuln/detail/CVE-2017-12155
• PATCHgithub.com/openstack/tripleo-heat-templates
• WEBaccess.redhat.com/errata/RHSA-2018:0602
• WEBaccess.redhat.com/errata/RHSA-2018:1593
• WEB