Bug 956604 (CVE-2015-7514) - VUL-0: CVE-2015-7514: openstack-ironic: Ironic does not honor clean steps
Summary: VUL-0: CVE-2015-7514: openstack-ironic: Ironic does not honor clean steps
Status: RESOLVED FIXED
Alias: CVE-2015-7514
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
Priority: P3 - Medium
Severity: Normal
Target Milestone: ---
Assignee: Security Team bot
QA Contact: Security Team bot
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2015-11-25 08:51 UTC by Alexander Bergmann
Modified: 2015-12-15 18:00 UTC (History)
CC List: 4 users

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Comment 3 Swamp Workflow Management 2015-11-25 23:00:24 UTC
bugbot adjusting priority
Comment 4 Marcus Meissner 2015-12-04 11:27:12 UTC
is public
Comment 5 Marcus Meissner 2015-12-04 11:28:27 UTC
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================
OpenStack Ironic does not honor clean steps
===========================================

:Date: December 03, 2015
:CVE: CVE-2015-7514


Affects
~~~~~~~
- Ironic: >= 4.2.0, <= 4.2.1


Description
~~~~~~~~~~~
Brad Morgan from Rackspace reported a vulnerability in Ironic. To
prevent user data leak, Ironic is expected to "clean" a server after
use, however that is transparently not happening. Previous tenant's data
may be left behind on the disk and may be available to new users. All
Ironic setups are affected.

Patches
~~~~~~~
- https://review.openstack.org/#/c/253001 (Liberty)
- https://review.openstack.org/#/c/252993 (Mitaka)


Credits
~~~~~~~
- Brad Morgan from Rackspace (CVE-2015-7514)


References
~~~~~~~~~~
- https://bugs.launchpad.net/bugs/1517277
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7514


Notes
~~~~~
- This fix will be included in a future 4.2.2 release.
- This fix will be included in a future 4.3 release.
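The advisory's point is that cleaning reported success while the erase steps silently did not run, so in the affected versions enabling cleaning in ironic.conf is not evidence that a disk was wiped. The script below is an added example for this bug (not Ironic's own code and not part of the advisory): it scans a block device or disk image, counts non-zero blocks, and looks for a leftover MBR boot signature or ext2/3/4 superblock magic in the first sectors. The device path (e.g. /dev/sdb) is whatever the operator passes in; the "dirty" image built by constructed_dirty_image() is a constructed sample used only to exercise the scanner.

```python
"""Verify that a disk Ironic was supposed to erase is actually blank.

Added example for CVE-2015-7514; not Ironic code.  Intended for the disks of a
freshly provisioned node that should hold no data, e.g. a second data disk:

    python3 check_erased.py /dev/sdb
"""
import io
import sys
from dataclasses import dataclass, field
from typing import List, Optional

# Well-known on-disk signatures.  Finding one on a disk that cleaning claims to
# have erased is a strong sign that erase_devices never ran.
MBR_SIGNATURE = (510, b"\x55\xaa")           # boot signature at end of sector 0
EXT_SUPERBLOCK_MAGIC = (1080, b"\x53\xef")   # ext2/3/4 s_magic (0xEF53 LE) at 1024 + 0x38
SIGNATURES = {"mbr": MBR_SIGNATURE, "ext": EXT_SUPERBLOCK_MAGIC}


@dataclass
class ScanResult:
    total_blocks: int = 0
    nonzero_blocks: int = 0
    first_nonzero_offset: Optional[int] = None
    signatures: List[str] = field(default_factory=list)

    @property
    def looks_erased(self) -> bool:
        return self.nonzero_blocks == 0 and not self.signatures


def scan_stream(stream, block_size: int = 4096) -> ScanResult:
    """Read `stream` to EOF in `block_size` chunks and count blocks that are not all zero."""
    result = ScanResult()
    zero_block = bytes(block_size)
    head = b""      # first 2 KiB, kept for the signature checks
    offset = 0
    while True:
        chunk = stream.read(block_size)
        if not chunk:
            break
        if offset < 2048:
            head += chunk
        result.total_blocks += 1
        # The final chunk may be short, so compare against a zero prefix of equal length.
        if chunk != zero_block[: len(chunk)]:
            result.nonzero_blocks += 1
            if result.first_nonzero_offset is None:
                result.first_nonzero_offset = offset
        offset += len(chunk)
    for name, (pos, magic) in SIGNATURES.items():
        if head[pos : pos + len(magic)] == magic:
            result.signatures.append(name)
    return result


def scan_bytes(data: bytes, block_size: int = 4096) -> ScanResult:
    """Scan an in-memory image (used for the constructed sample below)."""
    return scan_stream(io.BytesIO(data), block_size)


def scan_device(path: str, block_size: int = 4096) -> ScanResult:
    """Scan a block device or image file, e.g. scan_device('/dev/sdb')."""
    with open(path, "rb", buffering=0) as f:
        return scan_stream(f, block_size)


def constructed_dirty_image(size_blocks: int = 64, block_size: int = 4096) -> bytes:
    """Constructed sample: a disk that was never wiped.  It still carries the MBR
    boot signature and one block of leftover tenant data at block 10."""
    buf = bytearray(size_blocks * block_size)
    buf[510:512] = b"\x55\xaa"
    leftover = b"previous tenant: ssh private key material\n"
    buf[10 * block_size : 10 * block_size + len(leftover)] = leftover
    return bytes(buf)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        res = scan_device(sys.argv[1])
    else:
        res = scan_bytes(constructed_dirty_image())  # demo run on the sample
    print(f"blocks={res.total_blocks} nonzero={res.nonzero_blocks} "
          f"first_nonzero={res.first_nonzero_offset} signatures={res.signatures} "
          f"erased={res.looks_erased}")
```

A non-zero block count by itself is not proof of a leak: the root disk of a node you just deployed legitimately contains your own image. Run the scan on disks that should be empty, or restrict it to regions outside the partitions you expect, and treat a foreign partition table or filesystem superblock as the real indicator.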
Comment 6 Marcus Meissner 2015-12-04 11:29:24 UTC
seems to be on Cloud 6

Devel:Cloud:6                           openstack-ironic  4.2.2~a0~dev5  3    9c2dcc1dcf786ca17cdedfc28c2f68fe
Devel:Cloud:6:Staging                   openstack-ironic  -              1    83582b7f4bfa51b9be5b84804f6af755
SUSE:SLE-12-SP1:Update:Products:Cloud6  openstack-ironic  4.2.2~a0~dev5  2    b84721854a6e8d1c385c2caefdb9304c


Not clear if fixed already.
Comment 7 Vincent Untz 2015-12-08 11:13:15 UTC
(In reply to Marcus Meissner from comment #6)
> seems to be on Cloud 6
> 
> Devel:Cloud:6                           openstack-ironic  4.2.2~a0~dev5  3    9c2dcc1dcf786ca17cdedfc28c2f68fe
> Devel:Cloud:6:Staging                   openstack-ironic  -              1    83582b7f4bfa51b9be5b84804f6af755
> SUSE:SLE-12-SP1:Update:Products:Cloud6  openstack-ironic  4.2.2~a0~dev5  2    b84721854a6e8d1c385c2caefdb9304c
> 
> 
> Not clear if fixed already.

Fix will be in GM for sure, and should be in next milestone already if we submit more changes than what we already submitted.

I added the CVE and bug number to the .changes file.
Comment 8 Marcus Meissner 2015-12-08 12:40:28 UTC
thanks!