OpenStack Security Advisory: 2013-021 CVE: CVE-2013-4183 Date: August 7, 2013 Title: Cinder LVM volume driver does not support secure deletion Reporter: Rongze Zhu (UnitedStack) Products: Cinder Affects: 2013.1 (Grizzly) and later Description: Rongze Zhu from UnitedStack reported a vulnerability in the Cinder LVM volume driver. The contents of LVM snapshots may not be cleared upon deletion even when secure deletes are configured, resulting in potential exposure of latent data to subsequent servers for other tenants. Only setups using LVMVolumeDriver are affected. Havana (development branch) fix: https://review.openstack.org/36506 Grizzly fix: https://review.openstack.org/39565 Notes: This fix is included in the havana-2 development milestone and will appear in a future 2013.1.3 release. References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4183 https://launchpad.net/bugs/1198185 -- Jeremy Stanley OpenStack Vulnerability Management Team