[OSSA 2013-021] Cinder LVM volume driver does not support secure deletion (CVE-2013-4183)
OpenStack Security Advisory: 2013-021
CVE: CVE-2013-4183
Date: August 7, 2013
Title: Cinder LVM volume driver does not support secure deletion
Reporter: Rongze Zhu (UnitedStack)
Products: Cinder
Affects: 2013.1 (Grizzly) and later
Description: Rongze Zhu from UnitedStack reported a vulnerability in the Cinder LVM volume driver. The contents of LVM snapshots may not be cleared upon deletion even when secure deletes are configured, resulting in potential exposure of latent data to subsequent servers for other tenants. Only setups using LVMVolumeDriver are affected.
Havana (development branch) fix: https://review.openstack.org/36506
Grizzly fix: https://review.openstack.org/39565
Notes: This fix is included in the havana-2 development milestone and will appear in a future 2013.1.3 release.
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4183
https://launchpad.net/bugs/1198185
Jeremy Stanley
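
An operator-side check for the condition described in this advisory, as an added example that is not part of the advisory or of Cinder's code: it scans a device or image file and reports the byte ranges that are not zero-filled. It assumes a secure delete is expected to leave the storage zero-filled; the chunk size, helper names and sample file are constructed for illustration.

```python
import os
import sys
import tempfile

CHUNK = 1024 * 1024  # scan granularity in bytes (constructed choice)


def nonzero_extents(path, chunk=CHUNK):
    """Return merged (start, end) byte ranges of chunks holding any non-zero byte."""
    extents = []
    zero = bytes(chunk)
    with open(path, "rb", buffering=0) as dev:
        offset = 0
        while True:
            buf = dev.read(chunk)
            if not buf:
                break
            # Compare against zeros of the same length so short reads are handled.
            if buf != zero[:len(buf)]:
                if extents and extents[-1][1] == offset:
                    # Adjacent to the previous dirty chunk: extend that range.
                    extents[-1] = (extents[-1][0], offset + len(buf))
                else:
                    extents.append((offset, offset + len(buf)))
            offset += len(buf)
    return extents


def make_sample(size, dirty=()):
    """Constructed stand-in for a volume: zero-filled, with marker bytes at the given offsets."""
    fd, path = tempfile.mkstemp()
    with os.fdopen(fd, "wb") as f:
        f.truncate(size)
        for off in dirty:
            f.seek(off)
            f.write(b"tenant-a-data")  # constructed marker, not real data
    return path


if __name__ == "__main__":
    # Usage: pass the path of the device or image to audit (assumption: readable by the caller).
    found = nonzero_extents(sys.argv[1])
    for start, end in found:
        print(f"non-zero data in bytes {start}-{end}")
    sys.exit(1 if found else 0)
```

An empty result means every scanned chunk was zero-filled; any reported range marks storage that still holds earlier contents.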