rhsa-2020:4391
Vulnerability from csaf_redhat
Published
2020-10-28 18:24
Modified
2025-08-04 07:11
Summary
Red Hat Security Advisory: openstack-cinder security update
Notes
Topic
An update for OpenStack Block Storage (cinder) is now available for Red Hat OpenStack Platform 13 (Queens).
Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.
Details
OpenStack Block Storage (cinder) manages block storage mounting and the
presentation of such mounted block storage to instances. The backend
physical storage can consist of local disks, or Fiber Channel, iSCSI, and
NFS mounts attached to Compute nodes. In addition, Block Storage supports
volume backups, and snapshots for temporary save and restore operations.
Programmatic management is available via Block Storage's API.
Security Fix(es):
* Improper handling of ScaleIO backend credentials (CVE-2020-10755)
For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.
Bug Fix(es):
* Before this update, FC live migration was failing. With this update, the correct device information is now sent to os-brick for FC for the corresponding host. Also, the device is now removed from the correct masking view when the live migration process has failed on the Compute node. (BZ#1841157)
* Before this update, the 3PAR driver did not look at the `_name_id` field for a possible volume ID, which caused volumes to be unusable after a live migration. With this update, the driver is now aware of the `_name_id` field as an alternative location for the volume ID, and live migrated volumes now work as expected. (BZ#1841866)
* Before this update, the internal temporary snapshot, created during async migration when creating a volume from a snapshot, was not being deleted from the VNX storage.
For example, if we create a new volume, V2, from snapshot S1, which we created from volume V1, an internal temporary snapshot, S2, is created from copying S1. V1 now has two snapshots, S1 and S2. Although we delete V1, V2 and S1 from OpenStack Block Storage (cinder), S2 is not deleted. This causes both V1 and S2 to remain on the VNX storage.
With this update, the temporary snapshot, S2, is deleted, and V1 can be successfully deleted. (BZ#1843196)
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An update for OpenStack Block Storage (cinder) is now available for Red Hat OpenStack Platform 13 (Queens).\n\nRed Hat Product Security has rated this update as having a security impact\nof Moderate. A Common Vulnerability Scoring System (CVSS) base score, which\ngives a detailed severity rating, is available for each vulnerability from\nthe CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "OpenStack Block Storage (cinder) manages block storage mounting and the\npresentation of such mounted block storage to instances. The backend\nphysical storage can consist of local disks, or Fiber Channel, iSCSI, and\nNFS mounts attached to Compute nodes. In addition, Block Storage supports\nvolume backups, and snapshots for temporary save and restore operations.\nProgrammatic management is available via Block Storage\u0027s API.\n\nSecurity Fix(es):\n\n* Improper handling of ScaleIO backend credentials (CVE-2020-10755)\n\nFor more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.\n\nBug Fix(es):\n\n* Before this update, FC live migration was failing. With this update, the correct device information is now sent to os-brick for FC for the corresponding host. Also, the device is now removed from the correct masking view when the live migration process has failed on the Compute node. (BZ#1841157)\n\n* Before this update, the 3PAR driver did not look at the `_name_id` field for a possible volume ID, which caused volumes to be unusable after a live migration. With this update, the driver is now aware of the `_name_id` field as an alternative location for the volume ID, and live migrated volumes now work as expected. (BZ#1841866)\n\n* Before this update, the internal temporary snapshot, created during async migration when creating a volume from a snapshot, was not being deleted from the VNX storage.\n\nFor example, if we create a new volume, V2, from snapshot S1, which we created from volume V1, an internal temporary snapshot, S2, is created from copying S1. V1 now has two snapshots, S1 and S2. Although we delete V1, V2 and S1 from OpenStack Block Storage (cinder), S2 is not deleted. This causes both V1 and S2 to remain on the VNX storage.\n\nWith this update, the temporary snapshot, S2, is deleted, and V1 can be successfully deleted. (BZ#1843196)",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2020:4391",
"url": "https://access.redhat.com/errata/RHSA-2020:4391"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#moderate",
"url": "https://access.redhat.com/security/updates/classification/#moderate"
},
{
"category": "external",
"summary": "1741730",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1741730"
},
{
"category": "external",
"summary": "1812988",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1812988"
},
{
"category": "external",
"summary": "1841157",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1841157"
},
{
"category": "external",
"summary": "1842748",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1842748"
},
{
"category": "external",
"summary": "1843088",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1843088"
},
{
"category": "external",
"summary": "1843196",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1843196"
},
{
"category": "external",
"summary": "1870569",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1870569"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2020/rhsa-2020_4391.json"
}
],
"title": "Red Hat Security Advisory: openstack-cinder security update",
"tracking": {
"current_release_date": "2025-08-04T07:11:56+00:00",
"generator": {
"date": "2025-08-04T07:11:56+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.6.6"
}
},
"id": "RHSA-2020:4391",
"initial_release_date": "2020-10-28T18:24:18+00:00",
"revision_history": [
{
"date": "2020-10-28T18:24:18+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2020-10-28T18:24:18+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2025-08-04T07:11:56+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat OpenStack Platform 13.0",
"product": {
"name": "Red Hat OpenStack Platform 13.0",
"product_id": "7Server-RH7-RHOS-13.0",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:openstack:13::el7"
}
}
},
{
"category": "product_name",
"name": "Red Hat OpenStack Platform 13.0 for RHEL 7.6 EUS Server",
"product": {
"name": "Red Hat OpenStack Platform 13.0 for RHEL 7.6 EUS Server",
"product_id": "7Server-7.6.EUS-RH7-RHOS-13.0",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:openstack:13::el7"
}
}
}
],
"category": "product_family",
"name": "Red Hat OpenStack Platform"
},
{
"branches": [
{
"category": "product_version",
"name": "openstack-cinder-1:12.0.10-19.el7ost.noarch",
"product": {
"name": "openstack-cinder-1:12.0.10-19.el7ost.noarch",
"product_id": "openstack-cinder-1:12.0.10-19.el7ost.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/openstack-cinder@12.0.10-19.el7ost?arch=noarch\u0026epoch=1"
}
}
},
{
"category": "product_version",
"name": "python-cinder-1:12.0.10-19.el7ost.noarch",
"product": {
"name": "python-cinder-1:12.0.10-19.el7ost.noarch",
"product_id": "python-cinder-1:12.0.10-19.el7ost.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/python-cinder@12.0.10-19.el7ost?arch=noarch\u0026epoch=1"
}
}
}
],
"category": "architecture",
"name": "noarch"
},
{
"branches": [
{
"category": "product_version",
"name": "openstack-cinder-1:12.0.10-19.el7ost.src",
"product": {
"name": "openstack-cinder-1:12.0.10-19.el7ost.src",
"product_id": "openstack-cinder-1:12.0.10-19.el7ost.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/openstack-cinder@12.0.10-19.el7ost?arch=src\u0026epoch=1"
}
}
}
],
"category": "architecture",
"name": "src"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "openstack-cinder-1:12.0.10-19.el7ost.noarch as a component of Red Hat OpenStack Platform 13.0 for RHEL 7.6 EUS Server",
"product_id": "7Server-7.6.EUS-RH7-RHOS-13.0:openstack-cinder-1:12.0.10-19.el7ost.noarch"
},
"product_reference": "openstack-cinder-1:12.0.10-19.el7ost.noarch",
"relates_to_product_reference": "7Server-7.6.EUS-RH7-RHOS-13.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "openstack-cinder-1:12.0.10-19.el7ost.src as a component of Red Hat OpenStack Platform 13.0 for RHEL 7.6 EUS Server",
"product_id": "7Server-7.6.EUS-RH7-RHOS-13.0:openstack-cinder-1:12.0.10-19.el7ost.src"
},
"product_reference": "openstack-cinder-1:12.0.10-19.el7ost.src",
"relates_to_product_reference": "7Server-7.6.EUS-RH7-RHOS-13.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python-cinder-1:12.0.10-19.el7ost.noarch as a component of Red Hat OpenStack Platform 13.0 for RHEL 7.6 EUS Server",
"product_id": "7Server-7.6.EUS-RH7-RHOS-13.0:python-cinder-1:12.0.10-19.el7ost.noarch"
},
"product_reference": "python-cinder-1:12.0.10-19.el7ost.noarch",
"relates_to_product_reference": "7Server-7.6.EUS-RH7-RHOS-13.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "openstack-cinder-1:12.0.10-19.el7ost.noarch as a component of Red Hat OpenStack Platform 13.0",
"product_id": "7Server-RH7-RHOS-13.0:openstack-cinder-1:12.0.10-19.el7ost.noarch"
},
"product_reference": "openstack-cinder-1:12.0.10-19.el7ost.noarch",
"relates_to_product_reference": "7Server-RH7-RHOS-13.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "openstack-cinder-1:12.0.10-19.el7ost.src as a component of Red Hat OpenStack Platform 13.0",
"product_id": "7Server-RH7-RHOS-13.0:openstack-cinder-1:12.0.10-19.el7ost.src"
},
"product_reference": "openstack-cinder-1:12.0.10-19.el7ost.src",
"relates_to_product_reference": "7Server-RH7-RHOS-13.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python-cinder-1:12.0.10-19.el7ost.noarch as a component of Red Hat OpenStack Platform 13.0",
"product_id": "7Server-RH7-RHOS-13.0:python-cinder-1:12.0.10-19.el7ost.noarch"
},
"product_reference": "python-cinder-1:12.0.10-19.el7ost.noarch",
"relates_to_product_reference": "7Server-RH7-RHOS-13.0"
}
]
},
"vulnerabilities": [
{
"acknowledgments": [
{
"names": [
"David Hill",
"Eric Harney"
],
"organization": "Red Hat",
"summary": "This issue was discovered by Red Hat."
}
],
"cve": "CVE-2020-10755",
"cwe": {
"id": "CWE-522",
"name": "Insufficiently Protected Credentials"
},
"discovery_date": "2019-04-04T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1842748"
}
],
"notes": [
{
"category": "description",
"text": "An insecure-credentials flaw was found in openstack-cinder. When using openstack-cinder with the Dell EMC ScaleIO or VxFlex OS backend storage driver, credentials for the entire backend are exposed in the ``connection_info`` element in all Block Storage v3 Attachments API calls containing that element. This flaw enables an end-user to create a volume, make an API call to show the attachment detail information, and retrieve a username and password that may be used to connect to another user\u0027s volume. Additionally, these credentials are valid for the ScaleIO or VxFlex OS Management API, should an attacker discover the Management API endpoint. Source: OpenStack project",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "openstack-cinder: Improper handling of ScaleIO backend credentials",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "In addition to the software updates for this flaw, you must deploy a new configuration file on compute nodes, cinder nodes, and anywhere you would perform a volume attachment in your deployment. For detailed information, refer to referenced article.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-7.6.EUS-RH7-RHOS-13.0:openstack-cinder-1:12.0.10-19.el7ost.noarch",
"7Server-7.6.EUS-RH7-RHOS-13.0:openstack-cinder-1:12.0.10-19.el7ost.src",
"7Server-7.6.EUS-RH7-RHOS-13.0:python-cinder-1:12.0.10-19.el7ost.noarch",
"7Server-RH7-RHOS-13.0:openstack-cinder-1:12.0.10-19.el7ost.noarch",
"7Server-RH7-RHOS-13.0:openstack-cinder-1:12.0.10-19.el7ost.src",
"7Server-RH7-RHOS-13.0:python-cinder-1:12.0.10-19.el7ost.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2020-10755"
},
{
"category": "external",
"summary": "RHBZ#1842748",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1842748"
},
{
"category": "external",
"summary": "RHSB-5144231",
"url": "https://access.redhat.com/articles/5144231"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2020-10755",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-10755"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2020-10755",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-10755"
},
{
"category": "external",
"summary": "https://wiki.openstack.org/wiki/OSSN/OSSN-0086",
"url": "https://wiki.openstack.org/wiki/OSSN/OSSN-0086"
}
],
"release_date": "2020-06-03T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2020-10-28T18:24:18+00:00",
"details": "For details on how to apply this update, which includes the changes\ndescribed in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"7Server-7.6.EUS-RH7-RHOS-13.0:openstack-cinder-1:12.0.10-19.el7ost.noarch",
"7Server-7.6.EUS-RH7-RHOS-13.0:openstack-cinder-1:12.0.10-19.el7ost.src",
"7Server-7.6.EUS-RH7-RHOS-13.0:python-cinder-1:12.0.10-19.el7ost.noarch",
"7Server-RH7-RHOS-13.0:openstack-cinder-1:12.0.10-19.el7ost.noarch",
"7Server-RH7-RHOS-13.0:openstack-cinder-1:12.0.10-19.el7ost.src",
"7Server-RH7-RHOS-13.0:python-cinder-1:12.0.10-19.el7ost.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2020:4391"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"7Server-7.6.EUS-RH7-RHOS-13.0:openstack-cinder-1:12.0.10-19.el7ost.noarch",
"7Server-7.6.EUS-RH7-RHOS-13.0:openstack-cinder-1:12.0.10-19.el7ost.src",
"7Server-7.6.EUS-RH7-RHOS-13.0:python-cinder-1:12.0.10-19.el7ost.noarch",
"7Server-RH7-RHOS-13.0:openstack-cinder-1:12.0.10-19.el7ost.noarch",
"7Server-RH7-RHOS-13.0:openstack-cinder-1:12.0.10-19.el7ost.src",
"7Server-RH7-RHOS-13.0:python-cinder-1:12.0.10-19.el7ost.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"products": [
"7Server-7.6.EUS-RH7-RHOS-13.0:openstack-cinder-1:12.0.10-19.el7ost.noarch",
"7Server-7.6.EUS-RH7-RHOS-13.0:openstack-cinder-1:12.0.10-19.el7ost.src",
"7Server-7.6.EUS-RH7-RHOS-13.0:python-cinder-1:12.0.10-19.el7ost.noarch",
"7Server-RH7-RHOS-13.0:openstack-cinder-1:12.0.10-19.el7ost.noarch",
"7Server-RH7-RHOS-13.0:openstack-cinder-1:12.0.10-19.el7ost.src",
"7Server-RH7-RHOS-13.0:python-cinder-1:12.0.10-19.el7ost.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "openstack-cinder: Improper handling of ScaleIO backend credentials"
}
]
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.
Loading…
Loading…