|
Message-ID: <a2972f5b-b716-52f2-732f-093081865c65@redhat.com>
Date: Tue, 10 Jul 2018 09:22:25 +0100
From: Luke Hinds <lhinds@...hat.com>
To: oss-security <oss-security@...ts.openwall.com>
Subject: [OSSN-0084] Data retained after deletion of a ScaleIO volume
Data retained after deletion of a ScaleIO volume
---
### Summary ###
Certain storage volume configurations allow newly created volumes to
contain previous data. This could lead to leakage of sensitive
information between tenants.
### Affected Services / Software ###
Cinder releases up to and including Queens with ScaleIO volumes
using thin volumes and zero padding.
### Discussion ###
Using both thin volumes and zero padding does not ensure data contained
in a volume is actually deleted. The default volume provisioning rule is
set to thick so most installations are likely not affected. Operators
can check their configuration in `cinder.conf` or check for zero padding
with this command `scli --query_all`.
#### Recommended Actions ####
Operators can use the following two workarounds, until the release of
Rocky (planned 30th August 2018) which resolves the issue.
1. Swap to thin volumes
2. Ensure ScaleIO storage pools use zero-padding with:
`scli --modify_zero_padding_policy
(((--protection_domain_id <ID> |
--protection_domain_name <NAME>)
--storage_pool_name <NAME>) | --storage_pool_id <ID>)
(--enable_zero_padding | --disable_zero_padding)`
### Contacts / References ###
Author: Nick Tait
This OSSN : https://wiki.openstack.org/wiki/OSSN/OSSN-0084
Original LaunchPad Bug : https://bugs.launchpad.net/ossn/+bug/1699573
Mailing List : [Security] tag on openstack-dev@...ts.openstack.org
OpenStack Security Project : https://launchpad.net/~openstack-ossg
Download attachment "signature.asc" of type "application/pgp-signature" (489 bytes)
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.