date: 2013-08-07

id: OSSA-2013-021

title: 'Cinder LVM volume driver does not support secure deletion'

description: 'Rongze Zhu from UnitedStack reported a vulnerability in the Cinder LVM
  volume driver. The contents of LVM snapshots may not be cleared upon deletion even
  when secure deletes are configured, resulting in potential exposure of latent data
  to subsequent servers for other tenants. Only setups using LVMVolumeDriver are affected.'

reference: http://lists.openstack.org/pipermail/openstack/2013-August/000415.html

affected-products:

  - product: cinder
    version: 2013.1 (Grizzly) and later

vulnerabilities:

  - cve-id: CVE-2013-4183
    impact-assessment:
      source: 'Red Hat Product Security'
      rating: moderate
      assessment:
        type: CVSS2
        score: 3.5
        detail: AV:N/AC:M/Au:S/C:P/I:N/A:N
    classification:
      source: 'Red Hat Product Security'
      type: CWE
      detail: TODO

reporters:

  - name: 'Rongze Zhu'
    affiliation: UnitedStack
    reported:
      - CVE-2013-4183

issues:

  links:
    - https://launchpad.net/bugs/1198185

  type: launchpad

reviews:

  havana:
    - https://review.openstack.org/#/c/36506

  grizzly:
    - https://review.openstack.org/#/c/39565

  type: gerrit