CVE-2017-7549

A flaw was found in instack-undercloud 7.2.0 as packaged in Red Hat OpenStack Platform Pike, 6.1.0 as packaged in Red Hat OpenStack Platform Oacta, 5.3.0 as packaged in Red Hat OpenStack Newton, where pre-install and security policy scripts used insecure temporary files. A local user could exploit this flaw to conduct a symbolic-link attack, allowing them to overwrite the contents of arbitrary files.

Weakness

Creating and using insecure temporary files can leave application and system data vulnerable to attack.

Affected Software

Related Attack Patterns

• https://cwe.mitre.org/data/definitions/149.html
• https://cwe.mitre.org/data/definitions/155.html

References

• http://www.securityfocus.com/bid/100407
• https://access.redhat.com/errata/RHSA-2017:2557
• https://access.redhat.com/errata/RHSA-2017:2649
• https://access.redhat.com/errata/RHSA-2017:2687
• https://access.redhat.com/errata/RHSA-2017:2693
• https://access.redhat.com/errata/RHSA-2017:2726
• https://bugzilla.redhat.com/show_bug.cgi?id=1477403
• http://www.securityfocus.com/bid/100407
• https://access.redhat.com/errata/RHSA-2017:2557
• https://access.redhat.com/errata/RHSA-2017:2649
• https://access.redhat.com/errata/RHSA-2017:2687
• https://access.redhat.com/errata/RHSA-2017:2693
• https://access.redhat.com/errata/RHSA-2017:2726
• https://bugzilla.redhat.com/show_bug.cgi?id=1477403