Bug 1290511 (CVE-2015-7548)

Summary: CVE-2015-7548 openstack-nova: Unprivileged API user can access host data using instance snapshot
Product: [Other] Security Response
Reporter: Adam Mariš <amaris>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: high
Priority: high
Version: unspecified
CC: abaron, aortega, apevec, ayoung, berrange, chrisw, dallan, dasmith, eglynn, gkotton, gmollett, jjoyce, jschluet, kbasil, kchamart, lhh, lpeer, markmc, mbooth, mburns, ndipanov, nova-maint, rbryant, sbauza, sclewis, security-response-team, sferdjao, sgordon, slinaber, slong, tdecacqu, vromanso, yeylon
Keywords: Security
Hardware: All
OS: Linux
Doc Type: Bug Fix
Doc Text:
A flaw was discovered in the OpenStack Compute (nova) snapshot feature when using the libvirt driver. A compute user could overwrite an attached instance disk with a malicious header specifying a backing file, and then request a snapshot, causing a file from the compute host to be leaked. This flaw only affects LVM or Ceph setups, or setups using filesystem storage with "use_cow_images = False".
Last Closed: 2016-02-22 01:51:08 UTC
Bug Depends On: 1295729, 1295730, 1295731, 1295732, 1295733, 1296643, 1296644    
Bug Blocks: 1290521    

Description Adam Mariš 2015-12-10 17:24:14 UTC
A vulnerability in Nova instance snapshot was discovered. By overwriting the disk inside an instance with a malicious image and requesting a snapshot, an authenticated user would be able to read an arbitrary file from the compute host.

A host file needs to be readable by the nova user to be exposed, except when using lvm for instance storage, when all files readable by root are exposed. Only setups using libvirt to spawn instances are vulnerable. Of these, setups which use filesystem storage and do not set "use_cow_images = False" in the Nova configuration are not affected. Setups which use ceph, lvm, or ploop for instance storage, and setups which use filesystem storage with "use_cow_images = False", are all affected.

Upstream bug:

https://bugs.launchpad.net/nova/+bug/1524274
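
The affected-setup rules in the description above can be checked against a compute node's nova.conf. The following is an added example, not code from Nova or from this bug report; the function name `snapshot_exposure` and the sample configurations are constructed for illustration. It inspects configuration only and does not tell you whether the fixed packages are installed.

```python
import configparser

# [libvirt] images_type values for the storage backends the report lists as affected.
AFFECTED_BACKENDS = {"lvm", "rbd", "ploop"}  # rbd is nova's Ceph backend


def snapshot_exposure(conf_text):
    """Return (affected, reason) for one nova.conf, per the rules in this report."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(conf_text)

    driver = cp.get("DEFAULT", "compute_driver", fallback="")
    if "libvirt" not in driver.lower():
        return False, "compute_driver is not libvirt"

    images_type = cp.get("libvirt", "images_type", fallback="default").strip().lower()
    if images_type in AFFECTED_BACKENDS:
        return True, "instance storage backend is " + images_type
    # Assumption: an explicit qcow2/raw images_type behaves like filesystem
    # storage with use_cow_images = True/False respectively.
    if images_type == "qcow2":
        return False, "filesystem storage with copy-on-write images"
    if images_type == "raw":
        return True, "filesystem storage with raw (non-COW) images"

    # images_type = default: use_cow_images (default True) picks the format.
    if cp.getboolean("DEFAULT", "use_cow_images", fallback=True):
        return False, "filesystem storage with copy-on-write images"
    return True, "filesystem storage with use_cow_images = False"


# Constructed sample configurations (not taken from any real deployment).
_LIBVIRT = "[DEFAULT]\ncompute_driver = libvirt.LibvirtDriver\n"
SAMPLES = {
    "ceph": _LIBVIRT + "[libvirt]\nimages_type = rbd\n",
    "lvm": _LIBVIRT + "[libvirt]\nimages_type = lvm\n",
    "fs-cow": _LIBVIRT + "[libvirt]\nimages_type = default\n",
    "fs-nocow": _LIBVIRT + "use_cow_images = False\n",
    "other-driver": "[DEFAULT]\ncompute_driver = fake.FakeDriver\nuse_cow_images = False\n",
}

if __name__ == "__main__":
    for name, text in SAMPLES.items():
        affected, reason = snapshot_exposure(text)
        print(f"{name:13s} {'AFFECTED' if affected else 'ok':9s} {reason}")
```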

Comment 5 Adam Mariš 2015-12-11 12:35:07 UTC
Acknowledgements:

This issue was discovered by Matthew Booth of Red Hat.

Comment 11 Kurt Seifried 2016-01-07 18:02:42 UTC
Created openstack-nova tracking bugs for this issue:

Affects: fedora-all [bug 1296644]

Comment 12 Kurt Seifried 2016-01-07 18:04:48 UTC
This is now public:

http://seclists.org/oss-sec/2016/q1/40

Comment 13 errata-xmlrpc 2016-01-10 23:21:23 UTC
This issue has been addressed in the following products:

  OpenStack 5 for RHEL 6

Via RHSA-2016:0017 https://rhn.redhat.com/errata/RHSA-2016-0017.html

Comment 14 errata-xmlrpc 2016-01-11 10:17:25 UTC
This issue has been addressed in the following products:

  OpenStack 7 For RHEL 7
  OpenStack 5 for RHEL 7
  OpenStack 6 for RHEL 7

Via RHSA-2016:0018 https://rhn.redhat.com/errata/RHSA-2016-0018.html