Bug 2179587 (CVE-2023-2088)

Summary: CVE-2023-2088 openstack-cinder: silently access other user's volumes
Product: [Other] Security Response
Reporter: Nick Tait <ntait>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
QA Contact:
Severity: urgent
Docs Contact:
Priority: urgent
Version: unspecified
CC: apevec, cgussobo, cinder-bugs, cyril, dasmith, eglynn, jhakimra, jjoyce, jschluet, kchamart, lhh, mburns, mgarciac, osp-dfg-compute, pgrist, rhos-maint, sbauza, security-response-team, sgordon, spower, vromanso
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in OpenStack due to an inconsistency between Cinder and Nova. This issue can be triggered intentionally or by accident. A remote, authenticated attacker could exploit this vulnerability by detaching one of their volumes from Cinder. The highest impact is to confidentiality.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2023-05-17 08:31:30 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 2186886, 2186887, 2186888, 2186889, 2186890, 2186891, 2186892, 2186893, 2186896, 2186897, 2186898, 2186899, 2186903, 2186904, 2188059, 2188060, 2188061, 2188062, 2196860, 2196861, 2196862, 2196863, 2196864
Bug Blocks: 2176786

Description Nick Tait 2023-03-18 22:10:46 UTC
https://bugs.launchpad.net/nova/+bug/2004555

Comment 5 Nick Tait 2023-05-10 14:48:03 UTC
Created openstack-cinder tracking bugs for this issue:

Affects: openstack-rdo [bug 2196861]

Created openstack-nova tracking bugs for this issue:

Affects: openstack-rdo [bug 2196860]

Created python-glance-store tracking bugs for this issue:

Affects: openstack-rdo [bug 2196864]

Created python-os-brick tracking bugs for this issue:

Affects: openstack-rdo [bug 2196862]

Created tripleo-ansible tracking bugs for this issue:

Affects: openstack-rdo [bug 2196863]

Comment 6 errata-xmlrpc 2023-05-17 00:59:47 UTC
This issue has been addressed in the following products:

  Red Hat OpenStack Platform 16.1

Via RHSA-2023:3156 https://access.redhat.com/errata/RHSA-2023:3156

Comment 7 errata-xmlrpc 2023-05-17 01:00:05 UTC
This issue has been addressed in the following products:

  Red Hat OpenStack Platform 17.0

Via RHSA-2023:3157 https://access.redhat.com/errata/RHSA-2023:3157

Comment 8 errata-xmlrpc 2023-05-17 01:01:50 UTC
This issue has been addressed in the following products:

  Red Hat OpenStack Platform 16.2

Via RHSA-2023:3158 https://access.redhat.com/errata/RHSA-2023:3158

Comment 9 errata-xmlrpc 2023-05-17 01:54:15 UTC
This issue has been addressed in the following products:

  Red Hat OpenStack Platform 13.0 - ELS
  Red Hat OpenStack Platform 13.0 (Queens) for RHEL 7.6 EUS

Via RHSA-2023:3161 https://access.redhat.com/errata/RHSA-2023:3161

Comment 10 Product Security DevOps Team 2023-05-17 08:31:28 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2023-2088