Bug 2278663 (2024-emu, CVE-2024-32498)

Summary: CVE-2024-32498 OpenStack: malicious qcow2/vmdk images
Product: [Other] Security Response
Reporter: Mauro Matteo Cascella <mcascell>
Component: vulnerability
Assignee: Product Security <prodsec-ir-bot>
Status: NEW ---
QA Contact:
Severity: urgent
Docs Contact:
Priority: urgent
Version: unspecified
CC: alfrgarc, athomas, brian.rosmaita, cinder-bugs, cyril, dasmith, eglynn, gfidente, hreitz, jhakimra, jjoyce, jschluet, kchamart, kwolf, lhh, lsvaty, ltoscano, mburns, mgarciac, osp-dfg-compute, pgrist, sbauza, security-response-team, sgordon, tsaito, tvignaud, udesale, vgoyal, vromanso, ytale
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
An input validation flaw was discovered in how multiple OpenStack services validate images with backing file references. An authenticated attacker could provide a malicious image via upload, or by creating and modifying an image from an existing volume. Validation of images can be triggered during image upload or when attaching images to virtual machines. During this process, the affected OpenStack services could be tricked into reading or writing to the host with the equivalent privileges of QEMU. This bypasses isolation restrictions, significantly reducing the security of an affected compute host, and could enable arbitrary code execution, a denial of service, or leaking of secrets. If exploited, the immediate impact is limited to an individual compute host. However, if the attacker has access to multiple hosts and enough time to repeat it, they could potentially spread across all compute hosts.
Story Points: ---
Clone Of:
Environment:
Last Closed:
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 2278665, 2278666, 2278667, 2278668, 2278669, 2278670, 2294740, 2295197, 2295307, 2295308, 2295309
Bug Blocks: 2278671

Description Mauro Matteo Cascella 2024-05-02 16:04:55 UTC
A flaw was found in the OpenStack Compute (nova), Block Storage (cinder) and Image (glance) services in the way user-uploaded image files are validated through QEMU disk image utility (qemu-img). A QCOW2 or VMDK disk image containing a maliciously crafted reference could lead to an information disclosure vulnerability where the user can effectively read any file on the compute host that QEMU is allowed to read, potential file overwrite and unbounded memory/CPU consumption.
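As an added, defender-side illustration of the mitigation the Doc Text and the description call for (this is example code written for this page, not code from the bug report, from Red Hat or from OpenStack), the following Python parses the fixed qcow2 header and its header extensions with strict bounds checks and rejects any image whose header names an external file. It covers the backing file reference the report describes and, going beyond the report's wording, the external data file extension that the qcow2 format also defines; both are places where an image can point qemu-img at a path on the host. The on-disk constants (magic, field offsets, extension type `0x44415441`, incompatible feature bit 2) follow the published QEMU qcow2 specification. All function names are this example's own; `build_qcow2_v3` constructs minimal sample headers for testing, and the file names inside them are made-up placeholders.

```python
import struct

# qcow2 on-disk constants, per the QEMU qcow2 specification.
QCOW2_MAGIC = b"QFI\xfb"
EXT_END = 0x00000000               # terminates the header extension list
EXT_DATA_FILE = 0x44415441         # "DATA": external data file name extension
INCOMPAT_EXTERNAL_DATA_FILE = 1 << 2
MAX_NAME = 1023                    # upper bound for an embedded file name
MAX_EXT = 64 * 1024                # upper bound for any single header extension


def parse_qcow2_header(data: bytes) -> dict:
    """Parse the fixed qcow2 header and its extensions, failing on anything malformed.

    Every offset and length used here comes from the untrusted file, so each one
    is range-checked before it is dereferenced. Raises ValueError on bad input.
    """
    if len(data) < 72 or data[:4] != QCOW2_MAGIC:
        raise ValueError("not a qcow2 image")
    version, backing_off, backing_len, cluster_bits, size = struct.unpack_from(">IQIIQ", data, 4)
    if version == 2:
        incompatible, header_len = 0, 72
    elif version == 3:
        if len(data) < 104:
            raise ValueError("truncated qcow2 v3 header")
        incompatible, = struct.unpack_from(">Q", data, 72)
        header_len, = struct.unpack_from(">I", data, 100)
        if header_len < 104 or header_len > len(data):
            raise ValueError("bad header_length")
    else:
        raise ValueError(f"unsupported qcow2 version {version}")

    info = {"version": version, "size": size, "cluster_bits": cluster_bits,
            "incompatible_features": incompatible,
            "backing_file": None, "data_file": None}

    if backing_off or backing_len:
        if backing_len > MAX_NAME or backing_off + backing_len > len(data):
            raise ValueError("backing file name out of bounds")
        info["backing_file"] = data[backing_off:backing_off + backing_len].decode("utf-8", "replace")

    # Header extensions: (type u32, length u32, payload padded to 8 bytes) until EXT_END.
    off = header_len
    while True:
        if off + 8 > len(data):
            raise ValueError("unterminated header extension list")
        ext_type, ext_len = struct.unpack_from(">II", data, off)
        off += 8
        if ext_type == EXT_END:
            break
        if ext_len > MAX_EXT or off + ext_len > len(data):
            raise ValueError("header extension out of bounds")
        if ext_type == EXT_DATA_FILE:
            info["data_file"] = data[off:off + ext_len].decode("utf-8", "replace")
        off += ext_len + (-ext_len % 8)
    return info


def external_references(data: bytes) -> list:
    """List every external file the header points at; empty for a self-contained image."""
    info = parse_qcow2_header(data)
    findings = []
    if info["backing_file"] is not None:
        findings.append("backing file: " + info["backing_file"])
    if info["data_file"] is not None or info["incompatible_features"] & INCOMPAT_EXTERNAL_DATA_FILE:
        findings.append("external data file: " + str(info["data_file"]))
    return findings


def safe_to_import(data: bytes) -> bool:
    """Accept only self-contained qcow2 images; a parse error counts as unsafe (fail closed)."""
    try:
        return not external_references(data)
    except ValueError:
        return False


def build_qcow2_v3(backing_file=None, data_file=None, size=64 << 20) -> bytes:
    """Construct a minimal qcow2 v3 header (no tables, no data) for testing.

    Constructed sample for this example only; the file names are placeholders.
    """
    exts = b""
    if data_file is not None:
        name = data_file.encode()
        exts += struct.pack(">II", EXT_DATA_FILE, len(name)) + name + b"\0" * (-len(name) % 8)
    exts += struct.pack(">II", EXT_END, 0)
    backing = backing_file.encode() if backing_file is not None else b""
    header_len = 104
    header = struct.pack(
        ">4sIQIIQIIQQIIQQQQII",
        QCOW2_MAGIC, 3,
        header_len + len(exts) if backing else 0, len(backing),   # backing_file_offset / size
        16, size,                                                  # cluster_bits, virtual size
        0, 0, 0, 0, 0, 0, 0,                                       # crypt, L1, refcount, snapshot fields
        INCOMPAT_EXTERNAL_DATA_FILE if data_file is not None else 0, 0, 0,  # feature bitmaps
        4, header_len)                                             # refcount_order, header_length
    return header + exts + backing


if __name__ == "__main__":
    for label, img in [("clean", build_qcow2_v3()),
                       ("backing", build_qcow2_v3(backing_file="base.qcow2")),
                       ("data-file", build_qcow2_v3(data_file="disk.raw"))]:
        print(f"{label}: safe={safe_to_import(img)} refs={external_references(img)}")
```

A check like this belongs at the point of ingestion, before the uploaded bytes are ever handed to qemu-img for inspection or conversion; it needs only the first few kilobytes of the stream. It deliberately rejects every external reference, legitimate or not, because the services named in the report have no safe way to tell a benign backing file from one that points into the host filesystem.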

Comment 7 errata-xmlrpc 2024-07-02 16:41:40 UTC
This issue has been addressed in the following products:

  Red Hat OpenStack Platform 17.1 for RHEL 9

Via RHSA-2024:4272 https://access.redhat.com/errata/RHSA-2024:4272

Comment 8 errata-xmlrpc 2024-07-02 16:43:53 UTC
This issue has been addressed in the following products:

  Red Hat OpenStack Platform 16.2

Via RHSA-2024:4273 https://access.redhat.com/errata/RHSA-2024:4273

Comment 9 errata-xmlrpc 2024-07-02 16:44:05 UTC
This issue has been addressed in the following products:

  Red Hat OpenStack Platform 17.1 for RHEL 8

Via RHSA-2024:4274 https://access.redhat.com/errata/RHSA-2024:4274

Comment 15 errata-xmlrpc 2024-07-09 12:11:42 UTC
This issue has been addressed in the following products:

  Red Hat OpenStack Platform 16.1

Via RHSA-2024:4425 https://access.redhat.com/errata/RHSA-2024:4425