Grant Murphy of Red Hat reports:

Title: Live migration can leak root disk into ephemeral storage
Reporter: Loganathan Parthipan (HP)
Products: Nova
Affects: All supported versions

Description: Loganathan Parthipan from Hewlett Packard reported a vulnerability in the Nova libvirt driver. By spawning a server with the same flavor as another user's migrated virtual machine, an authenticated user can potentially access that user's snapshot content, resulting in information leakage. Only setups using KVM live block migration are affected.
Created attachment 852636 CVE-2013-7130-master.patch
Created attachment 852637 CVE-2013-7130-stable-grizzly.patch
Created attachment 852638 CVE-2013-7130-stable-havana.patch
Created openstack-nova tracking bugs for this issue:
Affects: fedora-all [bug 1057310]
Affects: epel-6 [bug 1057311]
openstack-nova-2013.2.1-4.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.
openstack-nova-2013.1.4-6.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report.
Acknowledgements: Red Hat would like to thank the OpenStack project for reporting this issue. The OpenStack project acknowledges Loganathan Parthipan as the original reporter.
This issue has been addressed in the following products: OpenStack 4 for RHEL 6, via RHSA-2014:0231 https://rhn.redhat.com/errata/RHSA-2014-0231.html
This issue has been addressed in the following products: OpenStack 3 for RHEL 6, via RHSA-2014:0366 https://rhn.redhat.com/errata/RHSA-2014-0366.html