The OpenStack project reports: "" Title: Cinder-volume host data leak to vm instance Reporter: Duncan Thomas (HP) Products: Cinder Versions: up to 2014.1.2 Description: Duncan Thomas from Hewlett Packard reported a vulnerability in Cinder GlusterFS and Linux Smbfs driver. By overwriting a volume from within an instance with a malicious qcow2 header, an authenticated user may be able to clone and attach that corrupted volume resulting in affected drivers leaking an arbitrary file from the Cinder-volume host to the virtual instance. Note that the host file must be readable by the Cinder context to be exposed. Only Cinder setups using GlusterFS volume driver configured with glusterfs_qcow2_volumes=False (which is the default) or Cinder setups using Smbfs volume driver configured with smbfs_default_volume_format=raw (which is not the default) are affected. "" Acknowledgements: Red Hat would like to thank the OpenStack project for reporting this issue. Upstream acknowledges Duncan Thomas from Hewlett Packard as the original reporter.
Created attachment 942918 [details] upstream patch for juno
Created attachment 942919 [details] upstream patch for icehouse
Created attachment 942920 [details] upstream patch to fix an issue (caused by the previously attached patch) in the Windows Smbfs volume driver
This issue is public now: http://seclists.org/oss-sec/2014/q4/78 https://review.openstack.org/125671 https://review.openstack.org/125710
Created openstack-cinder tracking bugs for this issue: Affects: fedora-all [bug 1149051]
openstack-cinder-2014.1.3-1.fc21 has been pushed to the Fedora 21 stable repository. If problems still persist, please make note of it in this bug report.
This issue has been addressed in the following products: OpenStack 5 for RHEL 7 Via RHSA-2014:1788 https://rhn.redhat.com/errata/RHSA-2014-1788.html
This issue has been addressed in the following products: OpenStack 5 for RHEL 6 Via RHSA-2014:1787 https://rhn.redhat.com/errata/RHSA-2014-1787.html