Title: Host file disclosure through qcow2 backing file Reporter: Bastian Blank (credativ) Products: Cinder and Nova Affects: up to 2014.1.4 and 2014.2 versions through 2014.2.2 Description: Bastian Blank from credativ reported a vulnerability in Cinder and Nova. By overwriting an image with a malicious qcow2 header, an authenticated user may mislead Cinder upload-to-image action, resulting in disclosure of any file from the Cinder server. A similar vulnerability in Nova can also be used by an authenticated user to trick Nova during a snapshot upload, resulting in disclosure of any file for which the Nova process user has access to. All Cinder and Nova setups are affected. Upstream bug: https://bugs.launchpad.net/cinder/+bug/1415087 Suggested patches can be found here: https://bugs.launchpad.net/cinder/+bug/1415087/+attachment/4362440/+files/0001-Disallow-backing-files-when-uploading-volumes-to-ima.patch https://bugs.launchpad.net/cinder/+bug/1415087/+attachment/4340460/+files/0001-Require-source-image-format-for-convert_image-calls.patch
Created openstack-cinder tracking bugs for this issue: Affects: fedora-all [bug 1231821] Affects: openstack-rdo [bug 1231822]
This issue has been addressed in the following products: OpenStack 5 for RHEL 6 OpenStack 5 for RHEL 7 OpenStack 6 for RHEL 7 Via RHSA-2015:1206 https://rhn.redhat.com/errata/RHSA-2015-1206.html