Bug 1290511 (CVE-2015-7548) - CVE-2015-7548 openstack-nova: Unprivileged API user can access host data using instance snapshot
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2015-7548
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1295729 1295730 1295731 1295732 1295733 1296643 1296644
Blocks: 1290521
Reported: 2015-12-10 17:24 UTC by Adam Mariš
Modified: 2023-05-12 21:11 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
A flaw was discovered in the OpenStack Compute (nova) snapshot feature when using the libvirt driver. A compute user could overwrite an attached instance disk with a malicious header specifying a backing file, and then request a snapshot, causing a file from the compute host to be leaked. This flaw only affects LVM or Ceph setups, or setups using filesystem storage with "use_cow_images = False".
Clone Of:
Environment:
Last Closed: 2016-02-22 01:51:08 UTC
Embargoed:

Links
System | ID | Private | Priority | Status | Summary | Last Updated
Red Hat Product Errata | RHSA-2016:0017 | 0 | normal | SHIPPED_LIVE | Important: openstack-nova security advisory | 2016-01-11 04:20:21 UTC
Red Hat Product Errata | RHSA-2016:0018 | 0 | normal | SHIPPED_LIVE | Important: openstack-nova security update | 2016-01-11 15:17:02 UTC

Description Adam Mariš 2015-12-10 17:24:14 UTC
A vulnerability in Nova instance snapshot was discovered. By overwriting the disk inside an instance with a malicious image and requesting a snapshot, an authenticated user would be able to read an arbitrary file from the compute host.

The host file needs to be readable by the nova user to be exposed, except when using lvm for instance storage, when all files readable by root are exposed. Only setups using libvirt to spawn instances are vulnerable. Of these, setups which use filesystem storage, and do not set "use_cow_images = False" in Nova configuration are not affected. Setups which use ceph, lvm, or ploop for instance storage, and setups which use filesystem storage with "use_cow_images = False" are all affected.

Upstream bug:

https://bugs.launchpad.net/nova/+bug/1524274
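
The affected-setup matrix in the description above can be checked against a compute host's nova.conf. The following is an added example, not code from the bug report or from the nova project. Beyond "use_cow_images", which the report quotes, it assumes nova's "compute_driver" option and the "[libvirt] images_type" option with values default, raw, qcow2, lvm, rbd (Ceph) and ploop.

```python
import configparser

# Storage backends the description lists as affected (rbd is nova's Ceph backend).
NON_FILE_BACKENDS = {"lvm", "rbd", "ploop"}

def assess(conf_text):
    """Classify one nova.conf against the affected-setup matrix in the description."""
    cp = configparser.RawConfigParser(strict=False)  # no % interpolation
    cp.read_string(conf_text)
    driver = cp.get("DEFAULT", "compute_driver", fallback="").strip().lower()
    if not driver:
        return ("review", "compute_driver is not set in this file")
    if "libvirt" not in driver:
        return ("not affected", "only libvirt setups are vulnerable")
    # Nova defaults: images_type = default, use_cow_images = True.
    images_type = cp.get("libvirt", "images_type", fallback="default").strip().lower()
    cow = cp.getboolean("DEFAULT", "use_cow_images", fallback=True)
    if images_type in NON_FILE_BACKENDS:
        return ("affected", "images_type = " + images_type)
    # Assumption: images_type = raw behaves like filesystem storage with
    # use_cow_images = False; the bug report only names the latter.
    if images_type == "raw" or (images_type == "default" and not cow):
        return ("affected", "filesystem storage without copy-on-write images")
    if images_type in ("default", "qcow2"):
        return ("not affected", "filesystem storage with copy-on-write images")
    return ("review", "unrecognised images_type " + repr(images_type))

# Constructed sample configurations, not taken from any real deployment.
SAMPLES = {
    "ceph": "[DEFAULT]\ncompute_driver = libvirt.LibvirtDriver\n"
            "[libvirt]\nimages_type = rbd\n",
    "flat-file": "[DEFAULT]\ncompute_driver = libvirt.LibvirtDriver\n"
                 "use_cow_images = False\n",
    "stock": "[DEFAULT]\ncompute_driver = libvirt.LibvirtDriver\n",
    "other-driver": "[DEFAULT]\ncompute_driver = vmwareapi.VMwareVCDriver\n",
}

if __name__ == "__main__":
    for name, text in SAMPLES.items():
        verdict, reason = assess(text)
        print(f"{name:13} {verdict:13} {reason}")
```

This evaluates configuration only; whether the installed openstack-nova package already carries the fix from RHSA-2016:0017 or RHSA-2016:0018 has to be checked separately.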

Comment 5 Adam Mariš 2015-12-11 12:35:07 UTC
Acknowledgements:

This issue was discovered by Matthew Booth of Red Hat.

Comment 11 Kurt Seifried 2016-01-07 18:02:42 UTC
Created openstack-nova tracking bugs for this issue:

Affects: fedora-all [bug 1296644]

Comment 12 Kurt Seifried 2016-01-07 18:04:48 UTC
This is now public:

http://seclists.org/oss-sec/2016/q1/40

Comment 13 errata-xmlrpc 2016-01-10 23:21:23 UTC
This issue has been addressed in the following products:

  OpenStack 5 for RHEL 6

Via RHSA-2016:0017 https://rhn.redhat.com/errata/RHSA-2016-0017.html

Comment 14 errata-xmlrpc 2016-01-11 10:17:25 UTC
This issue has been addressed in the following products:

  OpenStack 7 For RHEL 7
  OpenStack 5 for RHEL 7
  OpenStack 6 for RHEL 7

Via RHSA-2016:0018 https://rhn.redhat.com/errata/RHSA-2016-0018.html
