A vulnerability in Nova instance snapshot was discovered. By overwriting the disk inside an instance with a malicious image and requesting a snapshot, an authenticated user would be able to read an arbitrary file from the compute host. A host file needs to be readable by the nova user to be exposed, except when using lvm for instance storage, in which case all files readable by root are exposed.

Only setups using libvirt to spawn instances are vulnerable. Of these, setups which use filesystem storage and do not set "use_cow_images = False" in the Nova configuration are not affected. Setups which use ceph, lvm, or ploop for instance storage, and setups which use filesystem storage with "use_cow_images = False", are all affected.

Upstream bug: https://bugs.launchpad.net/nova/+bug/1524274
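The affected-setup matrix above can be checked against a compute host's nova.conf. The following is an added example, not code from Nova or from this report; mapping ceph to `images_type = rbd` and treating an explicit `images_type = raw` like filesystem storage without COW images are assumptions of the example, and the sample fragments are constructed.

```python
import configparser

# images_type values taken as affected, with the account whose readable files
# are exposed. "rbd" for ceph and "raw" for non-COW files are assumptions.
AFFECTED_BACKENDS = {"rbd": "the nova user", "ploop": "the nova user",
                     "raw": "the nova user", "lvm": "root"}


def snapshot_exposure(conf_text):
    """Return (affected, detail) for one nova.conf; affected is None if unknown."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(conf_text)
    driver = cp.get("DEFAULT", "compute_driver", fallback="").strip().lower()
    if not driver:
        return (None, "compute_driver is not set in this file")
    if "libvirt" not in driver:
        return (False, "instances are not spawned through libvirt")
    images_type = cp.get("libvirt", "images_type", fallback="default").strip().lower()
    if images_type == "default":
        # Filesystem storage: COW images unless use_cow_images is turned off.
        cow = cp.getboolean("DEFAULT", "use_cow_images", fallback=True)
        images_type = "qcow2" if cow else "raw"
    if images_type in AFFECTED_BACKENDS:
        who = AFFECTED_BACKENDS[images_type]
        return (True, f"{images_type}: host files readable by {who} are exposed")
    if images_type == "qcow2":
        return (False, "filesystem storage with COW images")
    return (None, f"images_type '{images_type}' is not covered by the advisory")


# Constructed nova.conf fragments, for demonstration only.
SAMPLES = {
    "cow-default": "[DEFAULT]\ncompute_driver = libvirt.LibvirtDriver\n",
    "raw-files": "[DEFAULT]\ncompute_driver = libvirt.LibvirtDriver\n"
                 "use_cow_images = False\n",
    "lvm": "[DEFAULT]\ncompute_driver = libvirt.LibvirtDriver\n"
           "[libvirt]\nimages_type = lvm\n",
    "ceph": "[DEFAULT]\ncompute_driver = libvirt.LibvirtDriver\n"
            "[libvirt]\nimages_type = rbd\n",
    "vmware": "[DEFAULT]\ncompute_driver = vmwareapi.VMwareVCDriver\n",
}

if __name__ == "__main__":
    for name, text in SAMPLES.items():
        print(name, snapshot_exposure(text))
```

A `True` result only says the configuration falls in the affected set; whether the installed openstack-nova package already carries the fix is a separate check.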
Acknowledgements: This issue was discovered by Matthew Booth of Red Hat.
Created openstack-nova tracking bugs for this issue: Affects: fedora-all [bug 1296644]
This is now public: http://seclists.org/oss-sec/2016/q1/40
This issue has been addressed in the following products:

OpenStack 5 for RHEL 6

Via RHSA-2016:0017 https://rhn.redhat.com/errata/RHSA-2016-0017.html

This issue has been addressed in the following products:

OpenStack 7 For RHEL 7
OpenStack 5 for RHEL 7
OpenStack 6 for RHEL 7

Via RHSA-2016:0018 https://rhn.redhat.com/errata/RHSA-2016-0018.html