Bug 1290511 - (CVE-2015-7548) CVE-2015-7548 openstack-nova: Unprivileged API user can access host data using instance snapshot
CVE-2015-7548 openstack-nova: Unprivileged API user can access host data usin...
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
All Linux
high Severity high
: ---
: ---
Assigned To: Red Hat Product Security
: Security
Depends On: 1295729 1295730 1295731 1295732 1295733 1296643 1296644
Blocks: 1290521
  Show dependency treegraph
Reported: 2015-12-10 12:24 EST by Adam Mariš
Modified: 2016-02-21 20:51 EST (History)
28 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
A flaw was discovered in the OpenStack Compute (nova) snapshot feature when using the libvirt driver. A compute user could overwrite an attached instance disk with a malicious header specifying a backing file, and then request a snapshot, causing a file from the compute host to be leaked. This flaw only affects LVM or Ceph setups, or setups using filesystem storage with "use_cow_images = False".
Story Points: ---
Clone Of:
Last Closed: 2016-02-21 20:51:08 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

  None (edit)
Description Adam Mariš 2015-12-10 12:24:14 EST
A vulnerability in Nova instance snapshot was discovered. By overwriting the disk inside an instance with a malicious image and requesting a snapshot, an authenticated user would be able to read an arbitrary file from the compute host.

Host file needs to be readable by the nova user to be exposed except when using lvm for instance storage, when all files readable by root are exposed. Only setups using libvirt to spawn instances are vulnerable. Of these, setups which use filesystem storage, and do not set "use_cow_images = False" in Nova configuration are not affected. Setups which use ceph, lvm, or ploop for instance storage, and setups which use filesystem storage with "use_cow_images = False" are all affected.

Upstream bug:

Comment 5 Adam Mariš 2015-12-11 07:35:07 EST

This issue was discovered by Matthew Booth of Red Hat.
Comment 11 Kurt Seifried 2016-01-07 13:02:42 EST
Created openstack-nova tracking bugs for this issue:

Affects: fedora-all [bug 1296644]
Comment 12 Kurt Seifried 2016-01-07 13:04:48 EST
This is now public:

Comment 13 errata-xmlrpc 2016-01-10 18:21:23 EST
This issue has been addressed in the following products:

  OpenStack 5 for RHEL 6

Via RHSA-2016:0017 https://rhn.redhat.com/errata/RHSA-2016-0017.html
Comment 14 errata-xmlrpc 2016-01-11 05:17:25 EST
This issue has been addressed in the following products:

  OpenStack 7 For RHEL 7
  OpenStack 5 for RHEL 7
  OpenStack 6 for RHEL 7

Via RHSA-2016:0018 https://rhn.redhat.com/errata/RHSA-2016-0018.html

Note You need to log in before you can comment on or make changes to this bug.