Bug 836076 (CVE-2012-3360) - CVE-2012-3360 OpenStack-Nova: compute nodes file injection in disk images
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2012-3360
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 844036 844040
Blocks:
 
Reported: 2012-06-28 03:41 UTC by Kurt Seifried
Modified: 2019-09-29 12:53 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2012-09-12 19:05:15 UTC



Description Kurt Seifried 2012-06-28 03:41:40 UTC
Thierry Carrez <thierry@openstack.org> reports:

Title: Arbitrary file injection/corruption through directory traversal issues
Impact: Critical
Reporter: Matthias Weckbecker (SUSE Security team)

Description: Matthias Weckbecker from SUSE Security team reported a
vulnerability in Nova compute nodes handling of file injection in
disk images. By requesting files to be injected in malicious paths,
a remote authenticated user could inject files in arbitrary
locations on the host file system, potentially resulting in full
compromise of the compute node. Only Essex and later setups running
the OpenStack API over libvirt-based hypervisors are affected.
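
The containment check this class of bug calls for, as an added example that is not part of the bug report and is not Nova's own code: it resolves a requested injection path against the mounted image root and refuses any result that leaves it through `..` components or symlinks. The names `resolve_within_root` and `inject_file`, and the temporary directory standing in for the mounted image, are assumptions made for the illustration.

```python
import os
import tempfile


class InjectionPathError(ValueError):
    """Raised when an injection path resolves outside the mounted image."""


def resolve_within_root(root, *parts):
    """Join parts under root; reject results that escape root (hypothetical helper)."""
    real_root = os.path.realpath(root)
    # os.path.join discards everything before an absolute component, so strip
    # leading separators: "/etc/motd" must mean <root>/etc/motd, not the host's.
    rel = [p.lstrip(os.sep) for p in parts]
    # realpath collapses ".." and follows symlinks that already exist in the image.
    candidate = os.path.realpath(os.path.join(real_root, *rel))
    if os.path.commonpath([real_root, candidate]) != real_root:
        raise InjectionPathError("%r resolves outside %r" % (parts, real_root))
    return candidate


def inject_file(root, guest_path, data):
    """Write data at guest_path inside root, only after the containment check."""
    target = resolve_within_root(root, guest_path)
    os.makedirs(os.path.dirname(target), exist_ok=True)
    with open(target, "wb") as fh:
        fh.write(data)
    return target


def demo():
    """Run constructed sample paths against a throwaway directory tree."""
    results = {}
    with tempfile.TemporaryDirectory() as host:
        root = os.path.join(host, "mnt")  # constructed stand-in for the mounted image
        os.makedirs(os.path.join(root, "etc"))
        # A symlink inside the image that points back out to the host side.
        os.symlink(host, os.path.join(root, "escape"))
        samples = ("/etc/motd", "../outside.txt",
                   "etc/../../outside.txt", "escape/outside.txt")
        for path in samples:
            try:
                inject_file(root, path, b"constructed sample data")
                results[path] = "written"
            except InjectionPathError:
                results[path] = "rejected"
        results["host_untouched"] = not os.path.exists(os.path.join(host, "outside.txt"))
    return results
```

The check is only as good as the state it resolves against: it assumes nothing can change the directory tree between `resolve_within_root` and the `open` call.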

Comment 1 Kurt Seifried 2012-07-03 19:24:22 UTC
This is public now: www.openwall.com/lists/oss-security/2012/07/03/2. Filing trackers.

Comment 3 Kurt Seifried 2012-07-28 06:11:37 UTC
Created openstack-nova tracking bugs for this issue

Affects: fedora-all [bug 844036]

Comment 4 Kurt Seifried 2012-07-28 06:19:56 UTC
Created openstack-nova tracking bugs for this issue

Affects: epel-6 [bug 844040]

