Stanislaw Pitucha from Hewlett Packard reported a vulnerability in the Nova instance rescue mode. By overwriting the disk inside an instance with a malicious image and switching the instance to rescue mode, an authenticated user would be able to leak an arbitrary file from the compute host to the virtual instance. Note that the host file must be readable by the libvirt/kvm context to be exposed. Only setups using libvirt to spawn instance, and having "use_cow_images = False" in Nova configuration are affected.
Created attachment 876204 [details] havana patch
Created attachment 876205 [details] icehouse patch
Havana fix: https://review.openstack.org/#/c/82841/ Icehouse fix: https://review.openstack.org/#/c/82840/ The originally supplied patches are not used; the patches have been changed slightly as can be seen by the review links above.
Acknowledgements: Red Hat would like to thank the OpenStack Project for reporting this issue. Upstream acknowledges Stanislaw Pitucha from Hewlett Packard as the original reporter.
*** Bug 1054989 has been marked as a duplicate of this bug. ***
This issue has been addressed in following products: OpenStack 4 for RHEL 6 Via RHSA-2014:0578 https://rhn.redhat.com/errata/RHSA-2014-0578.html
Created openstack-nova tracking bugs for this issue: Affects: fedora-all [bug 1119631] Affects: epel-6 [bug 1119632]