Title: Host file disclosure through qcow2 backing file Reporter: Bastian Blank (credativ) Products: Cinder and Nova Affects: up to 2014.1.4 and 2014.2 versions through 2014.2.2 Description: Bastian Blank from credativ reported a vulnerability in Cinder and Nova. By overwriting an image with a malicious qcow2 header, an authenticated user may mislead Cinder upload-to-image action, resulting in disclosure of any file from the Cinder server. A similar vulnerability in Nova can also be used by an authenticated user to trick Nova during a snapshot upload, resulting in disclosure of any file for which the Nova process user has access to. All Cinder and Nova setups are affected. Upstream bug: https://bugs.launchpad.net/cinder/+bug/1415087 Suggested patches can be found here: https://bugs.launchpad.net/cinder/+bug/1415087/+attachment/4362440/+files/0001-Disallow-backing-files-when-uploading-volumes-to-ima.patch https://bugs.launchpad.net/cinder/+bug/1415087/+attachment/4340460/+files/0001-Require-source-image-format-for-convert_image-calls.patch
Created openstack-nova tracking bugs for this issue: Affects: fedora-all [bug 1231819] Affects: openstack-rdo [bug 1231820]
Statement: Red Hat Product Security has rated this issue as having Low security impact in all supported versions of Red Hat Enterprise Linux OpenStack Platform. While this issue is present, we do not believe the code path is currently reachable in an attacker exploitable fashion. A future update may address this flaw.