Bugzilla – Bug 858509
VUL-0: CVE-2013-7048: openstack-nova: Nova live snapshots use an insecure local directory
Last modified: 2014-10-01 07:33:16 UTC
OpenStack Security Advisory: 2014-001 CVE: CVE-2013-7048 Date: January 13, 2013 Title: Nova live snapshots use an insecure local directory Reporter: Daniel Berrange (Red Hat) Products: Nova Affects: Grizzly and later Description: Daniel Berrange from Red Hat reported that the directories used to temporarily store live snapshots on Nova compute nodes were writable to all local users. A local attacker with shell access on compute nodes could therefore read and modify the contents of live snapshots before those are uploaded to the image service. Icehouse (development branch) fix: https://review.openstack.org/#/c/58852/ Havana fix: https://review.openstack.org/#/c/60548/ Grizzly fix: https://review.openstack.org/#/c/60550/ References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-7048 https://bugs.launchpad.net/nova/+bug/1227027 Regards, -- Thierry Carrez OpenStack Vulnerability Management Team
bugbot adjusting priority
Sascha: since you're going to update nova for bug 855335, can you also do this at the same time?
still an issue?
(In reply to Marcus Meissner from comment #5) > still an issue? I don't think so. Cloud 3 and Cloud 4 are not affected (they got the fix before their release). And according to the SR (https://build.suse.de/request/show/35536) there is no plan to release more updates for Cloud 2.