Bugzilla – Bug 869078
VUL-0: CVE-2014-0134: openstack-nova: Nova host data leak to vm instance in rescue mode.
Last modified: 2014-05-21 09:03:58 UTC
via distros, embargoed, until crd 2014-03-25 15:00 UTC This is an advance warning of a vulnerability discovered in OpenStack, to give you, as downstream stakeholders, a chance to coordinate the release of fixes and reduce the vulnerability window. Please treat the following information as confidential until the proposed public disclosure date. Title: Nova host data leak to vm instance in rescue mode. Reporter: Stanislaw Pitucha (HP) Products: Nova Versions: 2013.2 versions up to 2013.2.2 Description: Stanislaw Pitucha from Hewlett Packard reported a vulnerability in the Nova instance rescue mode. By overwriting the disk inside an instance with a malicious image and switching the instance to rescue mode, an authenticated user would be able to leak an arbitrary file from the compute host to the virtual instance. Note that the host file must be readable by the libvirt/kvm context to be exposed. Only setups using libvirt to spawn instance, and having "use_cow_images = False" in Nova configuration are affected. Proposed patch: See attached patches. Unless a flaw is discovered in them, these patches will be merged to stable/havana and master (Icehouse development branch) on the public disclosure date. CVE: CVE-2014-0134 Proposed public disclosure date/time: 2014-03-25 15:00 UTC Please do not make the issue public (or release public patches) before this coordinated embargo date. Regards, -- Tristan Cacqueray OpenStack Vulnerability Management Team
Created attachment 582743 [details] cve-2014-0134-master-icehouse.patch patch attached
Created attachment 582746 [details] cve-2014-0134-stable-havana.patch patch for havana that was attached
Affected packages: SLE-11-SP3-PRODUCTS: openstack-nova SLE-11-SP2: SLE-11-SP3: openstack-nova SLE-11-SP2-PRODUCTS:
bugbot adjusting priority
is public
This is a follow up to the pre-OSSA for CVE-2014-0134. The attached patches changed slightly, if anyone based fixes off them they should review the updated version there: Icehouse (development branch) fix: https://review.openstack.org/82840 Havana fix: https://review.openstack.org/82841 We apologize for the inconvenience. Tristan Cacqueray OpenStack Vulnerability Management Team
Update released for: crowbar, crowbar-barclamp-ceilometer, crowbar-barclamp-ceph, crowbar-barclamp-cinder, crowbar-barclamp-crowbar, crowbar-barclamp-crowbar-devel, crowbar-barclamp-database, crowbar-barclamp-deployer, crowbar-barclamp-dns, crowbar-barclamp-glance, crowbar-barclamp-heat, crowbar-barclamp-ipmi, crowbar-barclamp-keystone, crowbar-barclamp-logging, crowbar-barclamp-network, crowbar-barclamp-neutron, crowbar-barclamp-nfs_client, crowbar-barclamp-nova, crowbar-barclamp-nova_dashboard, crowbar-barclamp-ntp, crowbar-barclamp-pacemaker, crowbar-barclamp-provisioner, crowbar-barclamp-rabbitmq, crowbar-barclamp-suse-manager-client, crowbar-barclamp-swift, crowbar-barclamp-updater, crowbar-devel, haproxy, haproxy-debuginfo, haproxy-debugsource, mongodb, mongodb-devel, openstack-ceilometer, openstack-ceilometer-agent-central, openstack-ceilometer-agent-compute, openstack-ceilometer-alarm-evaluator, openstack-ceilometer-alarm-notifier, openstack-ceilometer-api, openstack-ceilometer-collector, openstack-ceilometer-doc, openstack-ceilometer-test, openstack-dashboard, openstack-dashboard-branding-upstream, openstack-dashboard-test, openstack-keystone, openstack-keystone-doc, openstack-keystone-test, openstack-neutron, openstack-neutron-dhcp-agent, openstack-neutron-doc, openstack-neutron-ha-tool, openstack-neutron-hyperv-agent, openstack-neutron-l3-agent, openstack-neutron-lbaas-agent, openstack-neutron-linuxbridge-agent, openstack-neutron-metadata-agent, openstack-neutron-metering-agent, openstack-neutron-mlnx-agent, openstack-neutron-nec-agent, openstack-neutron-openvswitch-agent, openstack-neutron-plugin-cisco, openstack-neutron-ryu-agent, openstack-neutron-server, openstack-neutron-test, openstack-neutron-vmware-agent, openstack-neutron-vpn-agent, openstack-nova, openstack-nova-api, openstack-nova-cells, openstack-nova-cert, openstack-nova-compute, openstack-nova-conductor, openstack-nova-console, openstack-nova-consoleauth, openstack-nova-doc, openstack-nova-network, openstack-nova-novncproxy, openstack-nova-objectstore, openstack-nova-scheduler, openstack-nova-test, openstack-nova-vncproxy, openstack-resource-agents, openstack-suse, openstack-suse-macros, openstack-suse-sudo, openstack-xen-plugins, patterns-cloud, python-amqp, python-ceilometer, python-heatclient, python-heatclient-doc, python-heatclient-test, python-horizon, python-horizon-branding-upstream, python-keystone, python-neutron, python-neutronclient, python-neutronclient-test, python-nova, python-psycopg2, python-psycopg2-debuginfo, python-psycopg2-debugsource, python-psycopg2-doc, rubygem-bson-1_9, rubygem-bson-1_9-doc, rubygem-mongo, rubygem-mongo-doc, rubygem-mongo-testsuite, susecloud-admin_en-pdf, susecloud-deployment_en-pdf, susecloud-manuals_en, susecloud-user_en-pdf, yast2-crowbar Products: SUSE-CLOUD 3.0 (x86_64)
SUSE-RU-2014:0656-1: An update that solves 5 vulnerabilities and has 15 fixes is now available. Category: recommended (low) Bug References: 840255,847189,861551,863719,865733,869078,869570,870175,870898,871199,871855,872116,872361,872700,872915,873127,874171,874611,874755,876326 CVE References: CVE-2014-0056,CVE-2014-0134,CVE-2014-0157,CVE-2014-0167,CVE-2014-2828 Sources used: SUSE Cloud 3 (src): crowbar-1.7+git.1393415366.c7d7ed2-0.9.1, crowbar-barclamp-ceilometer-1.7+git.1397725532.6562e99-0.11.1, crowbar-barclamp-ceph-1.7+git.1394531703.94bc662-0.7.4, crowbar-barclamp-cinder-1.7+git.1397563537.c0e3c1f-0.7.4, crowbar-barclamp-crowbar-1.7+git.1397546986.0138729-0.7.5, crowbar-barclamp-database-1.7+git.1398437917.4d9d949-0.7.4, crowbar-barclamp-deployer-1.7+git.1395841488.9bd9b18-0.7.4, crowbar-barclamp-dns-1.7+git.1395139533.d8065e0-0.7.4, crowbar-barclamp-glance-1.7+git.1397563542.7f7adbd-0.7.4, crowbar-barclamp-heat-1.7+git.1397563528.5365573-0.7.4, crowbar-barclamp-ipmi-1.7+git.1394447661.823417e-0.7.4, crowbar-barclamp-keystone-1.7+git.1397563548.5e1f6f4-0.7.4, crowbar-barclamp-logging-1.7+git.1394447795.1352678-0.7.4, crowbar-barclamp-network-1.7+git.1397462393.b75b4a2-0.7.4, crowbar-barclamp-neutron-1.7+git.1399280715.7a6d30c-0.7.1, crowbar-barclamp-nfs_client-1.7+git.1394448673.eec60d0-0.7.4, crowbar-barclamp-nova-1.7+git.1397563532.b0a2cf3-0.7.4, crowbar-barclamp-nova_dashboard-1.7+git.1397195786.72f875c-0.7.4, crowbar-barclamp-ntp-1.7+git.1394526594.bd0925a-0.7.4, crowbar-barclamp-pacemaker-1.7+git.1399292086.c9d262e-0.7.1, crowbar-barclamp-provisioner-1.7+git.1398437839.2078a3c-0.7.1, crowbar-barclamp-rabbitmq-1.7+git.1398437927.2b9a534-0.7.4, crowbar-barclamp-suse-manager-client-1.7+git.1394449068.c91f840-0.7.4, crowbar-barclamp-swift-1.7+git.1398348658.e9aadc4-0.7.4, crowbar-barclamp-updater-1.7+git.1394449074.c15a84e-0.7.4, haproxy-1.4.24-0.9.2, mongodb-2.4.3-0.13.1, openstack-ceilometer-2013.2.4.dev3.gd7b0634-0.9.1, openstack-ceilometer-doc-2013.2.4.dev3.gd7b0634-0.9.1, openstack-dashboard-2013.2.3.dev1.g54ec015-0.7.3, openstack-keystone-2013.2.4.dev2.ge7c2987-0.7.3, openstack-keystone-doc-2013.2.4.dev2.ge7c2987-0.7.3, openstack-neutron-2013.2.3.dev38.g1b9ceaf-0.7.3, openstack-neutron-doc-2013.2.3.dev38.g1b9ceaf-0.7.3, openstack-nova-2013.2.4.dev10.g155262c-0.7.3, openstack-nova-doc-2013.2.4.dev10.g155262c-0.7.3, openstack-resource-agents-1.0+git.1392632006.9b9b934-0.7.2, openstack-suse-2013.2-0.11.2, patterns-cloud-20140224-0.21.2, python-amqp-1.2.0-0.9.1, python-heatclient-0.2.6-0.7.2, python-neutronclient-2.3.4-0.7.3, python-psycopg2-2.5.2-0.7.2, rubygem-bson-1_9-1.9.2-0.7.2, rubygem-mongo-1.9.2-0.7.2, susecloud-manuals_en-3.0-0.34.1, yast2-crowbar-2.17.35-0.7.2
cloud 3 released -> done