Bugzilla – Bug 899198
VUL-0: CVE-2014-3641: openstack-cinder: Cinder-volume host data leak to vm instance
Last modified: 2015-03-05 08:02:41 UTC
via direct contact, embargoed until Oct 2nd 2014, 1500UTC

This is an advance warning of a vulnerability discovered in OpenStack, to give you, as downstream stakeholders, a chance to coordinate the release of fixes and reduce the vulnerability window. Please treat the following information as confidential until the proposed public disclosure date.

Title: Cinder-volume host data leak to vm instance
Reporter: Duncan Thomas (HP)
Products: Cinder
Versions: up to 2014.1.2

Description:
Duncan Thomas from Hewlett Packard reported a vulnerability in Cinder GlusterFS and Linux Smbfs driver. By overwriting a volume from within an instance with a malicious qcow2 header, an authenticated user may be able to clone and attach that corrupted volume resulting in affected drivers leaking an arbitrary file from the Cinder-volume host to the virtual instance. Note that the host file must be readable by the Cinder context to be exposed. Only Cinder setups using GlusterFS volume driver configured with glusterfs_qcow2_volumes=False (which is the default) or Cinder setups using Smbfs volume driver configured with smbfs_default_volume_format=raw (which is not the default) are affected.

Proposed patch:
See attached patches. Unless a flaw is discovered in them, these patches will be merged to stable/icehouse and master (Juno Development branch) on the public disclosure date.

CVE: CVE-2014-3641

Proposed public disclosure date/time: 2014-10-02, 1500UTC
Please do not make the issue public (or release public patches) before this coordinated embargo date.

Regards,
--
Tristan Cacqueray
OpenStack Vulnerability Management Team
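An added example, not part of the advisory or of the Cinder patches: a check an operator could run over the leading bytes of a volume file that the driver is configured to treat as raw, reporting whether those bytes parse as a qcow2 header and which backing file the header names. The function names and sample bytes are constructed for illustration; the header layout is the published qcow2 format.

```python
import struct

QCOW2_MAGIC = b"QFI\xfb"
# Start of a qcow2 header, big-endian: magic, version,
# backing_file_offset (u64), backing_file_size (u32).
HEADER = struct.Struct(">4sIQI")


def inspect_raw_volume(data):
    """Report whether bytes from a volume expected to be raw parse as qcow2.

    `data` is the leading bytes of the volume file (a few KiB is enough).
    """
    result = {"looks_qcow2": False, "version": None,
              "backing_file": None, "truncated": False}
    if len(data) < HEADER.size:
        return result
    magic, version, bf_offset, bf_size = HEADER.unpack_from(data)
    if magic != QCOW2_MAGIC:
        return result
    result.update(looks_qcow2=True, version=version)
    if bf_offset and bf_size:
        name = data[bf_offset:bf_offset + bf_size]
        # The name may lie beyond the bytes we were given; say so
        # instead of reporting a partial path as if it were complete.
        result["truncated"] = len(name) < bf_size
        result["backing_file"] = name.decode("utf-8", "replace")
    return result


def constructed_samples():
    """Constructed test inputs: a zero-filled raw prefix and a header-only
    qcow2 prefix naming a placeholder backing file."""
    name = b"constructed-backing-name"
    qcow2 = HEADER.pack(QCOW2_MAGIC, 2, 72, len(name)).ljust(72, b"\0") + name
    return {"raw": b"\0" * 512, "qcow2_with_backing": qcow2}


if __name__ == "__main__":
    for label, blob in constructed_samples().items():
        print(label, inspect_raw_volume(blob))
```

A volume that is supposed to be raw but reports `looks_qcow2` with a `backing_file` matches the condition the advisory describes and should be reviewed before it is cloned or attached.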
Created attachment 608540: cve-2014-3641-master-juno.patch
Created attachment 608541: cve-2014-3641-stable-icehouse.patch
Affected packages:
SLE-11-SP3-CL4: openstack-cinder
SLE-11-SP3-UPTU: openstack-cinder
Created attachment 608636: cve-2014-3641-master-juno-windows-smbfs.patch
received an incremental patch that makes smbfs work again
bugbot adjusting priority
https://bugs.launchpad.net/cinder/+bug/1350504
https://review.openstack.org/#/q/Ic89cffc93940b7b119cfcde3362f304c9f2875df,n,z
SUSE-SU-2014:1467-1: An update that solves three vulnerabilities and has two fixes is now available.
Category: security (low)
Bug References: 883950,894055,897815,899190,899198
CVE References: CVE-2014-3641,CVE-2014-7230,CVE-2014-7231
Sources used:
SUSE Cloud 4 (src): openstack-cinder-2014.1.4.dev19.g80c0054-0.7.1, openstack-cinder-doc-2014.1.4.dev19.g80c0054-0.7.1
cloud 4 fixed, cloud 5 hopefully too.