Bug 960601 (CVE-2015-7548) - VUL-0: CVE-2015-7548: openstack-nova: Nova host data leak through snapshot
Status: RESOLVED FIXED
Alias: CVE-2015-7548
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
Priority: P3 - Medium; Severity: Normal
Target Milestone: ---
Assignee: Bernhard Wiedemann
QA Contact: Security Team bot
Whiteboard: CVSSv2:RedHat:CVE-2015-7548:6.3:(AV:N...
Reported: 2016-01-04 16:23 UTC by Johannes Segitz
Modified: 2018-04-26 14:43 UTC
Description Johannes Segitz 2016-01-04 16:23:21 UTC
Created attachment 660748
Collection of patches

This is an advance warning of a vulnerability discovered in OpenStack,
to give you, as downstream stakeholders, a chance to coordinate the
release of fixes and reduce the vulnerability window. Please treat the
following information as confidential until the proposed public
disclosure date.

Title: Nova host data leak through snapshot
Reporter: Matthew Booth (Red Hat)
Products: Nova
Versions: <=2015.1.2, ==12.0.0

Description:
Matthew Booth from Red Hat reported a vulnerability in Nova instance
snapshot. By overwriting the disk inside an instance with a malicious
image and requesting a snapshot, an authenticated user would be able to
read an arbitrary file from the compute host. Note that the host file
needs to be readable by the nova user to be exposed except when using
lvm for instance storage, when all files readable by root are exposed.
Only setups using libvirt to spawn instances are vulnerable. Of these,
setups which use filesystem storage, and do not set "use_cow_images =
False" in Nova configuration are not affected. Setups which use ceph or
lvm for instance storage, and setups which use filesystem storage with
"use_cow_images = False" are all affected.

Proposed patch:
See attached patches. Unless a flaw is discovered in them, these patches
will be merged to stable/kilo, stable/liberty and master on the public
disclosure date.

CRD: 2016-01-07 1500 UTC
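
The affected-setup rules in the description above can be checked against a compute node's nova.conf. The following is an added example, not part of the bug report or of OpenStack. It assumes the Nova options `compute_driver` and `[libvirt] images_type` (only `use_cow_images` is named in the report), and it does not check the installed Nova version against the affected versions listed above.

```python
import configparser

def assess_nova_conf(text):
    """Classify one nova.conf (as a string) against the advisory's affected setups."""
    # interpolation=None: nova.conf values may contain literal '%' characters.
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)

    # "Only setups using libvirt to spawn instances are vulnerable."
    driver = cp.get("DEFAULT", "compute_driver", fallback="")
    if "libvirt" not in driver.lower():
        return "not affected", "compute driver is not libvirt"

    # Assumption of this example: [libvirt] images_type selects the storage
    # backend (rbd = ceph, lvm, raw/qcow2 = filesystem) and "default" defers
    # to use_cow_images, which is True unless set otherwise.
    images_type = cp.get("libvirt", "images_type", fallback="default").strip().lower()
    use_cow = cp.getboolean("DEFAULT", "use_cow_images", fallback=True)

    if images_type == "rbd":
        return "affected", "ceph instance storage"
    if images_type == "lvm":
        return "affected", "lvm instance storage (files readable by root exposed)"
    if images_type == "raw" or (images_type == "default" and not use_cow):
        return "affected", "filesystem storage without copy-on-write images"
    if images_type in ("qcow2", "default"):
        return "not affected", "filesystem storage with copy-on-write images"
    return "unknown", "unrecognised images_type %r" % images_type


# Constructed sample configurations, not taken from any real deployment.
SAMPLES = {
    "cow-default": "[DEFAULT]\ncompute_driver = libvirt.LibvirtDriver\n",
    "raw-files": "[DEFAULT]\ncompute_driver = libvirt.LibvirtDriver\nuse_cow_images = False\n",
    "ceph": "[DEFAULT]\ncompute_driver = libvirt.LibvirtDriver\n[libvirt]\nimages_type = rbd\n",
    "lvm": "[DEFAULT]\ncompute_driver = libvirt.LibvirtDriver\n[libvirt]\nimages_type = lvm\n",
}

if __name__ == "__main__":
    for name, conf in SAMPLES.items():
        verdict, reason = assess_nova_conf(conf)
        print("%-12s %-13s %s" % (name, verdict, reason))
```
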
Comment 1 Swamp Workflow Management 2016-01-04 23:01:01 UTC
bugbot adjusting priority
Comment 2 Johannes Segitz 2016-01-08 13:37:40 UTC
public
http://www.openwall.com/lists/oss-security/2016/01/07/6
Comment 3 Benjamin Brunner 2016-01-14 16:30:27 UTC
We currently have a running update for openstack-nova for the SLE12-compute node which is not in QA yet. Can we already merge the fix to the running update?
Comment 5 Vincent Untz 2016-02-08 16:49:10 UTC
Bernhard: do you have time to backport the fixes to Juno? Or would you like someone else to do that?
Comment 6 Bernhard Wiedemann 2016-02-23 16:38:08 UTC
backported 3 patches to stable/juno and added them to Juno:Staging package
Comment 8 Swamp Workflow Management 2016-09-16 16:11:47 UTC
SUSE-SU-2016:2325-1: An update that solves two vulnerabilities and has two fixes is now available.

Category: security (moderate)
Bug References: 929628,960015,960601,967356
CVE References: CVE-2015-3646,CVE-2015-7548
Sources used:
SUSE OpenStack Cloud 5 (src):    openstack-keystone-2014.2.4.juno-17.1, openstack-keystone-doc-2014.2.4.juno-17.2, openstack-nova-2014.2.4.juno-29.1, openstack-nova-doc-2014.2.4.juno-29.1, openstack-swift-2.1.0-14.1, openstack-swift-doc-2.1.0-14.1
Comment 9 Johannes Segitz 2017-08-15 10:53:39 UTC
fixed in current products