Bug 1207321 (CVE-2022-47951) - VUL-0: CVE-2022-47951: openstack-cinder, openstack-glance, openstack-nova: arbitrary file access through custom VMDK flat descriptor
Status: RESOLVED FIXED
Alias: CVE-2022-47951
Product: SUSE Security Incidents
Classification: Novell Products
Component: General
Version: unspecified
Hardware: Other Other
Importance: P3 - Medium : Normal
Target Milestone: ---
Assignee: Security Team bot
QA Contact: Security Team bot
URL:
Whiteboard: CVSSv3.1:SUSE:CVE-2022-47951:8.8:(AV:...
Keywords:
Depends on:
Blocks:
 
Reported: 2023-01-20 07:32 UTC by Thomas Leroy
Modified: 2024-06-07 07:42 UTC

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Comment 5 Thomas Leroy 2023-01-24 16:14:04 UTC
Public in oss-sec:

=======================================================================
OSSA-2023-002: Arbitrary file access through custom VMDK flat descriptor
========================================================================

:Date: January 24, 2023
:CVE: CVE-2022-47951


Affects
~~~~~~~
- Cinder, glance, nova:
  Cinder <19.1.2, >=20.0.0 <20.0.2, ==21.0.0;
  Glance <23.0.1, >=24.0.0 <24.1.1, ==25.0.0;
  Nova <24.1.2, >=25.0.0 <25.0.2, ==26.0.0


Description
~~~~~~~~~~~
Guillaume Espanel, Pierre Libeau, Arnaud Morin and Damien Rannou
(OVH) reported a vulnerability in VMDK image processing for Cinder,
Glance and Nova. By supplying a specially created VMDK flat image
which references a specific backing file path, an authenticated user
may convince systems to return a copy of that file's contents from
the server resulting in unauthorized access to potentially sensitive
data. All Cinder deployments are affected; only Glance deployments
with image conversion enabled are affected; all Nova deployments are
affected.


Patches
~~~~~~~
- https://review.opendev.org/871631 (Train(cinder))
- https://review.opendev.org/871630 (Train(glance))
- https://review.opendev.org/871629 (Ussuri(cinder))
- https://review.opendev.org/871626 (Ussuri(glance))
- https://review.opendev.org/871628 (Victoria(cinder))
- https://review.opendev.org/871623 (Victoria(glance))
- https://review.opendev.org/871627 (Wallaby(cinder))
- https://review.opendev.org/871621 (Wallaby(glance))
- https://review.opendev.org/871625 (Xena(cinder))
- https://review.opendev.org/871619 (Xena(glance))
- https://review.opendev.org/871622 (Xena(nova))
- https://review.opendev.org/871620 (Yoga(cinder))
- https://review.opendev.org/871617 (Yoga(glance))
- https://review.opendev.org/871624 (Yoga(nova))
- https://review.opendev.org/871618 (Zed(cinder))
- https://review.opendev.org/871614 (Zed(glance))
- https://review.opendev.org/871616 (Zed(nova))
- https://review.opendev.org/871615 (2023.1/antelope(cinder))
- https://review.opendev.org/871613 (2023.1/antelope(glance))
- https://review.opendev.org/871612 (2023.1/antelope(nova))


Credits
~~~~~~~
- Guillaume Espanel from OVH (CVE-2022-47951)
- Pierre Libeau from OVH (CVE-2022-47951)
- Arnaud Morin from OVH (CVE-2022-47951)
- Damien Rannou from OVH (CVE-2022-47951)


References
~~~~~~~~~~
- https://launchpad.net/bugs/1996188
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-47951


Notes
~~~~~
- The stable/wallaby, stable/victoria, stable/ussuri, and
  stable/train branches are under extended maintenance and will
  receive no new point releases, but patches for them are provided
  as a courtesy where possible.

-- 
Jeremy Stanley
OpenStack Vulnerability Management Team
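
An added example, not code from the advisory or from the OpenStack patches: a fail-closed check on `qemu-img info --output=json` output that refuses VMDK images whose create-type lets the descriptor point at a separate file, as the Description above outlines. The allow-list values, the function and class names, and both sample JSON documents are assumptions constructed for illustration.

```python
import json

# Assumption: create-types that keep all data inside the uploaded file, so the
# converter never opens a second file named by the descriptor.
ALLOWED_CREATE_TYPES = frozenset({"streamOptimized", "monolithicSparse"})


class UnsafeImage(Exception):
    """The image must not be handed to a converter."""


def check_vmdk(info_json, allowed=ALLOWED_CREATE_TYPES):
    """Vet `qemu-img info --output=json` output before any conversion.

    Returns the create-type of an acceptable VMDK, or None for other formats.
    """
    info = json.loads(info_json)
    if info.get("format") != "vmdk":
        return None
    if info.get("backing-filename"):
        raise UnsafeImage("VMDK references a backing file")
    data = info.get("format-specific", {}).get("data", {})
    create_type = data.get("create-type")
    # Fail closed: a missing or unlisted create-type is rejected as well.
    if create_type not in allowed:
        extents = [e.get("filename") for e in data.get("extents", [])]
        raise UnsafeImage(
            f"VMDK create-type {create_type!r} not allowed, extents={extents}")
    return create_type


# Constructed samples shaped like qemu-img's JSON report (not real output).
SAMPLE_FLAT = json.dumps({"format": "vmdk", "format-specific": {"type": "vmdk", "data": {
    "create-type": "monolithicFlat",
    "extents": [{"format": "FLAT", "filename": "<file-named-by-descriptor>"}]}}})
SAMPLE_STREAM = json.dumps({"format": "vmdk", "format-specific": {"type": "vmdk", "data": {
    "create-type": "streamOptimized",
    "extents": [{"format": "SPARSE", "filename": "upload.vmdk"}]}}})

if __name__ == "__main__":
    for name, sample in (("flat", SAMPLE_FLAT), ("stream", SAMPLE_STREAM)):
        try:
            print(name, "accepted:", check_vmdk(sample))
        except UnsafeImage as exc:
            print(name, "rejected:", exc)
```

Run the check on the file as uploaded, before `qemu-img convert` or any other step that would follow the descriptor's references.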
Comment 15 Maintenance Automation 2023-03-21 16:30:54 UTC
SUSE-SU-2023:0844-1: An update that solves one vulnerability can now be installed.

Category: security (important)
Bug References: 1207321
CVE References: CVE-2022-47951
Sources used:
SUSE OpenStack Cloud 9 (src): venv-openstack-nova-18.3.1~dev92-3.45.1, venv-openstack-manila-7.4.2~dev60-3.43.1, openstack-cinder-13.0.10~dev24-3.37.2, venv-openstack-swift-2.19.2~dev48-2.32.1, venv-openstack-monasca-2.7.1~dev10-3.39.1, venv-openstack-barbican-7.0.1~dev24-3.39.1, openstack-nova-18.3.1~dev92-3.46.1, venv-openstack-octavia-3.2.3~dev7-4.37.1, venv-openstack-neutron-13.0.8~dev209-6.45.1, openstack-glance-17.0.1~dev30-3.6.2, venv-openstack-sahara-9.0.2~dev15-3.37.1, venv-openstack-designate-7.0.2~dev2-3.37.1, venv-openstack-horizon-14.1.1~dev11-4.45.1, venv-openstack-glance-17.0.1~dev30-3.35.1, python-oslo.utils-3.36.5-3.6.1, venv-openstack-cinder-13.0.10~dev24-3.40.1, venv-openstack-keystone-14.2.1~dev9-3.38.1, venv-openstack-magnum-7.2.1~dev1-4.37.1, venv-openstack-monasca-ceilometer-1.8.2~dev3-3.37.1, openstack-neutron-gbp-14.0.1~dev58-3.40.1, venv-openstack-ironic-11.1.5~dev18-4.35.1, venv-openstack-heat-11.0.4~dev4-3.39.1
SUSE OpenStack Cloud Crowbar 9 (src): openstack-nova-18.3.1~dev92-3.46.1, python-oslo.utils-3.36.5-3.6.1, openstack-cinder-13.0.10~dev24-3.37.2, openstack-neutron-gbp-14.0.1~dev58-3.40.1, openstack-glance-17.0.1~dev30-3.6.2

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 17 Maintenance Automation 2023-04-21 16:30:01 UTC
SUSE-SU-2023:1949-1: An update that solves one vulnerability can now be installed.

Category: security (important)
Bug References: 1207321
CVE References: CVE-2022-47951
Sources used:
HPE Helion OpenStack 8 (src): venv-openstack-trove-8.0.2~dev2-11.42.1, venv-openstack-ceilometer-9.0.8~dev7-12.40.1, venv-openstack-heat-9.0.8~dev22-12.47.1, venv-openstack-neutron-11.0.9~dev69-13.48.1, python-oslo.utils-3.28.4-3.9.1, openstack-nova-16.1.9~dev92-3.51.2, venv-openstack-sahara-7.0.5~dev4-11.42.1, openstack-cinder-doc-11.2.3~dev29-3.31.1, venv-openstack-barbican-5.0.2~dev3-12.45.1, venv-openstack-murano-4.0.2~dev3-12.40.1, venv-openstack-monasca-2.2.2~dev1-11.47.1, venv-openstack-keystone-12.0.4~dev11-11.47.1, venv-openstack-horizon-hpe-12.0.5~dev6-14.50.1, venv-openstack-cinder-11.2.3~dev29-14.44.1, venv-openstack-swift-2.15.2_2.15.2_2.15.2~dev32-11.33.1, venv-openstack-nova-16.1.9~dev92-11.46.1, venv-openstack-designate-5.0.3~dev7-12.41.1, venv-openstack-ironic-9.1.8~dev8-12.43.1, openstack-nova-doc-16.1.9~dev92-3.51.1, venv-openstack-octavia-1.0.6~dev3-12.43.1, venv-openstack-freezer-5.0.0.0~xrc2~dev2-10.38.1, venv-openstack-monasca-ceilometer-1.5.1_1.5.1_1.5.1~dev3-8.38.1, venv-openstack-magnum-5.0.2_5.0.2_5.0.2~dev31-11.42.1, venv-openstack-glance-15.0.3~dev3-12.41.1, venv-openstack-manila-5.1.1~dev5-12.47.1, openstack-cinder-11.2.3~dev29-3.31.2, venv-openstack-aodh-5.1.1~dev7-12.42.1
SUSE OpenStack Cloud 8 (src): venv-openstack-trove-8.0.2~dev2-11.42.1, venv-openstack-ceilometer-9.0.8~dev7-12.40.1, venv-openstack-heat-9.0.8~dev22-12.47.1, venv-openstack-neutron-11.0.9~dev69-13.48.1, python-oslo.utils-3.28.4-3.9.1, openstack-nova-16.1.9~dev92-3.51.2, venv-openstack-sahara-7.0.5~dev4-11.42.1, openstack-cinder-doc-11.2.3~dev29-3.31.1, venv-openstack-barbican-5.0.2~dev3-12.45.1, venv-openstack-murano-4.0.2~dev3-12.40.1, venv-openstack-monasca-2.2.2~dev1-11.47.1, venv-openstack-keystone-12.0.4~dev11-11.47.1, venv-openstack-cinder-11.2.3~dev29-14.44.1, venv-openstack-horizon-12.0.5~dev6-14.50.2, venv-openstack-nova-16.1.9~dev92-11.46.1, venv-openstack-swift-2.15.2_2.15.2_2.15.2~dev32-11.33.1, venv-openstack-designate-5.0.3~dev7-12.41.1, venv-openstack-ironic-9.1.8~dev8-12.43.1, openstack-nova-doc-16.1.9~dev92-3.51.1, venv-openstack-octavia-1.0.6~dev3-12.43.1, venv-openstack-freezer-5.0.0.0~xrc2~dev2-10.38.1, venv-openstack-monasca-ceilometer-1.5.1_1.5.1_1.5.1~dev3-8.38.1, venv-openstack-magnum-5.0.2_5.0.2_5.0.2~dev31-11.42.1, venv-openstack-glance-15.0.3~dev3-12.41.1, venv-openstack-manila-5.1.1~dev5-12.47.1, openstack-cinder-11.2.3~dev29-3.31.2, venv-openstack-aodh-5.1.1~dev7-12.42.1
SUSE OpenStack Cloud Crowbar 8 (src): python-oslo.utils-3.28.4-3.9.1, openstack-nova-doc-16.1.9~dev92-3.51.1, openstack-nova-16.1.9~dev92-3.51.2, openstack-cinder-11.2.3~dev29-3.31.2, openstack-cinder-doc-11.2.3~dev29-3.31.1
