Nova libvirt driver live migration should sanitize target host
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
OpenStack Compute (nova) | Fix Released | Medium | Karen Noel |
OpenStack Security Advisory | Invalid | Undecided | Grant Murphy |
Bug Description
In nova, an administrator can specify the target host for a libvirt live migrate action.
This host is formatted into a base string (default=
https:/
and then passed directly to libvirt as a target URI:
https:/
dom.migrateToUR
The host does not appear to be validated, stripped, or otherwise checked to make sure that the value is reasonable. This allows an admin to attempt to migrate an instance out of a cloud (which may or may not be a security issue). Much more importantly, libvirt's URI format accepts many parameters in this URI, some of which allow execution of arbitrary commands at the same privilege level as libvirt.
http://
Due to later checks it does not appear to be exploitable, but it should nevertheless be fixed to avoid future issues.
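A check of the kind the report asks for, written as an added example (it is not nova's code or the fix that was merged): the target host is accepted only if it is a bare hostname or IP literal, and the formatted URI is re-parsed to confirm nothing but the host differs from the template. The template string and the function names are assumptions made for illustration.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed template for illustration; not taken from the bug report.
SAMPLE_TEMPLATE = "qemu+tcp://%s/system"

# One DNS label: letters, digits, hyphens, no leading or trailing hyphen.
_LABEL = re.compile(r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)")


def is_valid_target_host(host):
    """Accept only a bare hostname or an IP address literal."""
    if not isinstance(host, str) or not host or len(host) > 253:
        return False
    try:
        ipaddress.ip_address(host)
    except ValueError:
        # fullmatch, not match with "$", so a trailing newline is rejected.
        return all(_LABEL.fullmatch(part) for part in host.split("."))
    return "%" not in host  # refuse IPv6 zone identifiers


def _shape(parts):
    # Every URI component except the hostname.
    return (parts.scheme, parts.username, parts.password, parts.port,
            parts.path, parts.query, parts.fragment)


def build_migration_uri(template, host):
    """Format host into template; refuse input that alters the URI."""
    if not is_valid_target_host(host):
        raise ValueError("invalid migration target host: %r" % (host,))
    # An IPv6 literal must be bracketed inside a URI authority.
    authority = "[%s]" % host if ":" in host else host
    uri = template % authority
    # Defence in depth: re-parse and compare against the template's shape.
    got, want = urlsplit(uri), urlsplit(template % "placeholder")
    if _shape(got) != _shape(want) or got.hostname != host.lower():
        raise ValueError("target host changed the URI structure")
    return uri


if __name__ == "__main__":
    # Constructed inputs: two plain hosts and one that carries URI syntax.
    for h in ("compute2.example.org", "2001:db8::1", "compute2?extra=1"):
        try:
            print(h, "->", build_migration_uri(SAMPLE_TEMPLATE, h))
        except ValueError as exc:
            print(h, "-> rejected:", exc)
```

Validating against an allowlist of known compute hosts, where the deployment has one, is stricter than this syntactic check and also addresses migration to a host outside the cloud.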
description: updated
description: updated
Changed in ossa:
status: New → Confirmed
summary:
- Libvirt live migration host allows command injection
+ Libvirt live migration host allows command injection (CVE-2014-0070)
Changed in ossa:
status: Confirmed → In Progress
assignee: nobody → Grant Murphy (gmurphy)
Changed in nova:
status: Confirmed → Incomplete
Changed in ossa:
importance: Critical → Undecided
status: In Progress → Incomplete
summary:
Nova libvirt driver live migration allows command injection - (CVE-2014-0070)
summary:
- Nova libvirt driver live migration allows command injection
+ Nova libvirt driver live migration should sanitize target host
description: updated
Changed in ossa:
status: Incomplete → Invalid
no longer affects: nova/havana
no longer affects: nova/grizzly
Changed in nova:
milestone: icehouse-3 → none
importance: Critical → Medium
status: Incomplete → Confirmed
information type: Private Security → Public
Changed in nova:
milestone: none → juno-3
status: Fix Committed → Fix Released
Changed in nova:
milestone: juno-3 → 2014.2
Ouch.
Paul - Just to be clear, for the remote code execution the % dest is a user-controlled parameter?