[OSSA 2016-001] Unprivileged api user can access host data using instance snapshot (CVE-2015-7548)
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
Mirantis OpenStack | New | High | MOS Nova | |
7.0.x | New | High | MOS Maintenance | |
Bug Description
Problem description:
There is a qcow2 format vulnerability in Nova's LibvirtDriver.
LibvirtDriver.
source_format = libvirt_
...
snapshot_
disk_path,
...
snapshot_
libvirt_
The vulnerability only exists when a user can write to a raw volume which is later erroneously detected as qcow2. This means that the vulnerability is only present on systems using the libvirt driver which have defined use_cow_
Affected versions:
MOS 7.0, upcoming 8.0 (probably)
Upstream bug report:
https:/
Solution proposal:
Merge upstream patches into MOS maintenance updates.
- https:/
- https:/
- https:/
- https:/
- https:/
- https:/
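The condition in the problem description (a raw disk whose contents would be detected as qcow2) can be audited by comparing the configured format with the first bytes of the disk. This is an added example, not Nova's code or the upstream patches; `parse_qcow2_header`, `audit_disk`, `constructed_header` and the sample bytes are hypothetical names and constructed values.

```python
import struct

QCOW2_MAGIC = b"QFI\xfb"  # first four bytes of every qcow2 image


def parse_qcow2_header(first_bytes):
    """Return version and backing-file name if the bytes start a qcow2 image, else None."""
    if len(first_bytes) < 20 or first_bytes[:4] != QCOW2_MAGIC:
        return None
    # Big-endian: u32 version, u64 backing_file_offset, u32 backing_file_size
    version, off, size = struct.unpack(">IQI", first_bytes[4:20])
    backing = None
    if off and size:
        backing = first_bytes[off:off + size].decode("utf-8", "replace")
    return {"version": version, "backing_file": backing}


def audit_disk(configured_format, first_bytes):
    """Compare the recorded disk format with what a content probe would conclude."""
    hdr = parse_qcow2_header(first_bytes)
    if configured_format != "raw" or hdr is None:
        return ("ok", None)
    # A guest controls every byte of a raw disk, so qcow2 magic here is never
    # legitimate metadata; a backing file reference is the dangerous case.
    if hdr["backing_file"]:
        return ("alert", hdr["backing_file"])
    return ("warn", None)


def constructed_header(backing_name):
    """Constructed sample: minimal qcow2-style header for exercising the audit."""
    name = backing_name.encode()
    off = 104 if name else 0  # name placed after a v3-sized header (assumption)
    head = QCOW2_MAGIC + struct.pack(">IQI", 3, off, len(name))
    return head.ljust(104, b"\0") + name


if __name__ == "__main__":
    samples = {  # all constructed
        "raw disk, ordinary data": ("raw", b"\xeb\x63\x90" + b"\0" * 509),
        "raw disk, qcow2 magic + backing ref": ("raw", constructed_header("constructed-backing.img")),
        "qcow2 disk, as configured": ("qcow2", constructed_header("")),
    }
    for label, (fmt, data) in samples.items():
        print(label, "->", audit_disk(fmt, data))
```

The audit only reports; the safe handling is to pass the configured format explicitly to any tool that reads the disk rather than letting it probe the contents.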
CVE References
Changed in mos:
importance: Undecided → High
milestone: none → 8.0
assignee: nobody → MOS Nova (mos-nova)