[OSSA 2016-001] Nova host data leak through snapshot

Bug #1530927 reported by Roman Podoliaka
This bug affects 2 people
Affects             Status        Importance  Assigned to       Milestone
Mirantis OpenStack  Fix Released  High        MOS Nova
5.1.x               Fix Released  High        Alexey Stupnikov
6.0.x               Fix Released  High        Alexey Stupnikov
6.1.x               Fix Released  High        Alexey Stupnikov
7.0.x               Fix Released  High        Alexey Stupnikov
8.0.x               Fix Released  High        MOS Nova
9.x                 Fix Released  High        MOS Nova

Bug Description

Upstream bug: https://launchpad.net/bugs/1524274

By overwriting the disk inside an instance with a malicious
image and requesting a snapshot, an authenticated user would be able to
read an arbitrary file from the compute host. Note that the host file
needs to be readable by the nova user to be exposed except when using
lvm for instance storage, when all files readable by root are exposed.
Only setups using libvirt to spawn instances are vulnerable. Of these,
setups which use filesystem storage, and do not set "use_cow_images =
False" in Nova configuration are not affected. Setups which use ceph or
lvm for instance storage, and setups which use filesystem storage with
"use_cow_images = False" are all affected.

CVE-2015-7548

Tags: area-nova
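
The affected-configuration matrix in the description can be checked mechanically. The following is an added example, not part of the bug report or of Nova: it classifies a nova.conf according to that matrix. It assumes the standard Nova options `compute_driver` and `[libvirt] images_type`, which the report does not name, and treats `images_type = raw` as equivalent to `use_cow_images = False`.

```python
import configparser

# Constructed nova.conf fragments for illustration (not from the bug report).
SAMPLES = {
    "file-cow": "[DEFAULT]\ncompute_driver = libvirt.LibvirtDriver\n",
    "file-raw": "[DEFAULT]\ncompute_driver = libvirt.LibvirtDriver\n"
                "use_cow_images = False\n",
    "ceph": "[DEFAULT]\ncompute_driver = libvirt.LibvirtDriver\n"
            "[libvirt]\nimages_type = rbd\n",
    "lvm": "[DEFAULT]\ncompute_driver = libvirt.LibvirtDriver\n"
           "use_cow_images = True\n[libvirt]\nimages_type = lvm\n",
    "other-driver": "[DEFAULT]\ncompute_driver = fake.FakeDriver\n",
}


def exposure(conf_text):
    """Return (verdict, reason) for one nova.conf, following the advisory text."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(conf_text)

    driver = cp.get("DEFAULT", "compute_driver", fallback="").strip()
    if not driver:
        return "unknown", "compute_driver not set here; check the deployed default"
    if "libvirt" not in driver.lower():
        return "not-affected", "instances are not spawned through libvirt"

    # Assumption: [libvirt] images_type selects the instance storage backend,
    # and "default" defers to use_cow_images (which defaults to True).
    backend = cp.get("libvirt", "images_type", fallback="default").strip().lower()
    if backend == "lvm":
        return "affected", "lvm storage: files readable by root are exposed"
    if backend == "rbd":
        return "affected", "ceph storage: files readable by the nova user are exposed"

    cow = cp.getboolean("DEFAULT", "use_cow_images", fallback=True)
    if backend == "raw" or (backend == "default" and not cow):
        return "affected", "filesystem storage without CoW images"
    if backend == "qcow2" or (backend == "default" and cow):
        return "not-affected", "filesystem storage with CoW images"
    return "unknown", "images_type %r is not covered by the advisory" % backend


if __name__ == "__main__":
    for name, text in SAMPLES.items():
        verdict, reason = exposure(text)
        print("%-13s %-13s %s" % (name, verdict, reason))
```

An "affected" verdict only describes the configuration; whether a node is still exposed depends on whether the fixed Nova packages are installed.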

Roman Podoliaka (rpodolyaka) wrote :
summary: - Nova host data leak through snapshot
+ [OSSA 2016-001] Nova host data leak through snapshot
description: updated
Alexey Stupnikov (astupnikov) wrote :

Python tests will not be fixed for mos 6.0 according to bug #1544852.

Anna Babich (ababich)
tags: added: on-verification
Anna Babich (ababich) wrote :

Verified on:
VERSION:
  feature_groups:
    - mirantis
  production: "docker"
  release: "8.0"
  api: "1.0"
  build_number: "512"
  build_id: "512"

Steps for reproducing have been taken from the upstream bug's description (https://bugs.launchpad.net/nova/+bug/1524274).
Mounting the downloaded passwd image and analyzing the contents of /etc/passwd on it has shown that this file didn't contain information from the /etc/passwd file of the compute node.

tags: removed: on-verification
information type: Private Security → Public Security
Anna Babich (ababich)
tags: added: on-verification
Anna Babich (ababich) wrote :

Verified on: (env with Cinder LVM)
[root@nailgun ~]# shotgun2 short-report
cat /etc/fuel_build_id:
 128
cat /etc/fuel_build_number:
 128
cat /etc/fuel_release:
 9.0
cat /etc/fuel_openstack_version:
 liberty-9.0
rpm -qa | egrep 'fuel|astute|network-checker|nailgun|packetary|shotgun':
 fuel-release-9.0.0-1.mos6318.noarch
 rubygem-astute-9.0.0-1.mos730.noarch
 fuel-library9.0-9.0.0-1.mos8207.noarch
 fuelmenu-9.0.0-1.mos263.noarch
 fuel-agent-9.0.0-1.mos269.noarch
 fuel-ui-9.0.0-1.mos2624.noarch
 fuel-migrate-9.0.0-1.mos8207.noarch
 nailgun-mcagents-9.0.0-1.mos730.noarch
 fuel-misc-9.0.0-1.mos8207.noarch
 shotgun-9.0.0-1.mos85.noarch
 python-packetary-9.0.0-1.mos128.noarch
 fuel-bootstrap-cli-9.0.0-1.mos269.noarch
 fuel-provisioning-scripts-9.0.0-1.mos8588.noarch
 fuel-mirror-9.0.0-1.mos128.noarch
 fuel-openstack-metadata-9.0.0-1.mos8588.noarch
 fuel-notify-9.0.0-1.mos8207.noarch
 fuel-setup-9.0.0-1.mos6318.noarch
 python-fuelclient-9.0.0-1.mos297.noarch
 network-checker-9.0.0-1.mos72.x86_64
 fuel-9.0.0-1.mos6318.noarch
 fuel-utils-9.0.0-1.mos8207.noarch
 fuel-nailgun-9.0.0-1.mos8588.noarch
 fuel-ostf-9.0.0-1.mos919.noarch
[root@nailgun ~]#

tags: removed: on-verification
tags: added: on-verification
Ekaterina Shutova (eshutova) wrote :

Verified on MOS 7.0 + MU3.

Steps for reproduction are specified in the upstream bug. The downloaded image doesn't contain information from the /etc/passwd file of the compute node.

tags: removed: on-verification