Comment 16 for bug 1350504
Revision history for this message
| Tristan Cacqueray (tristan-cacqueray) wrote Re: GlusterFS driver uses unsafe qcow2 format detection | #16 |
© 2004
Canonical Ltd.
•
Terms of use
•
Data privacy
•
Contact Launchpad Support
•
Blog
•
Careers
•
System status
•
73416ba
(Get the code!)
Thanks for the additional details!
Here is impact description draft #2:
Title: Cinder-volume host data leak to vm instance
Reporter: Duncan Thomas (HP)
Products: Cinder
Versions: up to 2013.2.3 and 2014.1 versions up to 2014.1.2
Description:
Duncan Thomas from Hewlett Packard reported a vulnerability in Cinder GlusterFS driver. By overwriting a volume from within an instance with a malicious qcow2 header, an authenticated user may be able to clone and attach that corrupted volume resulting in GlusterFS driver leaking an arbitrary file from the Cinder-volume host to the virtual instance. Note that the host file must be readable by the Cinder context to be exposed. Only Cinder setups using GlusterFS volume driver configured with glusterfs_