Openstack Security Advisory: OSSA-2023-002: Arbitrary file access through custom VMDK flat descriptor

Bug #2006135 reported by Michel Thebeau [WIND]
Affects: StarlingX
Status: Fix Released
Importance: Medium
Assigned to: Thales Elero Cervi
Milestone:

Bug Description

Brief Description
-----------------
There is a new Openstack Security Advisory: https://security.openstack.org/ossa/OSSA-2023-002.html for Glance, Nova and Cinder. The advisory lists patches for Glance and Cinder back to Train, and patches for Nova back to Xena.

It is not confirmed that Starlingx is impacted.

Severity
--------
Medium: Security Issue

Steps to Reproduce
------------------
N/A

Expected Behavior
------------------
N/A

Actual Behavior
----------------
N/A

Reproducibility
---------------
Reproducible

System Configuration
--------------------
N/A

Branch/Pull Time/Commit
-----------------------
stx main branch

Last Pass
---------
N/A

Timestamp/Logs
--------------
N/A

Test Activity
-------------
Security vulnerabilities review

Workaround
----------
None

Ghada Khalil (gkhalil) wrote :

Assigning to Thales for review by the stx-openstack team

tags: added: stx.distro.openstack stx.security
information type: Private Security → Public Security
Changed in starlingx:
assignee: nobody → Thales Elero Cervi (tcervi)
Thales Elero Cervi (tcervi) wrote :

Next StarlingX release (stx.9.0) will deliver an stx-openstack application with OpenStack Antelope based images generated on top of the `stable/2023.1` branch and all affected services have a fix for this on this branch:

* Cinder: https://opendev.org/openstack/cinder/commit/1186f5d9f4ef7a0aa8bf6d865c1f42843fe91eaa
Code can be found on `stable/2023.1` branch: https://opendev.org/openstack/cinder/src/branch/stable/2023.1/cinder/image/image_utils.py#L83

* Glance: https://opendev.org/openstack/glance/commit/907c56265438da43c13bf1a3369d5459b1267e34
Code can be found on `stable/2023.1` branch: https://opendev.org/openstack/glance/src/branch/stable/2023.1/glance/async_/flows/plugins/image_conversion.py#L120

* Nova: https://opendev.org/openstack/nova/commit/e90e58e7f918baa3b461353f333f837eafbd8411
Code can be found on `stable/2023.1` branch: https://opendev.org/openstack/nova/src/branch/stable/2023.1/nova/conf/compute.py#L1019

tags: added: stx.9.0
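An added validation check, not code from StarlingX or from the upstream commits listed above, illustrating the kind of guard those fixes place in front of image conversion. It assumes the JSON shape of `qemu-img info --output=json` and an allowlist `VMDK_ALLOWED_TYPES` that is assumed to mirror the upstream default; `validate_image` and the sample inputs are constructed for this example.

```python
import json
import subprocess

# Allowed VMDK subformats. Assumption: this mirrors the allowlist the upstream
# fixes introduced (Nova's [compute]vmdk_allowed_types and the equivalent checks
# in Cinder and Glance); confirm it against your deployed configuration.
VMDK_ALLOWED_TYPES = ("streamOptimized", "monolithicSparse")


def qemu_img_info(path):
    """Run qemu-img on a real file; helper for interactive use, not exercised here."""
    return subprocess.check_output(
        ["qemu-img", "info", "--output=json", path], text=True)


def validate_image(claimed_format, info_json, allowed=VMDK_ALLOWED_TYPES):
    """Return (ok, reason) for an image that is about to be converted.

    Rejects a detected format that differs from what the uploader claimed and,
    for VMDK, a descriptor create-type outside the allowlist. Flat-style
    descriptors name their extent files by path, which is the input class
    OSSA-2023-002 concerns, so they are refused rather than handed to the converter.
    """
    info = json.loads(info_json)
    detected = info.get("format")
    if detected != claimed_format:
        return False, "format mismatch: claimed %s, detected %s" % (claimed_format, detected)
    if detected != "vmdk":
        return True, "ok"
    data = (info.get("format-specific") or {}).get("data") or {}
    create_type = data.get("create-type")  # None when the descriptor lacks it -> rejected
    if create_type not in allowed:
        return False, "vmdk create-type %r not in %r" % (create_type, allowed)
    return True, "ok"


# Constructed samples shaped like `qemu-img info --output=json` output, not real captures.
STREAM_OPTIMIZED = json.dumps({
    "format": "vmdk", "virtual-size": 1073741824,
    "format-specific": {"type": "vmdk", "data": {
        "cid": 1, "parent-cid": 4294967295, "create-type": "streamOptimized",
        "extents": [{"virtual-size": 1073741824, "filename": "disk.vmdk",
                     "cluster-size": 65536, "format": ""}]}}})
MONOLITHIC_FLAT = json.dumps({
    "format": "vmdk", "virtual-size": 1073741824,
    "format-specific": {"type": "vmdk", "data": {
        "cid": 1, "parent-cid": 4294967295, "create-type": "monolithicFlat",
        "extents": [{"virtual-size": 1073741824, "filename": "disk-flat.vmdk",
                     "format": "FLAT"}]}}})
RAW_DISK = json.dumps({"format": "raw", "virtual-size": 1048576})
```

In a real pipeline the JSON comes from `qemu_img_info(path)` run on the uploaded file, and a `False` result should abort the conversion before any extent path is opened.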
Thales Elero Cervi (tcervi) wrote :
Changed in starlingx:
status: New → Fix Released
Ghada Khalil (gkhalil)
Changed in starlingx:
importance: Undecided → Medium