Openstack Security Advisory: OSSA-2023-003: Unauthorized volume access through deleted volume attachments

Bug #2020373 reported by Thales Elero Cervi
Affects: StarlingX
Status: Fix Released
Importance: Medium
Assigned to: Thales Elero Cervi
Milestone: (none)

Bug Description

Brief Description
-----------------
There is a new Openstack Security Advisory: https://security.openstack.org/ossa/OSSA-2023-003.html

It needs to be evaluated after the OpenStack services upversion to Antelope: https://storyboard.openstack.org/#!/story/2010715

In case this is still a security issue, we should port the solution.

Severity
--------
Medium: Security Issue

Steps to Reproduce
------------------
N/A

Expected Behavior
------------------
N/A

Actual Behavior
----------------
N/A

Reproducibility
---------------
Reproducible

System Configuration
--------------------
N/A

Branch/Pull Time/Commit
-----------------------
stx main branch

Last Pass
---------
N/A

Timestamp/Logs
--------------
N/A

Test Activity
-------------
Security vulnerabilities review

Workaround
----------
None

Thales Elero Cervi (tcervi) wrote :

Next StarlingX release (stx.9.0) will deliver an stx-openstack application with OpenStack Antelope based images generated on top of the `stable/2023.1` branch, and all affected services have a fix for this on this branch (note that we don't build glance_store or os-brick images):

    Cinder: https://review.opendev.org/c/openstack/cinder/+/882836
    Nova: https://review.opendev.org/c/openstack/cinder/+/882836
    Glance store: https://review.opendev.org/c/openstack/glance_store/+/882851
    OS Brick: https://review.opendev.org/c/openstack/os-brick/+/882843

tags: added: stx.9.0 stx.distro.openstack stx.security
Thales Elero Cervi (tcervi) wrote :
Changed in starlingx:
assignee: nobody → Thales Elero Cervi (tcervi)
status: New → Fix Released
Ghada Khalil (gkhalil)
Changed in starlingx:
importance: Undecided → Medium