Revision: d60705f66916
Author: helgav <[email protected]>
Date: Tue Aug 12 13:30:35 2014 UTC
Log: Edited wiki page SecurityAdvisories through web user interface.
http://code.google.com/p/ganeti/source/detail?r=d60705f66916&repo=wiki
Modified:
/SecurityAdvisories.wiki
=======================================
--- /SecurityAdvisories.wiki Tue Aug 12 08:59:07 2014 UTC
+++ /SecurityAdvisories.wiki Tue Aug 12 13:30:35 2014 UTC
@@ -2,10 +2,11 @@
= Ganeti Config Archive Vulnerability =
+Published 2014-08-12
Ganeti, an open source virtualisation manager, suffered from an insecure
file permission vulnerability that leads to sensitive information
disclosure. This issue was fixed with versions 2.10.7 and 2.11.5.
-The Ganeti upgrade command 'gnt-cluster upgrade' creates an archive of the
current configuration of the cluster (e.g. the contents of
`/var/lib/ganeti`). The archive is named following the pattern `ganet*.tar`
and is written to `/var/lib/`. Such archives were written with too lax
permissions that made it possible to read them as unprivileged user, on the
master node.
+The Ganeti upgrade command 'gnt-cluster upgrade' creates an archive of the
current configuration of the cluster (e.g. the contents of
`/var/lib/ganeti`). The archive is named following the pattern
`ganeti*.tar` and is written to `/var/lib/`. Such archives were written
with too lax permissions that made it possible to read them as unprivileged
user, on the master node.
The configuration archive contains sensitive information, including SSL
keys for the inter-node communication via RPC as well as the credentials
for the remote API (RAPI). Such information can be used to control various
operations of the cluster, including shutting down and removing instances
and nodes from the cluster, or assuming the identity of the cluster in a
MITM attack.
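Review bot: The advisory still lacks remediation guidance for clusters that already ran the affected upgrade command: the rewritten paragraph ("Such archives were written with too lax permissions ...") and the context line naming 2.10.7 and 2.11.5 do not say what an operator should do about `ganeti*.tar` archives already sitting in `/var/lib/`, or about the SSL keys and RAPI credentials those archives contain. Suggest adding a sentence after the fixed versions that covers the existing archives and states whether the keys and credentials should be renewed. Two smaller points: "as unprivileged user, on the master node" would read better as "by an unprivileged user on the master node", and it is worth checking that the new "Published 2014-08-12" line renders on its own line rather than running into the first paragraph.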