OpenStack Security Advisory: 2014-001 CVE: CVE-2013-7048 Date: January 13, 2013 Title: Nova live snapshots use an insecure local directory Reporter: Daniel Berrange (Red Hat) Products: Nova Affects: Grizzly and later Description: Daniel Berrange from Red Hat reported that the directories used to temporarily store live snapshots on Nova compute nodes were writable to all local users. A local attacker with shell access on compute nodes could therefore read and modify the contents of live snapshots before those are uploaded to the image service. Icehouse (development branch) fix: https://review.openstack.org/#/c/58852/ Havana fix: https://review.openstack.org/#/c/60548/ Grizzly fix: https://review.openstack.org/#/c/60550/ References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-7048 https://bugs.launchpad.net/nova/+bug/1227027 Regards, -- Thierry Carrez OpenStack Vulnerability Management Team -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 901 bytes Desc: OpenPGP digital signature URL: <http://lists.openstack.org/pipermail/openstack-announce/attachments/20140113/ed3be846/attachment.pgp>