OpenStack Security Advisory: 2014-003 CVE: CVE-2013-7130 Date: January 23, 2014 Title: Live migration can leak root disk into ephemeral storage Reporter: Loganathan Parthipan (HP) Products: Nova Affects: All supported versions Description: Loganathan Parthipan from Hewlett Packard reported a vulnerability in the Nova libvirt driver. By spawning a server with the same flavor as another user's migrated virtual machine, an authenticated user can potentially access that user's snapshot content resulting in information leakage. Only setups using KVM live block migration are affected. Icehouse (development branch) fix: https://review.openstack.org/#/c/68658/ Havana (development branch) fix: https://review.openstack.org/#/c/68659/ Grizzly fix: https://review.openstack.org/#/c/68660/ References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-7130 https://bugs.launchpad.net/nova/+bug/1251590 -- Grant Murphy OpenStack Vulnerability Management Team -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 230 bytes Desc: This is a digitally signed message part URL: <http://lists.openstack.org/pipermail/openstack-announce/attachments/20140124/1e424a3e/attachment.pgp>