[Openstack-security] [OSSN] Draft: Nova Baremetal Exposes Previous Tenant Data

Kurt Seifried kseifried at redhat.com
Tue Jul 2 18:53:34 UTC 2013



On 07/02/2013 12:24 PM, Jeremy Stanley wrote:
> On 2013-07-02 10:48:55 -0600 (-0600), Kurt Seifried wrote:
>> This sounds like it needs a CVE #. Any reason it wasn't given
>> one?
> 
> As far as I'm aware, these were known shortcomings of the design 
> before any of it was ever implemented, and it is still considered
> a proof-of-concept without any enforced isolation or secure
> booting solutions added yet. I suppose it could be argued whether a
> CVE should have been requested before the software was ever
> written.
> 

Huh? According to: https://wiki.openstack.org/wiki/Baremetal

"This driver was added to the Grizzly release, but it should be
considered somewhat experimental at this point. See the Bugs section
for information and links to the Launchpad bug listings."

also no mention of any security issues with respect to data not being
wiped. Now I get that the software hasn't been officially blessed as
production ready, but it has been released publicly. Unless there is a
compelling reason not to assign a CVE for this (speak up now!) I'll do
so later today.

- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993