OpenStack Security Advisory: 2014-033 CVE: CVE-2014-3641 Date: October 02, 2014 Title: Cinder-volume host data leak to vm instance Reporter: Duncan Thomas (HP) Products: Cinder Versions: up to 2014.1.2

Description: Duncan Thomas from Hewlett Packard reported a vulnerability in Cinder GlusterFS and Linux Smbfs drivers. By overwriting a volume from within an instance with a malicious qcow2 header, an authenticated user may be able to clone and attach that corrupted volume resulting in affected drivers leaking an arbitrary file from the Cinder-volume host to the virtual instance. Note that the host file must be readable by the Cinder context to be exposed. Only Cinder setups using GlusterFS volume driver configured with glusterfs_qcow2_volumes=False (which is the default) or Cinder setups using Smbfs volume driver configured with smbfs_default_volume_format=raw (which is not the default) are affected.

Juno (development branch) fix: https://review.openstack.org/125671

Icehouse fix: https://review.openstack.org/125710

Notes: This fix will be included in the Juno release 2014.2 and in the upcoming 2014.1.3 release.

References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3641 https://launchpad.net/bugs/1350504

-- Tristan Cacqueray OpenStack Vulnerability Management Team