[OSSA 2013-001] Boot from volume allows access to random volumes (CVE-2013-0208)
OpenStack Security Advisory: 2013-001
CVE: CVE-2013-0208
Date: January 29, 2013
Title: Boot from volume allows access to random volumes
Reporter: Phil Day (HP)
Products: Nova
Affects: Essex, Folsom

Description:
Phil Day from HP reported a vulnerability in volume attachment in nova-volume, affecting the boot-from-volume feature. By passing a specific volume ID, an authenticated user may be able to boot from a volume he doesn't own, potentially resulting in full access to that 3rd-party volume contents. Folsom setups making use of Cinder are not affected.

Folsom fix (included in upcoming Nova 2012.2.3 stable update):
http://github.com/openstack/nova/commit/317cc0af385536dee43ef2addad50a91357f...

Essex fix:
http://github.com/openstack/nova/commit/243d516cea9d3caa5a8267b12d2f577dcb24...

References:
https://bugs.launchpad.net/nova/+bug/1069904
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2013-0208

--
Thierry Carrez (ttx)
OpenStack Vulnerability Management Team
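
The class of flaw described in the advisory, a caller-supplied volume ID used without an ownership check, is shown here as an added example; it is not Nova's code and not the content of the referenced commits. Every name in it (RequestContext, Volume, VOLUMES, the function names) is hypothetical, and the volume records are constructed sample data.

```python
from dataclasses import dataclass


class VolumeNotFound(Exception):
    """Raised for unknown volumes and for volumes owned by another project."""


@dataclass(frozen=True)
class RequestContext:  # hypothetical stand-in for an authenticated request
    user_id: str
    project_id: str
    is_admin: bool = False


@dataclass(frozen=True)
class Volume:
    id: str
    project_id: str


# Constructed sample data: two tenants, one volume each.
VOLUMES = {
    "vol-a": Volume(id="vol-a", project_id="project-a"),
    "vol-b": Volume(id="vol-b", project_id="project-b"),
}


def get_boot_volume_unchecked(context, volume_id):
    """Flawed pattern: the caller-supplied ID is trusted as-is."""
    volume = VOLUMES.get(volume_id)
    if volume is None:
        raise VolumeNotFound(volume_id)
    return volume


def get_boot_volume(context, volume_id):
    """Hardened pattern: the lookup is scoped to the caller's project."""
    volume = VOLUMES.get(volume_id)
    owned = volume is not None and volume.project_id == context.project_id
    # Same error for "missing" and "not yours", so IDs cannot be probed.
    if volume is None or not (context.is_admin or owned):
        raise VolumeNotFound(volume_id)
    return volume


def validate_block_device_mapping(context, mapping):
    """Resolve every volume in a boot request before any attach happens."""
    return [get_boot_volume(context, entry["volume_id"]) for entry in mapping]
```

Running the check over the whole block device mapping before the instance is scheduled means a single foreign volume ID rejects the request rather than failing after a partial attach.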