[OSSA-2024-001] OpenStack Cinder, Glance, Nova: Arbitrary file access through custom QCOW2 external data (CVE-2024-32498)
=======================================================================
OSSA-2024-001: Arbitrary file access through custom QCOW2 external data
=======================================================================

:Date: July 02, 2024
:CVE: CVE-2024-32498

Affects
~~~~~~~
- Cinder: <22.1.3, >=23.0.0 <23.1.1, ==24.0.0
- Glance: <26.0.1, ==27.0.0, >=28.0.0 <28.0.2
- Nova: <27.3.1, >=28.0.0 <28.1.1, >=29.0.0 <29.0.3

Description
~~~~~~~~~~~
Martin Kaesberger reported a vulnerability in QCOW2 image processing for
Cinder, Glance and Nova. By supplying a specially created QCOW2 image
which references a specific data file path, an authenticated user may
convince systems to return a copy of that file's contents from the
server resulting in unauthorized access to potentially sensitive data.
All Cinder deployments are affected; only Glance deployments with image
conversion enabled are affected; all Nova deployments are affected.

Patches
~~~~~~~
- https://review.opendev.org/923247 (2023.1/antelope(cinder))
- https://review.opendev.org/923277 (2023.1/antelope(glance))
- https://review.opendev.org/923278 (2023.1/antelope(glance))
- https://review.opendev.org/923279 (2023.1/antelope(glance))
- https://review.opendev.org/923280 (2023.1/antelope(glance))
- https://review.opendev.org/923281 (2023.1/antelope(glance))
- https://review.opendev.org/923282 (2023.1/antelope(glance))
- https://review.opendev.org/923283 (2023.1/antelope(glance))
- https://review.opendev.org/923288 (2023.1/antelope(nova))
- https://review.opendev.org/923289 (2023.1/antelope(nova))
- https://review.opendev.org/923290 (2023.1/antelope(nova))
- https://review.opendev.org/923281 (2023.1/antelope(nova))
- https://review.opendev.org/923246 (2023.2/bobcat(cinder))
- https://review.opendev.org/923266 (2023.2/bobcat(glance))
- https://review.opendev.org/923267 (2023.2/bobcat(glance))
- https://review.opendev.org/923268 (2023.2/bobcat(glance))
- https://review.opendev.org/923269 (2023.2/bobcat(glance))
- https://review.opendev.org/923270 (2023.2/bobcat(glance))
- https://review.opendev.org/923271 (2023.2/bobcat(glance))
- https://review.opendev.org/923272 (2023.2/bobcat(glance))
- https://review.opendev.org/923284 (2023.2/bobcat(nova))
- https://review.opendev.org/923285 (2023.2/bobcat(nova))
- https://review.opendev.org/923286 (2023.2/bobcat(nova))
- https://review.opendev.org/923287 (2023.2/bobcat(nova))
- https://review.opendev.org/923245 (2024.1/caracal(cinder))
- https://review.opendev.org/923259 (2024.1/caracal(glance))
- https://review.opendev.org/923260 (2024.1/caracal(glance))
- https://review.opendev.org/923261 (2024.1/caracal(glance))
- https://review.opendev.org/923262 (2024.1/caracal(glance))
- https://review.opendev.org/923263 (2024.1/caracal(glance))
- https://review.opendev.org/923264 (2024.1/caracal(glance))
- https://review.opendev.org/923265 (2024.1/caracal(glance))
- https://review.opendev.org/923273 (2024.1/caracal(nova))
- https://review.opendev.org/923274 (2024.1/caracal(nova))
- https://review.opendev.org/923275 (2024.1/caracal(nova))
- https://review.opendev.org/923276 (2024.1/caracal(nova))
- https://review.opendev.org/923244 (2024.2/dalmatian(cinder))
- https://review.opendev.org/923248 (2024.2/dalmatian(glance))
- https://review.opendev.org/923249 (2024.2/dalmatian(glance))
- https://review.opendev.org/923250 (2024.2/dalmatian(glance))
- https://review.opendev.org/923251 (2024.2/dalmatian(glance))
- https://review.opendev.org/923252 (2024.2/dalmatian(glance))
- https://review.opendev.org/923253 (2024.2/dalmatian(glance))
- https://review.opendev.org/923254 (2024.2/dalmatian(glance))
- https://review.opendev.org/923255 (2024.2/dalmatian(nova))
- https://review.opendev.org/923256 (2024.2/dalmatian(nova))
- https://review.opendev.org/923257 (2024.2/dalmatian(nova))
- https://review.opendev.org/923258 (2024.2/dalmatian(nova))

Credits
~~~~~~~
- Martin Kaesberger (CVE-2024-32498)

References
~~~~~~~~~~
- https://launchpad.net/bugs/2059809
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-32498

Notes
~~~~~
- Due to the scope of the problem and complexity of the resulting fixes,
  regressions and additional bypasses were reported in the original bug
  by downstream stakeholders during the coordinated disclosure period.
  As a result, our initially chosen publication date was rescheduled,
  which put the advisory four days past our promised ninety day maximum
  embargo length. Additional revised patches and regression fixes were
  supplied to stakeholders as soon as possible, but we understand the
  unfortunate timing of these last-minute changes resulted in a lot of
  additional work for everyone involved.

-- 
Jeremy Stanley
OpenStack Vulnerability Management Team
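To make the class of input in the description above concrete, here is an added example; it is not code from Cinder, Glance or Nova and not part of the advisory. A QCOW2 header can name a file outside the image in two places: the classic backing file path, and the external data file (incompatible-features bit 2 together with the 0x44415441 "DATA" header extension), which is the "data file path" the description refers to. Any tool that honours either reference reads that path on the server when it converts or inspects the image, so a service accepting user-supplied images should reject both by looking at the raw header bytes, before handing the image to such a tool. The `build_qcow2` helper and the paths it embeds (`/etc/passwd`, `/etc/hostname`) are constructed test data, not captured images; the real fixes are the patches listed in the advisory.

```python
"""Flag QCOW2 headers that reference a file outside the image.

Added example for the OSSA-2024-001 description; not Cinder/Glance/Nova code.
Layout follows QEMU's docs/interop/qcow2.txt; all fields are big-endian.
"""
import struct

QCOW2_MAGIC = b"QFI\xfb"
EXT_DATA_FILE_NAME = 0x44415441   # header extension carrying the data file name
EXT_END = 0x00000000              # terminates the header extension list
INCOMPAT_EXTERNAL_DATA_FILE = 1 << 2  # incompatible_features bit 2
HEADER_V2_LEN = 72
HEADER_V3_LEN = 104


def parse_qcow2_header(buf):
    """Return the header fields that can point at another file."""
    if len(buf) < HEADER_V2_LEN or buf[:4] != QCOW2_MAGIC:
        raise ValueError("not a QCOW2 image")
    version, backing_off, backing_len = struct.unpack(">IQI", buf[4:20])
    info = {"version": version, "backing_file": None, "data_file": None,
            "external_data_file_bit": False}
    if backing_off or backing_len:
        # Any non-zero backing reference counts, even if the path is out of range.
        raw = buf[backing_off:backing_off + backing_len]
        info["backing_file"] = raw.decode("utf-8", "replace")
    if version >= 3 and len(buf) >= HEADER_V3_LEN:
        incompat = struct.unpack(">Q", buf[72:80])[0]
        header_len = struct.unpack(">I", buf[100:104])[0]
        info["external_data_file_bit"] = bool(incompat & INCOMPAT_EXTERNAL_DATA_FILE)
        # Extensions start at header_len: type(4) length(4) data, padded to 8 bytes.
        pos = header_len
        while pos + 8 <= len(buf):
            ext_type, ext_len = struct.unpack(">II", buf[pos:pos + 8])
            if ext_type == EXT_END:
                break
            if ext_type == EXT_DATA_FILE_NAME:
                info["data_file"] = buf[pos + 8:pos + 8 + ext_len].decode("utf-8", "replace")
            pos += 8 + ((ext_len + 7) & ~7)
    return info


def unsafe_references(buf):
    """Reasons to reject the image; an empty list means no outside file is named."""
    info = parse_qcow2_header(buf)
    reasons = []
    if info["backing_file"] is not None:
        reasons.append(f"backing file: {info['backing_file']}")
    if info["external_data_file_bit"] or info["data_file"] is not None:
        reasons.append(f"external data file: {info['data_file']}")
    return reasons


def build_qcow2(backing_file=None, data_file=None, cluster_bits=16):
    """Constructed minimal v3 header (test data, not a real disk image)."""
    ext = b""
    incompat = 0
    if data_file is not None:
        name = data_file.encode()
        ext += struct.pack(">II", EXT_DATA_FILE_NAME, len(name)) + name
        ext += b"\0" * (-len(name) % 8)          # pad extension data to 8 bytes
        incompat |= INCOMPAT_EXTERNAL_DATA_FILE
    ext += struct.pack(">II", EXT_END, 0)
    backing = backing_file.encode() if backing_file else b""
    backing_off = HEADER_V3_LEN + len(ext) if backing else 0
    hdr = QCOW2_MAGIC + struct.pack(
        ">IQIIQIIQQIIQ",
        3, backing_off, len(backing), cluster_bits, 1 << 30,   # version .. virtual size
        0, 1, 1 << cluster_bits, 2 << cluster_bits, 1, 0, 0)   # crypt .. snapshots_offset
    hdr += struct.pack(">QQQII", incompat, 0, 0, 4, HEADER_V3_LEN)  # v3 fields
    img = hdr + ext + backing
    return img + b"\0" * (-len(img) % 512)


if __name__ == "__main__":
    samples = {
        "clean": build_qcow2(),
        "backing": build_qcow2(backing_file="/etc/passwd"),
        "data-file": build_qcow2(data_file="/etc/hostname"),
    }
    for name, img in samples.items():
        print(name, "->", unsafe_references(img) or "accept")
```

The check reads only the header bytes the client uploaded, so it cannot itself be tricked into opening the referenced path; the feature bit is rejected even when the name extension is missing, because a header that claims an external data file without naming one is still not something a conversion pipeline should pass along.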
On 7/2/24 17:00, Jeremy Stanley wrote:
> =======================================================================
> OSSA-2024-001: Arbitrary file access through custom QCOW2 external data
> =======================================================================
>
> :Date: July 02, 2024
> :CVE: CVE-2024-32498
>
> Affects
> ~~~~~~~
> - Cinder: <22.1.3, >=23.0.0 <23.1.1, ==24.0.0
> - Glance: <26.0.1, ==27.0.0, >=28.0.0 <28.0.2
> - Nova: <27.3.1, >=28.0.0 <28.1.1, >=29.0.0 <29.0.3
Hi,

FYI, I have just completed the update of all 3 projects' Debian packages from Victoria to Caracal. So, 3 projects, times 8 branches, that's 24 branches in total. I worked full time on this for a week and a half! :/

All of them are available as usual, through the unofficial Debian repository at: https://osbpo.debian.net/debian

The official Victoria update in Debian 11 (Bullseye LTS) and the Zed update in Debian 12 (Bookworm) will follow, though I've been told that the Debian security team is busy on other priorities, so I have no clue when they will have enough time to review my packages.

Also, note that for Victoria, since it was the oldest branch, I went as far as running a full Tempest functional test to validate the upgrades. I couldn't, given the short time, do that on all releases, though I expect them to be working too, since the newer the simpler. Obviously, please report any regression.

Hoping that Debian users will appreciate having the last 8 branches fixed, with backports, in a timely manner.

Cheers,

Thomas Goirand (zigo)