[OSSA-2023-002] Cinder, Glance, Nova: Arbitrary file access through custom VMDK flat descriptor (CVE-2022-47951)
========================================================================
OSSA-2023-002: Arbitrary file access through custom VMDK flat descriptor
========================================================================

:Date: January 24, 2023
:CVE: CVE-2022-47951

Affects
~~~~~~~
- Cinder, glance, nova: Cinder <19.1.2, >=20.0.0 <20.0.2, ==21.0.0; Glance <23.0.1, >=24.0.0 <24.1.1, ==25.0.0; Nova <24.1.2, >=25.0.0 <25.0.2, ==26.0.0

Description
~~~~~~~~~~~
Guillaume Espanel, Pierre Libeau, Arnaud Morin and Damien Rannou (OVH) reported a vulnerability in VMDK image processing for Cinder, Glance and Nova. By supplying a specially created VMDK flat image which references a specific backing file path, an authenticated user may convince systems to return a copy of that file's contents from the server, resulting in unauthorized access to potentially sensitive data. All Cinder deployments are affected; only Glance deployments with image conversion enabled are affected; all Nova deployments are affected.

Patches
~~~~~~~
- https://review.opendev.org/871631 (Train(cinder))
- https://review.opendev.org/871630 (Train(glance))
- https://review.opendev.org/871629 (Ussuri(cinder))
- https://review.opendev.org/871626 (Ussuri(glance))
- https://review.opendev.org/871628 (Victoria(cinder))
- https://review.opendev.org/871623 (Victoria(glance))
- https://review.opendev.org/871627 (Wallaby(cinder))
- https://review.opendev.org/871621 (Wallaby(glance))
- https://review.opendev.org/871625 (Xena(cinder))
- https://review.opendev.org/871619 (Xena(glance))
- https://review.opendev.org/871622 (Xena(nova))
- https://review.opendev.org/871620 (Yoga(cinder))
- https://review.opendev.org/871617 (Yoga(glance))
- https://review.opendev.org/871624 (Yoga(nova))
- https://review.opendev.org/871618 (Zed(cinder))
- https://review.opendev.org/871614 (Zed(glance))
- https://review.opendev.org/871616 (Zed(nova))
- https://review.opendev.org/871615 (2023.1/antelope(cinder))
- https://review.opendev.org/871613 (2023.1/antelope(glance))
- https://review.opendev.org/871612 (2023.1/antelope(nova))

Credits
~~~~~~~
- Guillaume Espanel from OVH (CVE-2022-47951)
- Pierre Libeau from OVH (CVE-2022-47951)
- Arnaud Morin from OVH (CVE-2022-47951)
- Damien Rannou from OVH (CVE-2022-47951)

References
~~~~~~~~~~
- https://launchpad.net/bugs/1996188
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-47951

Notes
~~~~~
- The stable/wallaby, stable/victoria, stable/ussuri, and stable/train branches are under extended maintenance and will receive no new point releases, but patches for them are provided as a courtesy where possible.

--
Jeremy Stanley
OpenStack Vulnerability Management Team
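The advisory above describes the root cause: a VMDK descriptor is plain text, and a "flat" descriptor names the file its data lives in, so a converter (qemu-img) that trusts an uploaded descriptor will open whatever path the descriptor points at. The following is an added example, not code from the advisory or from the linked Cinder, Glance or Nova patches, of a defender-side pre-check a deployment could run on a descriptor before handing the image to a converter. It parses the descriptor's header keys and extent lines (the format is VMware's published descriptor syntax) and rejects anything whose data would come from a file other than the image itself: a createType outside an allow-list, a parentFileNameHint (backing file), an extent type that always refers to a separate file, or an extent file name that is a path rather than a bare name. The allow-list contents, the sample descriptors and the placeholder server path are all constructed for this example; for a sparse VMDK the descriptor is embedded inside the binary file, and extracting it is outside this example's scope.

```python
"""Validate a VMDK text descriptor before passing the image to a converter.

Added example; not code from the OpenStack patches linked in the advisory.
Rejects any descriptor whose data would be read from a file other than the
image itself.
"""
import re

# Extent line syntax from the VMDK descriptor format:
#   ACCESS SIZE TYPE "FILENAME" [OFFSET]
EXTENT_RE = re.compile(
    r'^(RW|RDONLY|NOACCESS)\s+(\d+)\s+([A-Z]+)\s+"([^"]*)"(?:\s+(\d+))?\s*$'
)
# Header / DDB lines: key=value or key="value"
KEY_RE = re.compile(r'^([A-Za-z0-9_.]+)\s*=\s*"?([^"]*?)"?\s*$')

# Subformats whose data lives inside the descriptor's own file.
# Assumption for this example; a deployment sets this to what it needs.
ALLOWED_CREATE_TYPES = {"streamOptimized", "monolithicSparse"}
# Extent types that always point at data outside the descriptor file.
EXTERNAL_EXTENT_TYPES = {"FLAT", "VMFS", "VMFSRDM", "VMFSRAW"}


def parse_descriptor(text):
    """Split a descriptor into (header dict, list of extent dicts)."""
    header, extents = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = EXTENT_RE.match(line)
        if m:
            extents.append({
                "access": m.group(1),
                "sectors": int(m.group(2)),
                "type": m.group(3),
                "filename": m.group(4),
                "offset": int(m.group(5) or 0),
            })
            continue
        m = KEY_RE.match(line)
        if m:
            header[m.group(1)] = m.group(2)
    return header, extents


def is_bare_filename(name):
    """True only for a plain file name: no separators, no '..', not empty."""
    return bool(name) and "/" not in name and "\\" not in name and name != ".."


def check_descriptor(text):
    """Return a list of reasons to reject the descriptor; [] means accept."""
    header, extents = parse_descriptor(text)
    problems = []
    create_type = header.get("createType")
    if create_type not in ALLOWED_CREATE_TYPES:
        problems.append("createType %r is not in the allow-list" % create_type)
    if header.get("parentFileNameHint"):
        problems.append("parentFileNameHint names a backing file: %r"
                        % header["parentFileNameHint"])
    if not extents:
        problems.append("no extent lines found")
    for ext in extents:
        if ext["type"] in EXTERNAL_EXTENT_TYPES:
            problems.append("%s extent reads data from a separate file: %r"
                            % (ext["type"], ext["filename"]))
        if not is_bare_filename(ext["filename"]):
            problems.append("extent file name is a path, not a bare name: %r"
                            % ext["filename"])
    return problems


# Constructed sample: a self-contained monolithicSparse descriptor.
SELF_CONTAINED = """# Disk DescriptorFile
version=1
CID=fffffffe
parentCID=ffffffff
createType="monolithicSparse"

# Extent description
RW 4192256 SPARSE "disk.vmdk"

# The Disk Data Base
#DDB
ddb.virtualHWVersion = "4"
"""

# Constructed sample: a flat descriptor whose extent is a path on the server
# (placeholder path, not a real target).
EXTERNAL_FLAT = """# Disk DescriptorFile
version=1
CID=fffffffe
parentCID=ffffffff
createType="monolithicFlat"

# Extent description
RW 4192256 FLAT "/placeholder/path/on/server" 0
"""

if __name__ == "__main__":
    for label, desc in (("self-contained", SELF_CONTAINED),
                        ("external flat", EXTERNAL_FLAT)):
        print(label, "->", check_descriptor(desc) or "accepted")
```

The check is deliberately conservative: it refuses the whole descriptor rather than trying to sanitise a path, since any extent or backing reference outside the image file is exactly the class of input the advisory warns about.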
On 1/24/23 17:02, Jeremy Stanley wrote:
> ========================================================================
> OSSA-2023-002: Arbitrary file access through custom VMDK flat descriptor
> ========================================================================
>
> :Date: January 24, 2023
> :CVE: CVE-2022-47951
>
> Affects
> ~~~~~~~
> - Cinder, glance, nova: Cinder <19.1.2, >=20.0.0 <20.0.2, ==21.0.0; Glance <23.0.1, >=24.0.0 <24.1.1, ==25.0.0; Nova <24.1.2, >=25.0.0 <25.0.2, ==26.0.0
FYI, I patched all Debian packages from Rocky to Zed. That's 9 flavors of OpenStack times 3 packages, plus 2 versions of oslo.utils (needed for Rocky and Stein), so that's a total of 29 packages. Packages were uploaded to official buster-security (Debian LTS), bullseye-security (for which I just received the security announce, closing this chapter) and unstable.

The same work was done for Swift.

Note that some of the flavors above (namely Train, Ussuri, Victoria and Xena) were pushed to my employer's (Infomaniak) production cloud without any issue.

FYI, I plan to support from Rocky to Zed the above way until Debian Buster (LTS) is EOL. I hope all Debian users appreciate the amount of work I've put into this, and hope this will get more traction to Debian, knowing we are now engaged in a 5-year support.

Also thanks to everyone who helped me on IRC (in the Nova and Cinder channels).

Best regards,

Thomas Goirand (zigo)
On 2023-02-01 21:15:34 +0100 (+0100), Thomas Goirand wrote:
[...]
> I hope all Debian users appreciate the amount of work I've put into this, and hope this will get more traction to Debian, knowing we are now engaged in a 5-year support.
[...]

That's awesome news! Thanks for being so thorough with security fixes.

I'm also still keen to reignite discussions on the spi-general ML about having Debian (or SPI on Debian's behalf) as an Associate Member of the OpenInfra Foundation so that we can more easily justify joint marketing efforts, but now that I'm on the SPI board of directors I have a clear conflict of interest and can't really drive that conversation. I'm hoping we can find more official Debian Developers to chime in on the discussion this time, so am eager to hear from anyone willing to help with that effort.

--
Jeremy Stanley
On 2/2/23 07:15, Thomas Goirand wrote:
> FYI, I plan to support from Rocky to Zed the above way until Debian Buster (LTS) is EOL. I hope all Debian users appreciate the amount of work I've put into this, and hope this will get more traction to Debian, knowing we are now engaged in a 5-year support.

Hi Thomas,

We, downstream users using the packages, definitely appreciate the hard work you have put into packaging.

Cheers,
Jake