[openstack-announce] [OSSA 2014-003] Live migration can leak root disk into ephemeral storage (CVE-2013-7130)

Grant Murphy gmurphy at redhat.com
Thu Jan 23 16:38:04 UTC 2014


OpenStack Security Advisory: 2014-003
CVE: CVE-2013-7130
Date: January 23, 2014

Title: Live migration can leak root disk into ephemeral storage
Reporter: Loganathan Parthipan (HP)
Products: Nova
Affects: All supported versions

Description:
Loganathan Parthipan from Hewlett Packard reported a vulnerability in
the Nova libvirt driver. By spawning a server with the same flavor as
another user's migrated virtual machine, an authenticated user can
potentially access that user's snapshot content resulting in information
leakage. Only setups using KVM live block migration are affected.


Icehouse (development branch) fix:
https://review.openstack.org/#/c/68658/

Havana (development branch) fix:
https://review.openstack.org/#/c/68659/

Grizzly fix:
https://review.openstack.org/#/c/68660/


References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-7130
https://bugs.launchpad.net/nova/+bug/1251590

-- 
Grant Murphy
OpenStack Vulnerability Management Team
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 230 bytes
Desc: This is a digitally signed message part
URL: <http://lists.openstack.org/pipermail/openstack-announce/attachments/20140124/1e424a3e/attachment.pgp>


More information about the OpenStack-announce mailing list