[openstack-announce] [OSSA-2023-002] Cinder, Glance, Nova: Arbitrary file access through custom VMDK flat descriptor (CVE-2022-47951)
Thomas Goirand
zigo at debian.org
Wed Feb 1 20:15:34 UTC 2023
On 1/24/23 17:02, Jeremy Stanley wrote:
> ========================================================================
> OSSA-2023-002: Arbitrary file access through custom VMDK flat descriptor
> ========================================================================
>
> :Date: January 24, 2023
> :CVE: CVE-2022-47951
>
>
> Affects
> ~~~~~~~
> - Cinder, Glance, Nova:
> Cinder <19.1.2, >=20.0.0 <20.0.2, ==21.0.0;
> Glance <23.0.1, >=24.0.0 <24.1.1, ==25.0.0;
> Nova <24.1.2, >=25.0.0 <25.0.2, ==26.0.0
FYI, I patched all Debian packages from Rocky to Zed. That's 9 flavors
of OpenStack times 3 packages, plus 2 versions of oslo.utils (needed for
Rocky and Stein), so that's a total of 29 packages. Packages were
uploaded to official buster-security (Debian LTS), bullseye-security
(for which I just received the security announcement, closing this chapter)
and unstable. The same work was done for Swift.

Note that some of the flavors above (namely Train, Ussuri, Victoria and
Xena) were pushed to my employer's (Infomaniak) production cloud without
any issue.

FYI, I plan to support Rocky through Zed in the above way until Debian
Buster (LTS) is EOL. I hope all Debian users appreciate the amount of
work I've put into this, and I hope this will bring more traction to Debian,
knowing we are now engaged in 5 years of support.

Also, thanks to everyone who helped me on IRC (in the Nova and Cinder
channels).

Best regards,

Thomas Goirand (zigo)