[OSSA-2023-002] Cinder, Glance, Nova: Arbitrary file access through custom VMDK flat descriptor (CVE-2022-47951)

Jeremy Stanley fungi at yuggoth.org
Tue Jan 24 16:02:20 UTC 2023


========================================================================
OSSA-2023-002: Arbitrary file access through custom VMDK flat descriptor
========================================================================

:Date: January 24, 2023
:CVE: CVE-2022-47951


Affects
~~~~~~~
- Cinder, Glance, Nova:
  Cinder <19.1.2, >=20.0.0 <20.0.2, ==21.0.0;
  Glance <23.0.1, >=24.0.0 <24.1.1, ==25.0.0;
  Nova <24.1.2, >=25.0.0 <25.0.2, ==26.0.0


Description
~~~~~~~~~~~
Guillaume Espanel, Pierre Libeau, Arnaud Morin and Damien Rannou
(OVH) reported a vulnerability in VMDK image processing for Cinder,
Glance and Nova. By supplying a specially created VMDK flat image
which references a specific backing file path, an authenticated user
may convince systems to return a copy of that file's contents from
the server, resulting in unauthorized access to potentially sensitive
data. All Cinder deployments are affected; only Glance deployments
with image conversion enabled are affected; all Nova deployments are
affected.
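
One way an operator could screen uploaded images for the condition
described above, shown as an added example (not part of the original
advisory and not OpenStack's code). It inspects already-parsed
``qemu-img info --output=json`` output; the allowlist, function name
and sample records are assumptions of this example.

```python
import json

# Assumption of this example: accept only single-file VMDK subformats.
ALLOWED_CREATE_TYPES = frozenset({"streamOptimized", "monolithicSparse"})


def vmdk_findings(info, allowed=ALLOWED_CREATE_TYPES):
    """Return reasons to reject an image, given parsed
    `qemu-img info --output=json` output. Empty list means acceptable."""
    if info.get("format") != "vmdk":
        return []  # other formats need their own checks
    findings = []
    data = (info.get("format-specific") or {}).get("data") or {}
    create_type = data.get("create-type")
    # Fail closed: a missing create-type is treated as not allowed.
    if create_type not in allowed:
        findings.append(f"create-type {create_type!r} not in allowlist")
    # A FLAT extent names a separate file whose bytes become disk content.
    for extent in data.get("extents") or []:
        if extent.get("format") == "FLAT":
            findings.append(f"flat extent references {extent.get('filename')!r}")
    if info.get("backing-filename"):
        findings.append("image declares a backing file")
    return findings


# Constructed samples, trimmed to the fields the check reads.
SAMPLE_SPARSE = json.loads("""
{"format": "vmdk", "filename": "upload.vmdk",
 "format-specific": {"type": "vmdk", "data": {
   "create-type": "monolithicSparse",
   "extents": [{"format": "SPARSE", "filename": "upload.vmdk",
                "virtual-size": 1048576, "cluster-size": 65536}]}}}
""")
SAMPLE_FLAT = json.loads("""
{"format": "vmdk", "filename": "upload.vmdk",
 "format-specific": {"type": "vmdk", "data": {
   "create-type": "monolithicFlat",
   "extents": [{"format": "FLAT", "filename": "EXAMPLE-EXTENT-PATH",
                "virtual-size": 1048576}]}}}
""")

if __name__ == "__main__":
    for name, sample in (("sparse", SAMPLE_SPARSE), ("flat", SAMPLE_FLAT)):
        print(name, vmdk_findings(sample) or "ok")
```

Run the check before any conversion or copy step touches the image,
and reject the upload when the returned list is non-empty.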


Patches
~~~~~~~
- https://review.opendev.org/871631 (Train(cinder))
- https://review.opendev.org/871630 (Train(glance))
- https://review.opendev.org/871629 (Ussuri(cinder))
- https://review.opendev.org/871626 (Ussuri(glance))
- https://review.opendev.org/871628 (Victoria(cinder))
- https://review.opendev.org/871623 (Victoria(glance))
- https://review.opendev.org/871627 (Wallaby(cinder))
- https://review.opendev.org/871621 (Wallaby(glance))
- https://review.opendev.org/871625 (Xena(cinder))
- https://review.opendev.org/871619 (Xena(glance))
- https://review.opendev.org/871622 (Xena(nova))
- https://review.opendev.org/871620 (Yoga(cinder))
- https://review.opendev.org/871617 (Yoga(glance))
- https://review.opendev.org/871624 (Yoga(nova))
- https://review.opendev.org/871618 (Zed(cinder))
- https://review.opendev.org/871614 (Zed(glance))
- https://review.opendev.org/871616 (Zed(nova))
- https://review.opendev.org/871615 (2023.1/antelope(cinder))
- https://review.opendev.org/871613 (2023.1/antelope(glance))
- https://review.opendev.org/871612 (2023.1/antelope(nova))


Credits
~~~~~~~
- Guillaume Espanel from OVH (CVE-2022-47951)
- Pierre Libeau from OVH (CVE-2022-47951)
- Arnaud Morin from OVH (CVE-2022-47951)
- Damien Rannou from OVH (CVE-2022-47951)


References
~~~~~~~~~~
- https://launchpad.net/bugs/1996188
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-47951


Notes
~~~~~
- The stable/wallaby, stable/victoria, stable/ussuri, and
  stable/train branches are under extended maintenance and will
  receive no new point releases, but patches for them are provided
  as a courtesy where possible.

-- 
Jeremy Stanley
OpenStack Vulnerability Management Team