Message-ID: <1390495104.8188.18.camel@lappy>
Date: Fri, 24 Jan 2014 02:38:24 +1000
From: Grant Murphy <gmurphy@...hat.com>
To: oss-security@...ts.openwall.com
Subject: [OSSA 2014-003] Live migration can leak root disk into ephemeral
 storage (CVE-2013-7130)

OpenStack Security Advisory: 2014-003
CVE: CVE-2013-7130
Date: January 23, 2014

Title: Live migration can leak root disk into ephemeral storage
Reporter: Loganathan Parthipan (HP)
Products: Nova
Affects: All supported versions

Description:
Loganathan Parthipan from Hewlett Packard reported a vulnerability in
the Nova libvirt driver. By spawning a server with the same flavor as
another user's migrated virtual machine, an authenticated user can
potentially access that user's snapshot content resulting in information
leakage. Only setups using KVM live block migration are affected.


Icehouse (development branch) fix:
https://review.openstack.org/#/c/68658/

Havana (development branch) fix:
https://review.openstack.org/#/c/68659/

Grizzly fix:
https://review.openstack.org/#/c/68660/


References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-7130
https://bugs.launchpad.net/nova/+bug/1251590

-- 
Grant Murphy
OpenStack Vulnerability Management Team
