Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Tue, 8 Mar 2016 20:16:39 +0000
From: Tristan Cacqueray <>
Subject: [OSSA 2016-007] Nova host data leak through resize/migration

OSSA-2016-007: Nova host data leak through resize/migration

:Date: March 08, 2016
:CVE: CVE-2016-2140

- Nova: <=2015.1.3, >=12.0.0 <=12.0.2

Matthew Booth from Red Hat reported a vulnerability in Nova instance
resize/migration. By overwriting an ephemeral or root disk with a
malicious image before requesting a resize, an authenticated user may
be able to read arbitrary files from the compute host. Only setups
using libvirt driver with raw storage and setting "use_cow_images =
False" (not default) are affected.

- (Kilo)
- (Liberty)
- (Mitaka)

- Matthew Booth from Red Hat (CVE-2016-2140)


- This fix will be included in future 2015.1.3 (kilo) and 12.0.3
  (liberty) releases.

Tristan Cacqueray
OpenStack Vulnerability Management Team

Download attachment "signature.asc" of type "application/pgp-signature" (474 bytes)

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ