Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [day] [month] [year] [list] 
Date: Tue, 24 Jan 2023 16:08:18 +0000
From: Jeremy Stanley <fungi@...goth.org>
To: oss-security@...ts.openwall.com
Subject: [OSSA-2023-002] Cinder, Glance, Nova: Arbitrary file access through
 custom VMDK flat descriptor (CVE-2022-47951)

========================================================================
OSSA-2023-002: Arbitrary file access through custom VMDK flat descriptor
========================================================================

:Date: January 24, 2023
:CVE: CVE-2022-47951


Affects
~~~~~~~
- Cinder, glance, nova:
  Cinder <19.1.2, >=20.0.0 <20.0.2, ==21.0.0;
  Glance <23.0.1, >=24.0.0 <24.1.1, ==25.0.0;
  Nova <24.1.2, >=25.0.0 <25.0.2, ==26.0.0


Description
~~~~~~~~~~~
Guillaume Espanel, Pierre Libeau, Arnaud Morin and Damien Rannou
(OVH) reported a vulnerability in VMDK image processing for Cinder,
Glance and Nova. By supplying a specially created VMDK flat image
which references a specific backing file path, an authenticated user
may convince systems to return a copy of that file's contents from
the server resulting in unauthorized access to potentially sensitive
data. All Cinder deployments are affected; only Glance deployments
with image conversion enabled are affected; all Nova deployments are
affected.


Patches
~~~~~~~
- https://review.opendev.org/871631 (Train(cinder))
- https://review.opendev.org/871630 (Train(glance))
- https://review.opendev.org/871629 (Ussuri(cinder))
- https://review.opendev.org/871626 (Ussuri(glance))
- https://review.opendev.org/871628 (Victoria(cinder))
- https://review.opendev.org/871623 (Victoria(glance))
- https://review.opendev.org/871627 (Wallaby(cinder))
- https://review.opendev.org/871621 (Wallaby(glance))
- https://review.opendev.org/871625 (Xena(cinder))
- https://review.opendev.org/871619 (Xena(glance))
- https://review.opendev.org/871622 (Xena(nova))
- https://review.opendev.org/871620 (Yoga(cinder))
- https://review.opendev.org/871617 (Yoga(glance))
- https://review.opendev.org/871624 (Yoga(nova))
- https://review.opendev.org/871618 (Zed(cinder))
- https://review.opendev.org/871614 (Zed(glance))
- https://review.opendev.org/871616 (Zed(nova))
- https://review.opendev.org/871615 (2023.1/antelope(cinder))
- https://review.opendev.org/871613 (2023.1/antelope(glance))
- https://review.opendev.org/871612 (2023.1/antelope(nova))


Credits
~~~~~~~
- Guillaume Espanel from OVH (CVE-2022-47951)
- Pierre Libeau from OVH (CVE-2022-47951)
- Arnaud Morin from OVH (CVE-2022-47951)
- Damien Rannou from OVH (CVE-2022-47951)


References
~~~~~~~~~~
- https://launchpad.net/bugs/1996188
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-47951


Notes
~~~~~
- The stable/wallaby, stable/victoria, stable/ussuri, and
  stable/train branches are under extended maintenance and will
  receive no new point releases, but patches for them are provided
  as a courtesy where possible.

-- 
Jeremy Stanley
OpenStack Vulnerability Management Team

Download attachment "signature.asc" of type "application/pgp-signature" (964 bytes)

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.