OSSA-2013-001: Boot from volume allows access to random volumes¶
January 29, 2013
Nova: Essex, Folsom
Phil Day from HP reported a vulnerability in volume attachment in nova-volume, affecting the boot-from-volume feature. By passing a specific volume ID, an authenticated user may be able to boot from a volume he doesn’t own, potentially resulting in full access to that 3rd-party volume contents. Folsom setups making use of Cinder are not affected.
Phil Day from HP (CVE-2013-0208)