OSSA-2014-033: Cinder-volume host data leak to vm instance

Date:

October 02, 2014

CVE:

CVE-2014-3641

Affects

• Cinder: up to 2014.1.2

Description

Duncan Thomas from Hewlett Packard reported a vulnerability in Cinder GlusterFS and Linux Smbfs drivers. By overwriting a volume from within an instance with a malicious qcow2 header, an authenticated user may be able to clone and attach that corrupted volume resulting in affected drivers leaking an arbitrary file from the Cinder-volume host to the virtual instance. Note that the host file must be readable by the Cinder context to be exposed. Only Cinder setups using GlusterFS volume driver configured with glusterfs_qcow2_volumes=False (which is the default) or Cinder setups using Smbfs volume driver configured with smbfs_default_volume_format=raw (which is not the default) are affected.

Patches

• https://review.openstack.org/125710 (Icehouse)

• https://review.openstack.org/125671 (Juno)

Credits

• Duncan Thomas from Hewlett Packard (CVE-2014-3641)

References

• https://launchpad.net/bugs/1350504

• http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3641