
Bug 499056 (CVE-2013-7130)

Summary: <sys-cluster/nova-{2013.1.4-r4,2013.2.1-r2} : Live migration can leak root disk into ephemeral storage[OSSA 2014-003] (CVE-2013-7130)
Product: Gentoo Security
Reporter: Agostino Sarubbo <ago>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: trivial
CC: openstack, prometheanfire
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
URL: http://www.openwall.com/lists/oss-security/2014/01/23/5
Whiteboard: ~4 [noglsa]
Package list:
Runtime testing required: ---

Description Agostino Sarubbo gentoo-dev 2014-01-23 16:56:59 UTC
From ${URL} :

OpenStack Security Advisory: 2014-003
CVE: CVE-2013-7130
Date: January 23, 2014

Title: Live migration can leak root disk into ephemeral storage
Reporter: Loganathan Parthipan (HP)
Products: Nova
Affects: All supported versions

Description:
Loganathan Parthipan from Hewlett Packard reported a vulnerability in
the Nova libvirt driver. By spawning a server with the same flavor as
another user's migrated virtual machine, an authenticated user can
potentially access that user's snapshot content resulting in information
leakage. Only setups using KVM live block migration are affected.


Icehouse (development branch) fix:
https://review.openstack.org/#/c/68658/

Havana (development branch) fix:
https://review.openstack.org/#/c/68659/

Grizzly fix:
https://review.openstack.org/#/c/68660/


References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-7130
https://bugs.launchpad.net/nova/+bug/1251590


@maintainer(s): since the package has never been marked as stable, we don't need to stabilize it. After the bump, please remove the affected versions from the tree.
Comment 1 GLSAMaker/CVETool Bot gentoo-dev 2014-04-10 21:45:51 UTC
CVE-2013-7130 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-7130):
  The i_create_images_and_backing (aka create_images_and_backing) method in
  libvirt driver in OpenStack Compute (Nova) Grizzly, Havana, and Icehouse,
  when using KVM live block migration, does not properly create all expected
  files, which allows attackers to obtain snapshot root disk contents of other
  users via ephemeral storage.