Bug 499056 (CVE-2013-7130) - <sys-cluster/nova-{2013.1.4-r4,2013.2.1-r2} : Live migration can leak root disk into ephemeral storage[OSSA 2014-003] (CVE-2013-7130)
Summary: <sys-cluster/nova-{2013.1.4-r4,2013.2.1-r2} : Live migration can leak root di...
Status: RESOLVED FIXED
Alias: CVE-2013-7130
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All
OS: Linux
Importance: Normal trivial
Assignee: Gentoo Security
URL: http://www.openwall.com/lists/oss-sec...
Whiteboard: ~4 [noglsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2014-01-23 16:56 UTC by Agostino Sarubbo
Modified: 2014-04-10 21:45 UTC (History)

See Also:
Package list:
Runtime testing required: ---


Description Agostino Sarubbo gentoo-dev 2014-01-23 16:56:59 UTC
From ${URL} :

OpenStack Security Advisory: 2014-003
CVE: CVE-2013-7130
Date: January 23, 2014

Title: Live migration can leak root disk into ephemeral storage
Reporter: Loganathan Parthipan (HP)
Products: Nova
Affects: All supported versions

Description:
Loganathan Parthipan from Hewlett Packard reported a vulnerability in
the Nova libvirt driver. By spawning a server with the same flavor as
another user's migrated virtual machine, an authenticated user can
potentially access that user's snapshot content resulting in information
leakage. Only setups using KVM live block migration are affected.


Icehouse (development branch) fix:
https://review.openstack.org/#/c/68658/

Havana (development branch) fix:
https://review.openstack.org/#/c/68659/

Grizzly fix:
https://review.openstack.org/#/c/68660/


References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-7130
https://bugs.launchpad.net/nova/+bug/1251590


@maintainer(s): since the package has never been marked as stable, we don't need to stabilize it. After the bump, please remove the affected versions from the tree.
Comment 1 GLSAMaker/CVETool Bot gentoo-dev 2014-04-10 21:45:51 UTC
CVE-2013-7130 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-7130):
  The i_create_images_and_backing (aka create_images_and_backing) method in
  libvirt driver in OpenStack Compute (Nova) Grizzly, Havana, and Icehouse,
  when using KVM live block migration, does not properly create all expected
  files, which allows attackers to obtain snapshot root disk contents of other
  users via ephemeral storage.