Difference between revisions of "SVG:Advisory-SVG-2015-8964"
Page created by user Cornwall. Revision as of 11:22, 23 June 2015.
Advisory-SVG-2015-8964
** WHITE information - Unlimited distribution allowed **
** see https://wiki.egi.eu/wiki/EGI_CSIRT:TLP for distribution restrictions **

EGI SVG ADVISORY [EGI-SVG-2015-8964]

Title: EGI SVG Advisory 'High' Risk - OpenStack Cinder CVE-2015-1850 [EGI-SVG-2015-8964]

Date: 2015-06-23
Updated:
URL: https://wiki.egi.eu/wiki/SVG:Advisory-SVG-2015-8964

Introduction
============

Cinder is file management software which is part of the OpenStack Cloud software.

A vulnerability has been announced in Cinder which may allow authorized users access to other users' files on the Cinder server. This is only exploitable if a user is able to upload a malicious image.

Since only endorsed VMs are allowed in the EGI Federated Cloud, the likelihood of this being exploited at sites supporting only the EGI Federated Cloud is fairly low. For sites supporting other cloud users as well as EGI Federated Cloud users, it is more serious.

Details
=======

By overwriting an image with a malicious qcow2 header, an authenticated user may mislead the Cinder upload-to-image action, resulting in disclosure of any file from the Cinder server.

All Cinder setups are affected.

This is only exploitable if a user is able to upload a malicious image. Where sites support only the EGI Federated Cloud, it is unlikely that this vulnerability can be exploited, as it would require a malicious image to be endorsed, which is not particularly likely.

For sites supporting other cloud users, it may put the EGI Federated Cloud users' files at risk of being exposed to another malicious user.

Risk category
=============

This issue has been assessed as 'High' by the EGI SVG Risk Assessment Team in the case where users are allowed to upload their own images, i.e. when sites support non-EGI Federated Cloud users as well as EGI Federated Cloud users.

Affected software
=================

OpenStack Cinder

Mitigation
==========

For the EGI Federated Cloud, users are not generally allowed to upload their own images. Only endorsed VM images in the AppDB are allowed.

Component installation information
==================================

See [R 1]

Recommendations
===============

Sites running Cinder should update as soon as possible if they have not done so already, urgently if they support users who are not constrained by the EGI Federated Cloud use cases.

Credit
======

EGI SVG was alerted to this vulnerability by Vincent Brillault from CERN. See [R 1] for the original reporter.

References
==========

[R 1] https://bugs.launchpad.net/cinder/+bug/1415087

Comments
========

Comments or questions should be sent to svg-rat at mailman.egi.eu

We are currently revising the vulnerability issue handling procedure, so suggestions and comments are welcome.

Timeline
========

Yyyy-mm-dd

2015-06-17 SVG alerted to this vulnerability by Vincent Brillault
2015-06-17 Acknowledgement from the EGI SVG
2015-06- Discussion with Fed Cloud expert and risk assessment
2015-06-22 Advisory drafted
2015-06-23 Advisory sent to sites

On behalf of the EGI SVG,
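The Details section describes a malicious qcow2 header misleading the upload-to-image action. The check below is an added example written for this page, not code from the EGI SVG or from the Cinder project: it decodes the fixed part of a qcow2 header (field layout as in the QEMU qcow2 specification) and refuses any image whose header references a backing file, the header field that the Launchpad bug in [R 1] concerns. A site can run such a check on user-supplied images before they reach the upload-to-image path, in addition to applying the update. The sample headers, the placeholder backing path and the function names are constructed for this example.

```python
import struct
from typing import Optional

# Fixed qcow2 header (big-endian), as laid out in the QEMU qcow2 specification:
# magic, version, backing_file_offset, backing_file_size, cluster_bits, size,
# crypt_method, l1_size, l1_table_offset, refcount_table_offset,
# refcount_table_clusters, nb_snapshots, snapshots_offset  (72 bytes in total)
QCOW2_MAGIC = b"QFI\xfb"
HEADER_FMT = ">4sIQIIQIIQQIIQ"
HEADER_LEN = struct.calcsize(HEADER_FMT)
MAX_BACKING_NAME = 1023  # the spec caps the backing file name at 1023 bytes


def parse_qcow2_header(data: bytes) -> dict:
    """Decode the fixed header fields; raise ValueError if the data is not qcow2."""
    if len(data) < HEADER_LEN:
        raise ValueError("too short to be a qcow2 header")
    fields = struct.unpack(HEADER_FMT, data[:HEADER_LEN])
    magic, version, bf_offset, bf_size, cluster_bits, size = fields[:6]
    if magic != QCOW2_MAGIC:
        raise ValueError("not a qcow2 image")
    if version not in (2, 3):
        raise ValueError(f"unsupported qcow2 version {version}")
    return {
        "version": version,
        "backing_file_offset": bf_offset,
        "backing_file_size": bf_size,
        "cluster_bits": cluster_bits,
        "size": size,
    }


def backing_file_reference(data: bytes) -> Optional[str]:
    """Return the backing-file name the header points at, or None if it has none."""
    hdr = parse_qcow2_header(data)
    offset, size = hdr["backing_file_offset"], hdr["backing_file_size"]
    if offset == 0 and size == 0:
        return None  # self-contained image: nothing outside the file is referenced
    if size > MAX_BACKING_NAME or offset + size > len(data):
        raise ValueError("malformed backing file reference")
    return data[offset:offset + size].decode("utf-8", errors="replace")


def is_safe_for_upload(data: bytes) -> bool:
    """Policy for this example: accept only well-formed qcow2 images with no backing file.

    Anything that fails to parse is rejected rather than passed through, so an
    unreadable or truncated header cannot slip past the check.
    """
    try:
        return backing_file_reference(data) is None
    except ValueError:
        return False


def build_sample_header(backing: bytes = b"") -> bytes:
    """Constructed sample input: a minimal qcow2 v2 header, optionally naming a backing file.

    Only the header is produced (no clusters or tables), which is enough for
    exercising the check above; the offsets are placeholders.
    """
    offset = HEADER_LEN if backing else 0
    header = struct.pack(
        HEADER_FMT, QCOW2_MAGIC, 2, offset, len(backing), 16, 1 << 20,
        0, 1, 0x10000, 0x20000, 1, 0, 0,
    )
    return header + backing


# Constructed samples: a clean image and one whose header names a placeholder path.
CLEAN_IMAGE = build_sample_header()
SUSPECT_IMAGE = build_sample_header(b"/placeholder/path/on/cinder/host")

if __name__ == "__main__":
    for label, image in (("clean", CLEAN_IMAGE), ("suspect", SUSPECT_IMAGE)):
        print(label, "backing:", backing_file_reference(image),
              "safe:", is_safe_for_upload(image))
```

The check deliberately reads only the header bytes of the candidate image, so it can run on the upload path before any conversion tool opens the file and resolves what the header points at.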