

** WHITE information - Unlimited distribution allowed                       **  

** see for distribution restrictions **


Title:       EGI SVG Advisory 'High' Risk - OpenStack Cinder CVE-2015-1850  [EGI-SVG-


Date:        2015-06-23 



Cinder is file management software which is part of the OpenStack Cloud software.

A vulnerability has been announced in Cinder which may allow authorized users access 
to other users' files on the Cinder server.

This is only exploitable if a user is able to upload a malicious image. Since for the 
EGI Federated cloud only endorsed VMs are allowed, the likelihood of this being 
exploited at sites only supporting the EGI Federated cloud is fairly low. For sites 
supporting other cloud users as well as EGI Federated Cloud users, it is more serious.


By overwriting an image with a malicious qcow2 header, an authenticated user may 
mislead Cinder's upload-to-image action, resulting in disclosure of any file from the 
Cinder server. All Cinder setups are affected.

This is only exploitable if a user is able to upload a malicious image. In the case 
where sites only support the EGI Federated cloud, it is unlikely that this 
vulnerability can be exploited, as it would require a malicious image to get endorsed, 
which is not particularly likely. For sites supporting other cloud users, it may put 
the EGI Federated cloud users' files at risk of being exposed to another malicious user.

Risk category

This issue has been assessed as 'High' by the EGI SVG Risk Assessment Team in the case 
where users are allowed to upload their own images, i.e. when sites support non-EGI 
Federated cloud users as well as EGI Federated cloud users.

Affected software

OpenStack Cinder


For the EGI Federated Cloud, users are not generally allowed to upload their own 
images. Only endorsed VM images in the AppDB are allowed. 

Component installation information

See [R 1]


Sites running Cinder should update as soon as possible if they have not done so 
already, and urgently if they support users who are not constrained by the EGI Federated 
cloud use cases.


EGI SVG was alerted to this vulnerability by Vincent Brillault from CERN.

See [R 1] for original reporter.


[R 1]


Comments or questions should be sent to svg-rat  at

We are currently revising the vulnerability issue handling procedure, so suggestions 
and comments are welcome.


2015-06-17 SVG alerted to this Vulnerability by Vincent Brillault 
2015-06-17 Acknowledgement from the EGI SVG 
2015-06-   Discussion with Fed Cloud expert and risk assessment. 
2015-06-22 Advisory drafted
2015-06-23 Advisory sent to sites.

On behalf of the EGI SVG,