SVG:Advisory-SVG-2015-8964




** WHITE information - Unlimited distribution allowed                       **  

** see https://wiki.egi.eu/wiki/EGI_CSIRT:TLP for distribution restrictions **

EGI SVG   ADVISORY [EGI-SVG-2015-8964] 

Title:       EGI SVG Advisory 'High' Risk - OpenStack Cinder CVE-2015-1850 [EGI-SVG-2015-8964]

Date:        2015-06-23 
Updated:     


URL:         https://wiki.egi.eu/wiki/SVG:Advisory-SVG-2015-8964


Introduction
============

Cinder is the block storage (volume) service of the OpenStack cloud software.

A vulnerability has been announced in Cinder which may allow an authenticated user to 
read arbitrary files on the Cinder server, including files belonging to other users.

This is only exploitable if a user is able to upload a malicious image. Since only 
endorsed VM images are allowed in the EGI Federated Cloud, the likelihood of this being 
exploited at sites supporting only the EGI Federated Cloud is fairly low. For sites 
that also support other cloud users, it is more serious.


Details
=======

A qcow2 image header can name a backing file. By overwriting the start of an image with 
a crafted qcow2 header whose backing file field points at a path on the Cinder host, 
an authenticated user may mislead the Cinder upload-to-image action: the qemu-img 
conversion that Cinder runs follows the reference and copies the named file into the 
uploaded image, resulting in disclosure of any file readable by the Cinder service on 
the Cinder server. All Cinder setups are affected.
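The following is an added example, not code from the advisory or from Cinder, of the 
check a site can run over the bytes of a volume before handing them to qemu-img: it 
parses the fixed 72-byte qcow2 header and refuses anything that names a backing file. 
Cinder's own fix (see [R 1]) performs the equivalent check on the output of qemu-img 
info; the sample volume contents, the path /etc/cinder/cinder.conf and the function 
names are constructed for the example.

```python
"""Detect a qcow2 header whose backing-file field points outside the image.

Added example for CVE-2015-1850; not Cinder's own code. The qcow2 v2/v3
fixed header is parsed directly so the check runs offline on any byte string.
"""
import struct

QCOW2_MAGIC = b"QFI\xfb"
# Fixed-size qcow2 header (big-endian), in the order given by the qcow2 spec:
# magic, version, backing_file_offset, backing_file_size, cluster_bits, size,
# crypt_method, l1_size, l1_table_offset, refcount_table_offset,
# refcount_table_clusters, nb_snapshots, snapshots_offset
HEADER_FMT = ">4sIQIIQIIQQIIQ"
HEADER_LEN = struct.calcsize(HEADER_FMT)  # 72 bytes


def inspect_image(data: bytes) -> dict:
    """Return the detected format and any backing file named in a qcow2 header.

    qemu-img autodetects the format from the magic, so a volume that merely
    starts with the qcow2 magic is treated as qcow2 regardless of what the
    volume record claims; this function mirrors that behaviour.
    """
    if len(data) < HEADER_LEN or data[:4] != QCOW2_MAGIC:
        # No qcow2 magic: raw data, there is no header for qemu-img to follow.
        return {"format": "raw", "version": None, "backing_file": None}
    fields = struct.unpack(HEADER_FMT, data[:HEADER_LEN])
    backing_off, backing_size = fields[2], fields[3]
    backing = None
    if backing_off and backing_size:
        name = data[backing_off:backing_off + backing_size]
        if len(name) != backing_size:
            # Offset/size point past the data we were given: still a backing
            # file reference, only one we cannot read in full. Reject anyway.
            name += b"?"
        backing = name.decode("utf-8", errors="replace")
    return {"format": "qcow2", "version": fields[1], "backing_file": backing}


def safe_to_convert(data: bytes) -> bool:
    """True only if qemu-img convert would not open a second file on the host."""
    return inspect_image(data)["backing_file"] is None


def make_qcow2_header(backing: bytes = b"") -> bytes:
    """Build a minimal qcow2 v2 header: constructed test data, not a real image."""
    off = HEADER_LEN if backing else 0
    hdr = struct.pack(HEADER_FMT, QCOW2_MAGIC, 2, off, len(backing), 16,
                      1 << 30, 0, 1, 0x10000, 0x20000, 1, 0, 0)
    return hdr + backing


# Constructed samples: what an attacker would write to the start of a volume
# (hypothetical target path), a benign standalone qcow2 header, and raw data.
MALICIOUS_VOLUME = make_qcow2_header(b"/etc/cinder/cinder.conf")
BENIGN_VOLUME = make_qcow2_header()
RAW_VOLUME = b"\x00" * 4096

if __name__ == "__main__":
    samples = [("malicious", MALICIOUS_VOLUME), ("benign", BENIGN_VOLUME),
               ("raw", RAW_VOLUME)]
    for label, blob in samples:
        verdict = "convert ok" if safe_to_convert(blob) else "REJECT"
        print(label, inspect_image(blob), verdict)
```

The check must be applied to the volume bytes as they are at conversion time, not to 
an earlier snapshot or to the image format recorded in the database, since a user who 
owns the volume can rewrite its first sectors from inside their instance at any point 
before requesting upload-to-image.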

This is only exploitable if a user is able to upload a malicious image. At sites that 
support only the EGI Federated Cloud it is unlikely that this vulnerability can be 
exploited, as it would require a malicious image to be endorsed, which is not 
particularly likely. At sites supporting other cloud users, it may put the files of EGI 
Federated Cloud users at risk of being exposed to another, malicious user.



Risk category
=============

This issue has been assessed as 'High' by the EGI SVG Risk Assessment Team for sites 
that support non-EGI Federated Cloud users as well as EGI Federated Cloud users and 
allow users to upload their own images.


Affected software
=================

OpenStack Cinder


Mitigation
==========

For the EGI Federated Cloud, users are not generally allowed to upload their own 
images. Only endorsed VM images in the AppDB are allowed. 


Component installation information
==================================

See [R 1]


Recommendations
===============

Sites running Cinder should update as soon as possible if they have not already done 
so, and urgently if they support users who are not constrained by the EGI Federated 
Cloud use cases.


Credit
======

The EGI SVG was alerted to this vulnerability by Vincent Brillault from CERN.

See [R 1] for original reporter.

References
==========

[R 1] https://bugs.launchpad.net/cinder/+bug/1415087

Comments
========

Comments or questions should be sent to svg-rat  at  mailman.egi.eu

We are currently revising the vulnerability issue handling procedure so suggestions 
and comments are welcome. 



Timeline  
========
Yyyy-mm-dd

2015-06-17 SVG alerted to this Vulnerability by Vincent Brillault 
2015-06-17 Acknowledgement from the EGI SVG 
2015-06-   Discussion with Fed Cloud expert and risk assessment. 
2015-06-22 Advisory drafted
2015-06-23 Advisory sent to sites.




On behalf of the EGI SVG,