Bug 899198 - (CVE-2014-3641) VUL-0: CVE-2014-3641: openstack-cinder: Cinder-volume host data leak to vm instance
VUL-0: CVE-2014-3641: openstack-cinder: Cinder-volume host data leak to vm in...
Classification: Novell Products
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Other Other
: P3 - Medium : Normal
: ---
Assigned To: Bernhard Wiedemann
Security Team bot
maint:running:59124:low maint:releas...
Depends on:
  Show dependency treegraph
Reported: 2014-09-30 15:10 UTC by Marcus Meissner
Modified: 2015-03-05 08:02 UTC (History)
0 users

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

cve-2014-3641-master-juno.patch (13.21 KB, patch)
2014-09-30 15:10 UTC, Marcus Meissner
Details | Diff
cve-2014-3641-stable-icehouse.patch (9.85 KB, patch)
2014-09-30 15:11 UTC, Marcus Meissner
Details | Diff
cve-2014-3641-master-juno-windows-smbfs.patch (1.37 KB, patch)
2014-10-01 09:24 UTC, Marcus Meissner
Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Marcus Meissner 2014-09-30 15:10:19 UTC
via direct contact, embargoed until Oct 2nd 2014, 1500UTC

This is an advance warning of a vulnerability discovered in OpenStack,
to give you, as downstream stakeholders, a chance to coordinate the
release of fixes and reduce the vulnerability window. Please treat the
following information as confidential until the proposed public
disclosure date.

Title: Cinder-volume host data leak to vm instance
Reporter: Duncan Thomas (HP)
Products: Cinder
Versions: up to 2014.1.2

Duncan Thomas from Hewlett Packard reported a vulnerability in Cinder
GlusterFS and Linux Smbfs driver. By overwriting a volume from within an
instance with a malicious qcow2 header, an authenticated user may be
able to clone and attach that corrupted volume resulting in affected
drivers leaking an arbitrary file from the Cinder-volume host to the
virtual instance. Note that the host file must be readable by the Cinder
context to be exposed. Only Cinder setups using GlusterFS volume driver
configured with glusterfs_qcow2_volumes=False (which is the default) or
Cinder setups using Smbfs volume driver configured with
smbfs_default_volume_format=raw (which is not the default) are affected.

Proposed patch:
See attached patches. Unless a flaw is discovered in them, these patches
will be merged to stable/icehouse and master (Juno Development branch)
on the public disclosure date.

CVE: CVE-2014-3641

Proposed public disclosure date/time:
2014-10-02, 1500UTC
Please do not make the issue public (or release public patches) before
this coordinated embargo date.


Tristan Cacqueray
OpenStack Vulnerability Management Team
Comment 1 Marcus Meissner 2014-09-30 15:10:47 UTC
Created attachment 608540 [details]

Comment 2 Marcus Meissner 2014-09-30 15:11:14 UTC
Created attachment 608541 [details]

Comment 3 SMASH SMASH 2014-10-01 06:50:11 UTC
Affected packages:

SLE-11-SP3-CL4: openstack-cinder
SLE-11-SP3-UPTU: openstack-cinder
Comment 4 Marcus Meissner 2014-10-01 09:24:36 UTC
Created attachment 608636 [details]

received an incremental patch that makes smbfs work again
Comment 5 Swamp Workflow Management 2014-10-01 12:08:06 UTC
bugbot adjusting priority
Comment 8 Swamp Workflow Management 2014-11-20 18:06:01 UTC
SUSE-SU-2014:1467-1: An update that solves three vulnerabilities and has two fixes is now available.

Category: security (low)
Bug References: 883950,894055,897815,899190,899198
CVE References: CVE-2014-3641,CVE-2014-7230,CVE-2014-7231
Sources used:
SUSE Cloud 4 (src):    openstack-cinder-2014.1.4.dev19.g80c0054-0.7.1, openstack-cinder-doc-2014.1.4.dev19.g80c0054-0.7.1
Comment 10 Marcus Meissner 2015-03-05 08:02:41 UTC
clpoud 4 fixed, cloud 5 hoepfully too.