yahoo-eng-team team mailing list archive
Message #10651
[Bug 1251590] Re: [OSSA 2014-003] Live migration can leak root disk into ephemeral storage (CVE-2013-7130)
** Changed in: nova
Status: Fix Committed => Fix Released
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Compute (nova).
https://bugs.launchpad.net/bugs/1251590
Title:
[OSSA 2014-003] Live migration can leak root disk into ephemeral
storage (CVE-2013-7130)
Status in OpenStack Compute (Nova):
Fix Released
Status in OpenStack Compute (nova) grizzly series:
Fix Committed
Status in OpenStack Compute (nova) havana series:
Fix Released
Status in OpenStack Security Advisories:
Fix Released
Bug description:
During pre-live-migration, required disks are created along with their
backing files (if they don't already exist). However, the ephemeral
backing file is created from a glance-downloaded root disk.
# If the required ephemeral backing file is present then there's no
issue.
# If the required ephemeral backing file is not already present, then
the root disk is downloaded and saved as the ephemeral backing file.
This will result in the following situations:
## The disk.local transferred during live-migration will be rebased on the ephemeral backing file so regardless of the content, the end result will be identical to the source disk.local.
## However, if a new instance of the same flavor is spawned on this compute node, then it will have an ephemeral storage that exposes a root disk.
Security concerns:
If the migrated VM was spawned off a snapshot, now it's possible for
any instances of the correct flavor to see the snapshot contents of
another user via the ephemeral storage.
To manage notifications about this bug go to:
https://bugs.launchpad.net/nova/+bug/1251590/+subscriptions