oss-sec mailing list archives
CVE request for a vulnerability in OpenStack Nova
From: Thierry Carrez <thierry () openstack org>
Date: Wed, 11 Dec 2013 15:43:30 +0100
A vulnerability was discovered in OpenStack (see below). In order to ensure full traceability, we need a CVE number assigned that we can attach to further notifications. This issue is already public, although an advisory was not sent yet.

"""
Title: Nova live snapshots use an insecure local directory
Reporter: Daniel Berrange (Red Hat)
Products: Nova
Affects: Grizzly and later

Description:
Daniel Berrange from Red Hat reported that the directories used to temporarily store live snapshots on Nova compute nodes were writeable to all local users. A local attacker with shell access on compute nodes could therefore read and modify the contents of live snapshots before those are uploaded to the image service.
"""

References:
https://bugs.launchpad.net/nova/+bug/1227027

Thanks in advance,

--
Thierry Carrez (ttx)
OpenStack Vulnerability Management Team
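An added illustration, not part of the original message and not Nova's code: the Python sketch below audits a working directory for the permission problem the advisory describes and contrasts it with a private per-snapshot directory created with `tempfile.mkdtemp`. The function names and the directory layout are constructed for this example.

```python
import os
import stat
import tempfile

def make_snapshot_dir(base):
    """Create a per-snapshot working directory; mkdtemp makes it mode 0700."""
    return tempfile.mkdtemp(prefix="snap-", dir=base)

def audit(root):
    """Return sorted (relative path, mode, reason) for entries other users can reach."""
    paths = [root]
    for dirpath, dirnames, filenames in os.walk(root):
        paths += [os.path.join(dirpath, n) for n in dirnames + filenames]
    findings = []
    for p in paths:
        st = os.lstat(p)  # lstat: do not follow symlinks
        mode = stat.S_IMODE(st.st_mode)
        rel = os.path.relpath(p, root)
        if stat.S_ISDIR(st.st_mode) and mode & stat.S_IWOTH:
            findings.append((rel, oct(mode), "world-writable directory"))
        elif stat.S_ISREG(st.st_mode) and mode & (stat.S_IROTH | stat.S_IWOTH):
            findings.append((rel, oct(mode), "file open to other users"))
    return sorted(findings)

def demo():
    """Build a constructed layout: one weak directory, one private one."""
    with tempfile.TemporaryDirectory() as base:
        weak = os.path.join(base, "weak")
        os.mkdir(weak)
        os.chmod(weak, 0o777)  # chmod is not subject to umask
        img = os.path.join(weak, "disk.img")
        with open(img, "wb") as f:
            f.write(b"constructed snapshot bytes")
        os.chmod(img, 0o644)
        safe = make_snapshot_dir(base)
        fd = os.open(os.path.join(safe, "disk.img"),
                     os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
        os.write(fd, b"constructed snapshot bytes")
        os.close(fd)
        return audit(weak), audit(safe)

if __name__ == "__main__":
    weak_findings, safe_findings = demo()
    print(weak_findings, safe_findings)
```

Pointing `audit()` at a real snapshot working directory on a compute node gives a quick regression check that the directory and its contents stay private to the service account.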