Message-ID: <20240702150121.fxt4445gwlrxwk3r@yuggoth.org>
Date: Tue, 2 Jul 2024 15:01:21 +0000
From: Jeremy Stanley <fungi@...goth.org>
To: oss-security@...ts.openwall.com
Subject: [OSSA-2024-001] OpenStack Cinder, Glance, Nova: Arbitrary file
 access through custom QCOW2 external data (CVE-2024-32498)

=======================================================================
OSSA-2024-001: Arbitrary file access through custom QCOW2 external data
=======================================================================

:Date: July 02, 2024
:CVE: CVE-2024-32498


Affects
~~~~~~~
- Cinder: <22.1.3, >=23.0.0 <23.1.1, ==24.0.0
- Glance: <26.0.1, ==27.0.0, >=28.0.0 <28.0.2
- Nova: <27.3.1, >=28.0.0 <28.1.1, >=29.0.0 <29.0.3


Description
~~~~~~~~~~~
Martin Kaesberger reported a vulnerability in QCOW2 image processing
for Cinder, Glance and Nova. By supplying a specially created QCOW2
image which references a specific data file path, an authenticated
user may convince systems to return a copy of that file's contents
from the server resulting in unauthorized access to potentially
sensitive data. All Cinder deployments are affected; only Glance
deployments with image conversion enabled are affected; all Nova
deployments are affected.



Patches
~~~~~~~
- https://review.opendev.org/923247 (2023.1/antelope(cinder))
- https://review.opendev.org/923277 (2023.1/antelope(glance))
- https://review.opendev.org/923278 (2023.1/antelope(glance))
- https://review.opendev.org/923279 (2023.1/antelope(glance))
- https://review.opendev.org/923280 (2023.1/antelope(glance))
- https://review.opendev.org/923281 (2023.1/antelope(glance))
- https://review.opendev.org/923282 (2023.1/antelope(glance))
- https://review.opendev.org/923283 (2023.1/antelope(glance))
- https://review.opendev.org/923288 (2023.1/antelope(nova))
- https://review.opendev.org/923289 (2023.1/antelope(nova))
- https://review.opendev.org/923290 (2023.1/antelope(nova))
- https://review.opendev.org/923281 (2023.1/antelope(nova))
- https://review.opendev.org/923246 (2023.2/bobcat(cinder))
- https://review.opendev.org/923266 (2023.2/bobcat(glance))
- https://review.opendev.org/923267 (2023.2/bobcat(glance))
- https://review.opendev.org/923268 (2023.2/bobcat(glance))
- https://review.opendev.org/923269 (2023.2/bobcat(glance))
- https://review.opendev.org/923270 (2023.2/bobcat(glance))
- https://review.opendev.org/923271 (2023.2/bobcat(glance))
- https://review.opendev.org/923272 (2023.2/bobcat(glance))
- https://review.opendev.org/923284 (2023.2/bobcat(nova))
- https://review.opendev.org/923285 (2023.2/bobcat(nova))
- https://review.opendev.org/923286 (2023.2/bobcat(nova))
- https://review.opendev.org/923287 (2023.2/bobcat(nova))
- https://review.opendev.org/923245 (2024.1/caracal(cinder))
- https://review.opendev.org/923259 (2024.1/caracal(glance))
- https://review.opendev.org/923260 (2024.1/caracal(glance))
- https://review.opendev.org/923261 (2024.1/caracal(glance))
- https://review.opendev.org/923262 (2024.1/caracal(glance))
- https://review.opendev.org/923263 (2024.1/caracal(glance))
- https://review.opendev.org/923264 (2024.1/caracal(glance))
- https://review.opendev.org/923265 (2024.1/caracal(glance))
- https://review.opendev.org/923273 (2024.1/caracal(nova))
- https://review.opendev.org/923274 (2024.1/caracal(nova))
- https://review.opendev.org/923275 (2024.1/caracal(nova))
- https://review.opendev.org/923276 (2024.1/caracal(nova))
- https://review.opendev.org/923244 (2024.2/dalmatian(cinder))
- https://review.opendev.org/923248 (2024.2/dalmatian(glance))
- https://review.opendev.org/923249 (2024.2/dalmatian(glance))
- https://review.opendev.org/923250 (2024.2/dalmatian(glance))
- https://review.opendev.org/923251 (2024.2/dalmatian(glance))
- https://review.opendev.org/923252 (2024.2/dalmatian(glance))
- https://review.opendev.org/923253 (2024.2/dalmatian(glance))
- https://review.opendev.org/923254 (2024.2/dalmatian(glance))
- https://review.opendev.org/923255 (2024.2/dalmatian(nova))
- https://review.opendev.org/923256 (2024.2/dalmatian(nova))
- https://review.opendev.org/923257 (2024.2/dalmatian(nova))
- https://review.opendev.org/923258 (2024.2/dalmatian(nova))


Credits
~~~~~~~
- Martin Kaesberger (CVE-2024-32498)


References
~~~~~~~~~~
- https://launchpad.net/bugs/2059809
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-32498


Notes
~~~~~
- Due to the scope of the problem and complexity of the resulting
  fixes, regressions and additional bypasses were reported in the
  original bug by downstream stakeholders during the coordinated
  disclosure period. As a result, our initially chosen publication
  date was rescheduled, which put the advisory four days past our
  promised ninety day maximum embargo length. Additional revised
  patches and regression fixes were supplied to stakeholders as soon
  as possible, but we understand the unfortunate timing of these
  last-minute changes resulted in a lot of additional work for
  everyone involved.

-- 
Jeremy Stanley
OpenStack Vulnerability Management Team
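
The Description above concerns QCOW2 images that reference an external data file path. The following is an added example, not part of the advisory and not the OpenStack patches: a header-only pre-check that reports such references before an untrusted image reaches any conversion step. Field offsets and constants follow the published QCOW2 format specification; the function names and the sample file name are hypothetical.

```python
import struct

QCOW2_MAGIC = b"QFI\xfb"
INCOMPAT_EXTERNAL_DATA = 1 << 2  # incompatible-features bit 2 in the QCOW2 spec
EXT_DATA_FILE = 0x44415441       # header extension type: external data file name


def inspect_qcow2_header(buf):
    """Return reasons to refuse an untrusted image, from its header bytes alone."""
    if len(buf) < 72 or buf[:4] != QCOW2_MAGIC:
        raise ValueError("not a QCOW2 header")
    version, backing_off, backing_len = struct.unpack_from(">IQI", buf, 4)
    findings, header_len = [], 72          # v2 headers are a fixed 72 bytes
    if backing_off or backing_len:
        findings.append("backing file reference")
    if version >= 3:
        if len(buf) < 104:
            raise ValueError("truncated v3 header")
        (incompat,) = struct.unpack_from(">Q", buf, 72)
        (header_len,) = struct.unpack_from(">I", buf, 100)
        if header_len < 104:
            raise ValueError("invalid header_length")
        if incompat & INCOMPAT_EXTERNAL_DATA:
            findings.append("external data file feature bit")
    pos = header_len
    while pos + 8 <= len(buf):             # walk the header extension list
        ext_type, ext_len = struct.unpack_from(">II", buf, pos)
        if ext_type == 0:                  # end-of-extensions marker
            break
        if ext_type == EXT_DATA_FILE:
            name = buf[pos + 8:pos + 8 + ext_len].decode("utf-8", "replace")
            findings.append("data file name: " + name)
        pos += 8 + ((ext_len + 7) & ~7)    # extension data is padded to 8 bytes
    return findings


def sample_header(data_file=None):
    """Constructed v3 header for the demo; not a usable image."""
    hdr = bytearray(104)
    hdr[:4] = QCOW2_MAGIC
    struct.pack_into(">I", hdr, 4, 3)      # version
    struct.pack_into(">I", hdr, 100, 104)  # header_length
    ext = b""
    if data_file is not None:
        struct.pack_into(">Q", hdr, 72, INCOMPAT_EXTERNAL_DATA)
        pad = -len(data_file) % 8
        ext = struct.pack(">II", EXT_DATA_FILE, len(data_file)) + data_file + b"\0" * pad
    return bytes(hdr) + ext + struct.pack(">II", 0, 0)
```

An empty result from `inspect_qcow2_header` means only that the header carries none of these references; it does not replace applying the patches listed above.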
