In OpenStack Nova before 27.4.1, 28 before 28.2.1, and 29 before 29.1.1, by supplying a raw format image that is actually a crafted QCOW2 image with a backing file path or VMDK flat image with a descriptor file path, an authenticated user may convince systems to return a copy of the referenced files contents from the server, resulting in unauthorized access to potentially sensitive data. All Nova deployments are affected. NOTE: this issue exists because of an incomplete fix for CVE-2022-47951 and CVE-2024-32498.
Affected Software
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Nova | Openstack | * | 27.4.1 (excluding) |
| Nova | Openstack | 28.0.0 (including) | 28.2.1 (excluding) |
| Nova | Openstack | 29.0.0 (including) | 29.1.1 (excluding) |
| Red Hat OpenStack Platform 16.1 | RedHat | openstack-nova-1:20.4.1-1.20221005193235.el8ost | * |
| Red Hat OpenStack Platform 16.2 | RedHat | openstack-nova-1:20.6.2-2.20230814165229.el8ost | * |
| Red Hat OpenStack Platform 17.1 for RHEL 8 | RedHat | openstack-nova-1:23.2.3-17.1.20231018123755.el8ost | * |
| Red Hat OpenStack Platform 17.1 for RHEL 9 | RedHat | openstack-nova-1:23.2.3-17.1.20231018130829.el9ost | * |
| Nova | Ubuntu | devel | * |
| Nova | Ubuntu | esm-infra/focal | * |
| Nova | Ubuntu | focal | * |
| Nova | Ubuntu | jammy | * |
| Nova | Ubuntu | noble | * |
| Nova | Ubuntu | oracular | * |
| Nova | Ubuntu | plucky | * |
| Nova | Ubuntu | questing | * |
References
- https://launchpad.net/bugs/2071734
- https://security.openstack.org
- https://security.openstack.org/ossa/OSSA-2024-002.html
- https://www.openwall.com/lists/oss-security/2024/07/23/2
- https://launchpad.net/bugs/2071734
- https://lists.debian.org/debian-lts-announce/2024/09/msg00017.html
- https://security.openstack.org
- https://security.openstack.org/ossa/OSSA-2024-002.html
- https://www.openwall.com/lists/oss-security/2024/07/23/2