======================================================================

                               CERT-Renater

                    Information Note No. 2024/VULN312
_____________________________________________________________________

DATE                : 03/07/2024

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running:
                     Cinder versions <22.1.3, >=23.0.0 <23.1.1, ==24.0.0;
                     Glance versions <26.0.1, ==27.0.0, >=28.0.0 <28.0.2;
                     Nova versions <27.3.1, >=28.0.0 <28.1.1, >=29.0.0 <29.0.3.

=====================================================================
https://security.openstack.org/ossa/OSSA-2024-001.html
_____________________________________________________________________


OSSA-2024-001: Arbitrary file access through custom QCOW2 external
data

Date:

     July 02, 2024

CVE:

     CVE-2024-32498

Affects

     Cinder: <22.1.3, >=23.0.0 <23.1.1, ==24.0.0

     Glance: <26.0.1, ==27.0.0, >=28.0.0 <28.0.2

     Nova: <27.3.1, >=28.0.0 <28.1.1, >=29.0.0 <29.0.3

Description

Martin Kaesberger reported a vulnerability in QCOW2 image processing
for Cinder, Glance and Nova. By supplying a specially created QCOW2
image which references a specific data file path, an authenticated
user may convince systems to return a copy of that file’s contents
from the server resulting in unauthorized access to potentially
sensitive data. All Cinder deployments are affected; only Glance
deployments with image conversion enabled are affected; all Nova
deployments are affected.
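
A defensive pre-check for the condition described above, as an added
example that is not part of the advisory or of the OpenStack patches:
it reads a QCOW2 header and reports whether the image declares an
external data file. Header offsets follow the QCOW2 format
specification; the function names and sample bytes are constructed
for illustration.

```python
import struct

QCOW2_MAGIC = b"QFI\xfb"
INCOMPAT_EXTERNAL_DATA = 1 << 2                   # incompatible-features bit 2
EXT_END, EXT_DATA_FILE = 0x00000000, 0x44415441   # header extension types


def inspect_qcow2(blob):
    """Return reasons to reject an uploaded image (empty list = none found)."""
    if blob[:4] != QCOW2_MAGIC:
        return ["not a QCOW2 image"]
    if len(blob) < 72:
        return ["truncated header"]
    (version,) = struct.unpack_from(">I", blob, 4)
    reasons = []
    if version < 3:
        return reasons              # version 2 headers carry no feature bits
    if len(blob) < 104:
        return ["truncated v3 header"]
    (incompat,) = struct.unpack_from(">Q", blob, 72)
    (pos,) = struct.unpack_from(">I", blob, 100)   # header_length
    if pos < 104:
        return ["invalid header length"]
    if incompat & INCOMPAT_EXTERNAL_DATA:
        reasons.append("external data file feature bit set")
    while pos + 8 <= len(blob):     # walk header extensions (type, length, data)
        ext_type, ext_len = struct.unpack_from(">II", blob, pos)
        if ext_type == EXT_END:
            break
        if ext_type == EXT_DATA_FILE:
            reasons.append("external data file name extension")
        pos += 8 + ((ext_len + 7) & ~7)            # data is padded to 8 bytes
    return reasons


def sample_header(incompat=0, extensions=b""):
    """Constructed v3 header for the demo; not a usable disk image."""
    hdr = bytearray(104)
    hdr[0:4] = QCOW2_MAGIC
    struct.pack_into(">I", hdr, 4, 3)              # version
    struct.pack_into(">Q", hdr, 72, incompat)      # incompatible features
    struct.pack_into(">I", hdr, 100, 104)          # header_length
    return bytes(hdr) + extensions + bytes(8)      # end-of-extensions marker


DATA_EXT = struct.pack(">II", EXT_DATA_FILE, 8) + b"data.raw"  # placeholder name
if __name__ == "__main__":
    print(inspect_qcow2(sample_header()))
    print(inspect_qcow2(sample_header(INCOMPAT_EXTERNAL_DATA, DATA_EXT)))
```

Pass at least the first cluster of the uploaded file, and run the
check before the image reaches any conversion step.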


Patches

     https://review.opendev.org/923247 (2023.1/antelope(cinder))

     https://review.opendev.org/923277 (2023.1/antelope(glance))

     https://review.opendev.org/923278 (2023.1/antelope(glance))

     https://review.opendev.org/923279 (2023.1/antelope(glance))

     https://review.opendev.org/923280 (2023.1/antelope(glance))

     https://review.opendev.org/923281 (2023.1/antelope(glance))

     https://review.opendev.org/923282 (2023.1/antelope(glance))

     https://review.opendev.org/923283 (2023.1/antelope(glance))

     https://review.opendev.org/923288 (2023.1/antelope(nova))

     https://review.opendev.org/923289 (2023.1/antelope(nova))

     https://review.opendev.org/923290 (2023.1/antelope(nova))

     https://review.opendev.org/923281 (2023.1/antelope(nova))

     https://review.opendev.org/923246 (2023.2/bobcat(cinder))

     https://review.opendev.org/923266 (2023.2/bobcat(glance))

     https://review.opendev.org/923267 (2023.2/bobcat(glance))

     https://review.opendev.org/923268 (2023.2/bobcat(glance))

     https://review.opendev.org/923269 (2023.2/bobcat(glance))

     https://review.opendev.org/923270 (2023.2/bobcat(glance))

     https://review.opendev.org/923271 (2023.2/bobcat(glance))

     https://review.opendev.org/923272 (2023.2/bobcat(glance))

     https://review.opendev.org/923284 (2023.2/bobcat(nova))

     https://review.opendev.org/923285 (2023.2/bobcat(nova))

     https://review.opendev.org/923286 (2023.2/bobcat(nova))

     https://review.opendev.org/923287 (2023.2/bobcat(nova))

     https://review.opendev.org/923245 (2024.1/caracal(cinder))

     https://review.opendev.org/923259 (2024.1/caracal(glance))

     https://review.opendev.org/923260 (2024.1/caracal(glance))

     https://review.opendev.org/923261 (2024.1/caracal(glance))

     https://review.opendev.org/923262 (2024.1/caracal(glance))

     https://review.opendev.org/923263 (2024.1/caracal(glance))

     https://review.opendev.org/923264 (2024.1/caracal(glance))

     https://review.opendev.org/923265 (2024.1/caracal(glance))

     https://review.opendev.org/923273 (2024.1/caracal(nova))

     https://review.opendev.org/923274 (2024.1/caracal(nova))

     https://review.opendev.org/923275 (2024.1/caracal(nova))

     https://review.opendev.org/923276 (2024.1/caracal(nova))

     https://review.opendev.org/923244 (2024.2/dalmatian(cinder))

     https://review.opendev.org/923248 (2024.2/dalmatian(glance))

     https://review.opendev.org/923249 (2024.2/dalmatian(glance))

     https://review.opendev.org/923250 (2024.2/dalmatian(glance))

     https://review.opendev.org/923251 (2024.2/dalmatian(glance))

     https://review.opendev.org/923252 (2024.2/dalmatian(glance))

     https://review.opendev.org/923253 (2024.2/dalmatian(glance))

     https://review.opendev.org/923254 (2024.2/dalmatian(glance))

     https://review.opendev.org/923255 (2024.2/dalmatian(nova))

     https://review.opendev.org/923256 (2024.2/dalmatian(nova))

     https://review.opendev.org/923257 (2024.2/dalmatian(nova))

     https://review.opendev.org/923258 (2024.2/dalmatian(nova))


Credits

     Martin Kaesberger (CVE-2024-32498)


References

     https://launchpad.net/bugs/2059809

     http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-32498


Notes

Due to the scope of the problem and complexity of the resulting
fixes, regressions and additional bypasses were reported in the
original bug by downstream stakeholders during the coordinated
disclosure period. As a result, our initially chosen publication
date was rescheduled, which put the advisory four days past our
promised ninety-day maximum embargo length. Additional revised
patches and regression fixes were supplied to stakeholders as soon
as possible, but we understand the unfortunate timing of these
last-minute changes resulted in a lot of additional work for
everyone involved.


=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================
