CVE-2013-7130

The i_create_images_and_backing (aka create_images_and_backing) method in libvirt driver in OpenStack Compute (Nova) Grizzly, Havana, and Icehouse, when using KVM live block migration, does not properly create all expected files, which allows attackers to obtain snapshot root disk contents of other users via ephemeral storage.

CVSS v2.0 7.1 HIGH

7.1^/10

CVSS v2.0 : HIGH

Vector : AV:N/AC:M/Au:N/C:C/I:N/A:N

Exploitability : 8.6 / Impact : 6.9

Access Vector NETWORK

Access Complexity MEDIUM

Authentication NONE

Confidentiality Impact COMPLETE

Integrity Impact NONE

Availability Impact NONE

References

Link	Resource
http://lists.fedoraproject.org/pipermail/package-announce/2014-February/127732.html
http://lists.fedoraproject.org/pipermail/package-announce/2014-February/127735.html
http://osvdb.org/102416
http://rhn.redhat.com/errata/RHSA-2014-0231.html
http://secunia.com/advisories/56450	Vendor Advisory
http://www.openwall.com/lists/oss-security/2014/01/23/5
http://www.securityfocus.com/bid/65106
http://www.ubuntu.com/usn/USN-2247-1
https://bugs.launchpad.net/nova/+bug/1251590
https://exchange.xforce.ibmcloud.com/vulnerabilities/90652
https://review.openstack.org/#/c/68658/	Patch
https://review.openstack.org/#/c/68659/
https://review.openstack.org/#/c/68660/	Patch

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:openstack:compute:2012.2:::::::*
	cpe:2.3:a:openstack:compute:2013.1:::::::*
	cpe:2.3:a:openstack:compute:2013.1.1:::::::*
	cpe:2.3:a:openstack:compute:2013.1.2:::::::*
	cpe:2.3:a:openstack:compute:2013.1.3:::::::*
	cpe:2.3:a:openstack:grizzly:-:::::::*
	cpe:2.3:a:openstack:havana:-:::::::*
	cpe:2.3:a:openstack:icehouse:-:::::::*

History

No history.

Information

Published : 2014-02-06 17:00

Updated : 2023-12-10 11:31

NVD link : CVE-2013-7130

Mitre link : CVE-2013-7130

CVE.ORG link : CVE-2013-7130

JSON object : View

Products Affected

openstack

compute
grizzly
icehouse
havana

CWE

CWE-200

Exposure of Sensitive Information to an Unauthorized Actor

{"id": "CVE-2013-7130", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 7.1, "accessVector": "NETWORK", "vectorString": "AV:N/AC:M/Au:N/C:C/I:N/A:N", "authentication": "NONE", "integrityImpact": "NONE", "accessComplexity": "MEDIUM", "availabilityImpact": "NONE", "confidentialityImpact": "COMPLETE"}, "acInsufInfo": false, "impactScore": 6.9, "baseSeverity": "HIGH", "obtainAllPrivilege": false, "exploitabilityScore": 8.6, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "published": "2014-02-06T17:00:06.977", "references": [{"url": "http://lists.fedoraproject.org/pipermail/package-announce/2014-February/127732.html", "source": "cve@mitre.org"}, {"url": "http://lists.fedoraproject.org/pipermail/package-announce/2014-February/127735.html", "source": "cve@mitre.org"}, {"url": "http://osvdb.org/102416", "source": "cve@mitre.org"}, {"url": "http://rhn.redhat.com/errata/RHSA-2014-0231.html", "source": "cve@mitre.org"}, {"url": "http://secunia.com/advisories/56450", "tags": ["Vendor Advisory"], "source": "cve@mitre.org"}, {"url": "http://www.openwall.com/lists/oss-security/2014/01/23/5", "source": "cve@mitre.org"}, {"url": "http://www.securityfocus.com/bid/65106", "source": "cve@mitre.org"}, {"url": "http://www.ubuntu.com/usn/USN-2247-1", "source": "cve@mitre.org"}, {"url": "https://bugs.launchpad.net/nova/+bug/1251590", "source": "cve@mitre.org"}, {"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/90652", "source": "cve@mitre.org"}, {"url": "https://review.openstack.org/#/c/68658/", "tags": ["Patch"], "source": "cve@mitre.org"}, {"url": "https://review.openstack.org/#/c/68659/", "source": "cve@mitre.org"}, {"url": "https://review.openstack.org/#/c/68660/", "tags": ["Patch"], "source": "cve@mitre.org"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-200"}]}], "descriptions": [{"lang": "en", "value": "The i_create_images_and_backing (aka create_images_and_backing) method in libvirt driver in OpenStack Compute (Nova) Grizzly, Havana, and Icehouse, when using KVM live block migration, does not properly create all expected files, which allows attackers to obtain snapshot root disk contents of other users via ephemeral storage."}, {"lang": "es", "value": "El m\u00e9todo i_create_images_and_backing (tambi\u00e9n conocido como create_images_and_backing) en el driver libvirt en OpenStack Compute (Nova) Grizzly, Havana, and Icehouse, cuando hace uso de un bloque de migraci\u00f3n KVM en vivo, no crea debidamente todos los archivos esperados, lo que permite a atacantes obtener contenido de una instant\u00e1nea del disco ra\u00edz de otros usuarios a trav\u00e9s del almacenamiento ef\u00edmero."}], "lastModified": "2017-08-29T01:34:04.293", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:openstack:compute:2012.2:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "0E9D8029-F7DD-435D-B4F4-D3DABDB7333B"}, {"criteria": "cpe:2.3:a:openstack:compute:2013.1:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "6DE1DE9A-0D08-448B-AF80-7ACA236F2A83"}, {"criteria": "cpe:2.3:a:openstack:compute:2013.1.1:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "A1A5AAEB-0A8F-4ECF-B184-6A78B882817A"}, {"criteria": "cpe:2.3:a:openstack:compute:2013.1.2:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "E8596FDB-87DD-4D06-9923-75EFE7E3F9A0"}, {"criteria": "cpe:2.3:a:openstack:compute:2013.1.3:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "FA06A9A5-0924-4137-85AF-DB9C7C246DAC"}, {"criteria": "cpe:2.3:a:openstack:grizzly:-:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "A83ED744-9E3D-4510-B3E6-6DDE1090F0B7"}, {"criteria": "cpe:2.3:a:openstack:havana:-:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "77522028-683C-4708-AF46-50B49A0A2D15"}, {"criteria": "cpe:2.3:a:openstack:icehouse:-:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "FC112BBD-F3D2-4192-B11A-B99D54B08D99"}], "operator": "OR"}]}], "sourceIdentifier": "cve@mitre.org"}