OSSA-2023-002: Arbitrary file access through custom VMDK flat descriptor

Date:

January 24, 2023

CVE:

CVE-2022-47951

Affects

  • Cinder, Glance, Nova: Cinder <19.1.2, >=20.0.0 <20.0.2, ==21.0.0; Glance <23.0.1, >=24.0.0 <24.1.1, ==25.0.0; Nova <24.1.2, >=25.0.0 <25.0.2, ==26.0.0

Description

Guillaume Espanel, Pierre Libeau, Arnaud Morin and Damien Rannou (OVH) reported a vulnerability in VMDK image processing for Cinder, Glance and Nova. By supplying a specially created VMDK flat image which references a specific backing file path, an authenticated user may convince systems to return a copy of that file’s contents from the server, resulting in unauthorized access to potentially sensitive data. All Cinder deployments are affected. Glance deployments are affected only if image conversion is enabled. All Nova deployments are affected.
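
An added example, not code from this advisory or from the OpenStack patches: a pre-conversion check over VMDK descriptor text that refuses flat-style subformats, the class of image described above. The allowlist, the function names and both sample descriptors are assumptions constructed for illustration.

```python
import re

# Assumption for this example: only subformats that keep their data inside the
# uploaded file itself are accepted.
ALLOWED_CREATE_TYPES = frozenset({"streamOptimized", "monolithicSparse"})

_CREATE_TYPE = re.compile(r'^\s*createType\s*=\s*"([^"]*)"\s*$')
# Extent line layout: <access> <sectors> <type> "<file name>" [<offset>]
_EXTENT = re.compile(
    r'^\s*(RW|RDONLY|NOACCESS)\s+(\d+)\s+(\w+)\s+"([^"]*)"(?:\s+\d+)?\s*$')


def inspect_descriptor(text):
    """Return (create_types, extents) parsed from VMDK descriptor text."""
    create_types, extents = [], []
    for line in text.splitlines():
        if m := _CREATE_TYPE.match(line):
            create_types.append(m.group(1))
        elif m := _EXTENT.match(line):
            extents.append({"type": m.group(3).upper(), "file": m.group(4)})
    return create_types, extents


def rejection_reasons(text, allowed=ALLOWED_CREATE_TYPES):
    """Reasons to refuse an uploaded descriptor; an empty list means accept."""
    create_types, extents = inspect_descriptor(text)
    reasons = []
    # Fail closed: a missing, repeated or unlisted createType is refused.
    if len(create_types) != 1 or create_types[0] not in allowed:
        reasons.append(f"createType {create_types!r} is not allowed")
    for ext in extents:
        if ext["type"] != "SPARSE":
            # The quoted name is uploader-controlled and is opened on the server.
            reasons.append(f"{ext['type']} extent points at file {ext['file']!r}")
    return reasons


# Constructed samples, not taken from the advisory.
FLAT_SAMPLE = '''# Disk DescriptorFile
version=1
createType="monolithicFlat"
RW 2048 FLAT "constructed-flat.vmdk" 0
'''
SPARSE_SAMPLE = '''# Disk DescriptorFile
version=1
createType="monolithicSparse"
RW 2048 SPARSE "constructed.vmdk"
'''
```

The check works on descriptor text only; sparse subformats embed the descriptor inside a binary image, so a deployment would extract it first or apply the same allowlist to the subformat reported by its image inspection tool.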

Patches

Credits

  • Guillaume Espanel from OVH (CVE-2022-47951)

  • Pierre Libeau from OVH (CVE-2022-47951)

  • Arnaud Morin from OVH (CVE-2022-47951)

  • Damien Rannou from OVH (CVE-2022-47951)

References

Notes

  • The stable/wallaby, stable/victoria, stable/ussuri, and stable/train branches are under extended maintenance and will receive no new point releases, but patches for them are provided as a courtesy where possible.