Package: python3-cinder Version: 2:21.0.0-2 Severity: grave Tags: patch This is an advance warning of a vulnerability discovered in OpenStack, to give you, as downstream stakeholders, a chance to coordinate the release of fixes and reduce the vulnerability window. Please treat the following information as confidential until the proposed public disclosure date.
Title: Arbitrary file access through custom VMDK flat descriptor Reporter: Guillaume Espanel, Pierre Libeau, Arnaud Morin and Damien Rannou (OVH) Products: Cinder, Glance, Nova Affects: Cinder <19.1.2, >=20.0.0 <20.0.2, ==21.0.0; Glance <23.0.1, >=24.0.0 <24.1.1, ==25.0.0; Nova <24.1.2, >=25.0.0 <25.0.2, ==26.0.0 Description: Guillaume Espanel, Pierre Libeau, Arnaud Morin and Damien Rannou (OVH) reported a vulnerability in VMDK image processing for Cinder, Glance and Nova. By supplying a specially created VMDK flat image which references a specific backing file path, an authenticated user may convince systems to return a copy of that file's contents from the server resulting in unauthorized access to potentially sensitive data. All Cinder deployments are affected; only Glance deployments with image conversion enabled are affected; all Nova deployments are affected. Proposed patch: See attached patches. Unless a flaw is discovered in them, these patches will be merged to their corresponding branches on the public disclosure date. Note that stable/wallaby and older branches are under extended maintenance and will receive no new point releases, but patches for some of them are provided as a courtesy. CVE: CVE-2022-47951 Proposed public disclosure date/time: 2023-01-24, 1500UTC Please do not make the issue public (or release public patches) before this coordinated embargo date. Original private report: https://launchpad.net/bugs/1996188 For access to read and comment on this report, please reply to me with your Launchpad username and I will subscribe you. -- Jeremy Stanley OpenStack Vulnerability Management Team