** Changed in: nova/havana
       Status: Fix Committed => Fix Released

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Compute (nova).
https://bugs.launchpad.net/bugs/1251590

Title:
  [OSSA 2014-003] Live migration can leak root disk into ephemeral
  storage (CVE-2013-7130)

Status in OpenStack Compute (Nova):
  Fix Committed
Status in OpenStack Compute (nova) grizzly series:
  Fix Committed
Status in OpenStack Compute (nova) havana series:
  Fix Released
Status in OpenStack Security Advisories:
  Fix Released

Bug description:
  During pre-live-migration, required disks are created along with their
  backing files (if they don't already exist). However, the ephemeral
  backing file is created from a glance-downloaded root disk.

  # If the required ephemeral backing file is present then there's no
  issue.

  # If the required ephemeral backing file is not already present, then
  the root disk is downloaded and saved as the ephemeral backing file.
  This will result in the following situations:

  ## The disk.local transferred during live-migration will be rebased on the
  ephemeral backing file so regardless of the content, the end result will be
  identical to the source disk.local.
  ## However, if a new instance of the same flavor is spawned on this compute
  node, then it will have an ephemeral storage that exposes a root disk.

  Security concerns:

  If the migrated VM was spawned off a snapshot, now it's possible for
  any instances of the correct flavor to see the snapshot contents of
  another user via the ephemeral storage.
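
A minimal Python model of the behaviour described above, added here as an illustration; it is not part of the bug report and is not nova's code or its fix. The class, function and backing-file names are constructed, and the `fixed` branch is an assumed correction (create an empty ephemeral disk instead of reusing the downloaded root disk).

```python
import hashlib

BLANK = b"\x00" * 16  # stands in for an empty, freshly created ephemeral disk

class ComputeNode:
    """Toy model of one compute host's backing-file cache (not nova code)."""

    def __init__(self, glance):
        self.glance = glance  # image id -> bytes; stands in for the image service
        self.base = {}        # backing-file name -> contents, shared by all instances

    def pre_live_migration(self, disks, image_id, fixed=False):
        for disk in disks:
            name = disk["backing_file"]
            if name in self.base:
                continue  # backing file already present: nothing to create
            if fixed and disk["kind"] == "ephemeral":
                self.base[name] = BLANK  # assumed correction: create an empty disk
            else:
                # Reported behaviour: any missing backing file, ephemeral
                # included, is filled with the downloaded root disk.
                self.base[name] = self.glance[image_id]

    def spawn_ephemeral(self, backing_file):
        """Bytes a new instance of the same flavor reads from its ephemeral disk."""
        return self.base.setdefault(backing_file, BLANK)

    def audit(self):
        """Ephemeral backing files whose contents match a known image."""
        known = {hashlib.sha256(v).hexdigest() for v in self.glance.values()}
        return sorted(n for n, v in self.base.items()
                      if n.startswith("ephemeral")
                      and hashlib.sha256(v).hexdigest() in known)

def migrate_then_spawn(fixed):
    """Return (bytes seen by the new tenant, audit findings) on the destination."""
    glance = {"snap-A": b"tenant A snapshot data"}             # constructed
    disks = [{"kind": "root", "backing_file": "root_snap-A"},  # constructed names
             {"kind": "ephemeral", "backing_file": "ephemeral_flavor_X"}]
    dest = ComputeNode(glance)
    dest.pre_live_migration(disks, "snap-A", fixed=fixed)
    return dest.spawn_ephemeral("ephemeral_flavor_X"), dest.audit()

if __name__ == "__main__":
    for fixed in (False, True):
        seen, findings = migrate_then_spawn(fixed)
        print("fixed" if fixed else "reported", seen, findings)
```

The `audit` method shows the corresponding check on a destination host: an ephemeral backing file whose hash matches a known image is the condition the report describes.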
