OpenStack Nova libvirt LVM instance local information leakage Vulnerability

Release date:
Updated on:

Affected Systems:
Openstack Nova
Description:
--------------------------------------------------------------------------------
Bugtraq id: 56904
CVE (CAN) ID: CVE-2012-5625

OpenStack Compute (Nova) is a cloud computing constructor written in Python and is part of the laaS system.

OpenStack Nova has a memory corruption vulnerability in the settings of libvirt and LVM instances. The physical volume content is not erased before being reassigned and transferred to the instance, local attackers can exploit this vulnerability to cause leakage of previously allocated logical volumes.

<* Source: Eric Windisch

Link: https://bugzilla.redhat.com/show_bug.cgi? Id = 884293
Http://lists.openstack.org/pipermail/openstack-announce/2012-December/000059.html
*>

Suggestion:
--------------------------------------------------------------------------------
Vendor patch:

Openstack
---------
Openstack has released a Security Bulletin (000059) and corresponding patches for this purpose:

000059: [OSSA 2012-020] Information leak in libvirt LVM-backed instances (CVE-2012-5625)

Link: http://lists.openstack.org/pipermail/openstack-announce/2012-December/000059.html

Patch download:
Grizzly (development branch) fix:
Http://github.com/openstack/nova/commit/9d2ea970422591f8cdc394001be9a2deca499a5f

Folsom fix (sorted ded in upcoming Nova 2012.2.2 stable update ):
Http://github.com/openstack/nova/commit/a99a802e008eed18e39fc1d98170edc495cbd354