CVE-2016-2140

Impact:
Important
Public Date:
2016-03-08
CWE:
CWE-200
Bugzilla:
1313454: CVE-2016-2140 openstack-nova: Host data leak through resize/migration
An information-exposure flaw was found in the OpenStack Compute (nova) resize and migrate functionality. An authenticated user could write a malicious qcow header to an ephemeral or root disk, referencing a block device as a backing file. With a subsequent resize or migration, file system content on the specified device would be leaked to the user. Only setups using libvirt with raw storage and "use_cow_images = False" were affected.

Find out more about CVE-2016-2140 from the MITRE CVE dictionary dictionary and NIST NVD.

CVSS v2 metrics

Base Score 7.5
Base Metrics AV:N/AC:M/Au:S/C:C/I:P/A:P
Access Vector Network
Access Complexity Medium
Authentication Single
Confidentiality Impact Complete
Integrity Impact Partial
Availability Impact Partial

Find out more about Red Hat support for the Common Vulnerability Scoring System (CVSS).

Red Hat Security Errata

Platform Errata Release Date
Red Hat Enterprise Linux OpenStack Platform 5.0 (Icehouse) for RHEL 6 (openstack-nova) RHSA-2016:0366 2016-03-08
Red Hat Enterprise Linux OpenStack Platform 7.0 (Kilo) for RHEL 7 (openstack-nova) RHSA-2016:0363 2016-03-08
Red Hat Enterprise Linux OpenStack Platform 5.0 (Icehouse) for RHEL 7 (openstack-nova) RHSA-2016:0365 2016-03-08
Red Hat Enterprise Linux OpenStack Platform 6.0 (Juno) for RHEL 7 (openstack-nova) RHSA-2016:0364 2016-03-08

Affected Packages State

Platform Package State
Red Hat OpenStack Platform 8.0 (Liberty) openstack-nova Not affected

Acknowledgements

This issue was discovered by Matthew Booth (Red Hat).

External References

Last Modified
Close

Welcome! Check out the Getting Started with Red Hat page for quick tours and guides for common tasks.