Fix for CVE-2023-2088 on OSP13
Issue
An unauthorized access to a volume could occur when an iSCSI using shared targets or FC connection from a host is severed due to a volume being unmapped on the storage system and the device is later reused for another volume on the same host.
This data leak can be triggered by two different situations as reported in CVE-2023-2088
Accidental case
If there is a problem with network connectivity during a normal detach operation, OpenStack may fail to clean the connection up properly. Instead of force-detaching the compute node device, Nova ignores the error, since the instance has already been deleted. Due to this incomplete operation OpenStack may end up selecting the wrong multipath device when connecting another volume to an instance.
Intentional case
A regular user can create an instance with a volume, and then delete the volume attachment directly in Cinder, which neglects to notify Nova. The compute node SCSI plumbing (over iSCSI/FC) will continue trying to connect to the original host/port/LUN, not knowing the attachment has been deleted. If a subsequent volume attachment re-uses the host/port/LUN for a different instance and volume, the original instance will gain access to it once the SCSI plumbing reconnects.
Environment
OpenStack deployments using iSCSI or FC transport protocols for the volumes are affected by this issue, other protocols such as RBD/Ceph, NFS, and NVMe-oF are not affected.
Not all storage systems using iSCSI and FC will be affected, as it depends on the Cinder driver and Storage array specific behavior. For example, it doesn't affect iSCSI Cinder drivers that use a per-volume target instead of a per-host target (what we call shared-target), and there are also storage arrays that send a Power-on or device reset Unit Attention event that triggers actions on the Linux kernel side that prevent the issue from happening (this signal has been seen in a HPE 3PAR FC system).
Subscriber exclusive content
A Red Hat subscription provides unlimited access to our knowledgebase, tools, and much more.