=====================================================
OSSA-2018-001: Raw underlying encrypted volume access
=====================================================
:Date: April 20, 2018
:CVE: CVE-2017-18191

Affects
~~~~~~~
- Nova: >=15.0.0 <=15.1.0, >=16.0.0 <=16.1.1

Description
~~~~~~~~~~~
Lee Yarwood (Red Hat) reported a vulnerability in Nova's handling of
encrypted volumes. By detaching and reattaching an encrypted volume, an
attacker may access the underlying raw volume and corrupt the LUKS
header, resulting in a denial of service attack on the compute host. All
Nova setups supporting encrypted volumes are affected.
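
For operators who want to confirm that a volume's LUKS header is still intact after the scenario described above, the following read-only sanity check is an added example and is not part of the advisory or of Nova. It assumes the LUKS1 on-disk layout (592-byte header with 8 key slots); the function names and the sample header are constructed for illustration.

```python
import struct

# LUKS1 on-disk layout (big-endian), per the LUKS1 on-disk format specification.
LUKS_MAGIC = b"LUKS\xba\xbe"
PHDR = struct.Struct(">6sH32s32s32sII20s32sI40s")  # 208-byte fixed part
SLOT = struct.Struct(">II32sII")                    # 48 bytes, 8 key slots
SLOT_ENABLED, SLOT_DISABLED = 0x00AC71F3, 0x0000DEAD
HEADER_LEN = PHDR.size + 8 * SLOT.size              # 592 bytes


def check_luks1_header(buf):
    """Return a list of problems in the first 592 bytes of a volume ([] = sane)."""
    if len(buf) < HEADER_LEN:
        return ["short read: %d of %d bytes" % (len(buf), HEADER_LEN)]
    (magic, version, cipher, mode, hash_spec, payload_off, key_bytes,
     _digest, _salt, mk_iter, _uuid) = PHDR.unpack_from(buf, 0)
    if magic != LUKS_MAGIC:
        return ["LUKS magic missing: header overwritten or volume is raw data"]
    problems = []
    if version != 1:
        problems.append("unexpected version %d" % version)
    for name, field in (("cipher-name", cipher), ("cipher-mode", mode),
                        ("hash-spec", hash_spec)):
        text = field.split(b"\0", 1)[0]
        if not text or any(b < 0x20 or b > 0x7E for b in text):
            problems.append("%s is not a printable string" % name)
    if 0 in (payload_off, key_bytes, mk_iter):
        problems.append("zero payload-offset, key-bytes or mk-digest-iter")
    states = [SLOT.unpack_from(buf, PHDR.size + i * SLOT.size)[0] for i in range(8)]
    for i, state in enumerate(states):
        if state not in (SLOT_ENABLED, SLOT_DISABLED):
            problems.append("key slot %d has invalid state 0x%08x" % (i, state))
    if SLOT_ENABLED not in states:
        problems.append("no enabled key slot: volume cannot be unlocked")
    return problems


def build_sample_header():
    """Constructed LUKS1 header for the demo; not taken from a real volume."""
    phdr = PHDR.pack(LUKS_MAGIC, 1, b"aes", b"xts-plain64", b"sha256", 4096, 64,
                     b"\x11" * 20, b"\x22" * 32, 1000, b"0" * 36)
    slots = SLOT.pack(SLOT_ENABLED, 2000, b"\x33" * 32, 8, 4000)
    slots += SLOT.pack(SLOT_DISABLED, 0, b"\0" * 32, 0, 4000) * 7
    return phdr + slots


if __name__ == "__main__":
    print(check_luks1_header(build_sample_header()) or "header looks sane")
```

To check a real volume, pass ``check_luks1_header`` the first 592 bytes read from the backing device opened read-only.
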

Patches
~~~~~~~
- https://review.openstack.org/561604 (Ocata)
- https://review.openstack.org/543569 (Pike)
- https://review.openstack.org/460243 (Queens)

Credits
~~~~~~~
- Lee Yarwood from Red Hat (CVE-2017-18191)

References
~~~~~~~~~~
- https://launchpad.net/bugs/1739593
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18191

Notes
~~~~~
- Pike and Ocata patches disable encrypted volume swapping; this feature is now
  only supported in Nova version >= 17.0.0.

--
Tristan Cacqueray
OpenStack Vulnerability Management Team