Headline
Ubuntu Security Notice USN-6882-1
Ubuntu Security Notice 6882-1 - Martin Kaesberger discovered that Cinder incorrectly handled QCOW2 image processing. An authenticated user could use this issue to access arbitrary files on the server, possibly exposing sensitive information.
==========================================================================
Ubuntu Security Notice USN-6882-1
July 08, 2024
cinder vulnerability
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 24.04 LTS
- Ubuntu 23.10
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS
Summary:
Cinder would allow unintended access to files over the network.
Software Description:
- cinder: OpenStack storage service
Details:
Martin Kaesberger discovered that Cinder incorrectly handled QCOW2 image
processing. An authenticated user could use this issue to access arbitrary
files on the server, possibly exposing sensitive information.
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 24.04 LTS
python3-cinder 2:24.0.0-0ubuntu1.2
Ubuntu 23.10
python3-cinder 2:23.0.0-0ubuntu1.4
Ubuntu 22.04 LTS
python3-cinder 2:20.3.1-0ubuntu1.4
Ubuntu 20.04 LTS
python3-cinder 2:16.4.2-0ubuntu2.8
In general, a standard system update will make all the necessary changes.
References:
https://ubuntu.com/security/notices/USN-6882-1
CVE-2024-32498
Package Information:
https://launchpad.net/ubuntu/+source/cinder/2:24.0.0-0ubuntu1.2
https://launchpad.net/ubuntu/+source/cinder/2:23.0.0-0ubuntu1.4
https://launchpad.net/ubuntu/+source/cinder/2:20.3.1-0ubuntu1.4
https://launchpad.net/ubuntu/+source/cinder/2:16.4.2-0ubuntu2.8
Related news
Ubuntu Security Notice 6882-2 - USN-6882-1 fixed vulnerabilities in Cinder. The update caused a regression in certain environments due to incorrect privilege handling. This update fixes the problem. Martin Kaesberger discovered that Cinder incorrectly handled QCOW2 image processing. An authenticated user could use this issue to access arbitrary files on the server, possibly exposing sensitive information.
Debian Linux Security Advisory 5756-1 - Martin Kaesberger discovered a vulnerability which affects multiple images may result in the disclosure of arbitrary files.
Debian Linux Security Advisory 5755-1 - Martin Kaesberger discovered a vulnerability which affects multiple images may result in the disclosure of arbitrary files.
Debian Linux Security Advisory 5754-1 - Martin Kaesberger discovered a vulnerability which affects multiple images may result in the disclosure of arbitrary files.
Red Hat Security Advisory 2024-4425-03 - An update for openstack-cinder, openstack-glance, and openstack-nova is now available for Red Hat OpenStack Platform 16.1.
Ubuntu Security Notice 6884-1 - Martin Kaesberger discovered that Nova incorrectly handled QCOW2 image processing. An authenticated user could use this issue to access arbitrary files on the server, possibly exposing sensitive information.
Ubuntu Security Notice 6883-1 - Martin Kaesberger discovered that Glance incorrectly handled QCOW2 image processing. An authenticated user could use this issue to access arbitrary files on the server, possibly exposing sensitive information.
An issue was discovered in OpenStack Cinder through 24.0.0, Glance before 28.0.2, and Nova before 29.0.3. Arbitrary file access can occur via custom QCOW2 external data. By supplying a crafted QCOW2 image that references a specific data file path, an authenticated user may convince systems to return a copy of that file's contents from the server, resulting in unauthorized access to potentially sensitive data. All Cinder and Nova deployments are affected; only Glance deployments with image conversion enabled are affected.
Red Hat Security Advisory 2024-4274-03 - An update for openstack-nova is now available for Red Hat OpenStack Platform 17.1.
Red Hat Security Advisory 2024-4273-03 - An update for openstack-cinder, openstack-glance, and openstack-nova is now available for Red Hat OpenStack Platform 16.2.
Red Hat Security Advisory 2024-4272-03 - An update for openstack-nova, openstack-glance, and openstack-cinder is now available for Red Hat OpenStack Platform 17.1.