FKIE_CVE-2013-7130

Vulnerability from fkie_nvd - Published: 2014-02-06 17:00 - Updated: 2025-04-11 00:51
Severity ?
Summary
The i_create_images_and_backing (aka create_images_and_backing) method in libvirt driver in OpenStack Compute (Nova) Grizzly, Havana, and Icehouse, when using KVM live block migration, does not properly create all expected files, which allows attackers to obtain snapshot root disk contents of other users via ephemeral storage.
References
cve@mitre.orghttp://lists.fedoraproject.org/pipermail/package-announce/2014-February/127732.html
cve@mitre.orghttp://lists.fedoraproject.org/pipermail/package-announce/2014-February/127735.html
cve@mitre.orghttp://osvdb.org/102416
cve@mitre.orghttp://rhn.redhat.com/errata/RHSA-2014-0231.html
cve@mitre.orghttp://secunia.com/advisories/56450Vendor Advisory
cve@mitre.orghttp://www.openwall.com/lists/oss-security/2014/01/23/5
cve@mitre.orghttp://www.securityfocus.com/bid/65106
cve@mitre.orghttp://www.ubuntu.com/usn/USN-2247-1
cve@mitre.orghttps://bugs.launchpad.net/nova/+bug/1251590
cve@mitre.orghttps://exchange.xforce.ibmcloud.com/vulnerabilities/90652
cve@mitre.orghttps://review.openstack.org/#/c/68658/Patch
cve@mitre.orghttps://review.openstack.org/#/c/68659/
cve@mitre.orghttps://review.openstack.org/#/c/68660/Patch
af854a3a-2127-422b-91ae-364da2661108http://lists.fedoraproject.org/pipermail/package-announce/2014-February/127732.html
af854a3a-2127-422b-91ae-364da2661108http://lists.fedoraproject.org/pipermail/package-announce/2014-February/127735.html
af854a3a-2127-422b-91ae-364da2661108http://osvdb.org/102416
af854a3a-2127-422b-91ae-364da2661108http://rhn.redhat.com/errata/RHSA-2014-0231.html
af854a3a-2127-422b-91ae-364da2661108http://secunia.com/advisories/56450Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108http://www.openwall.com/lists/oss-security/2014/01/23/5
af854a3a-2127-422b-91ae-364da2661108http://www.securityfocus.com/bid/65106
af854a3a-2127-422b-91ae-364da2661108http://www.ubuntu.com/usn/USN-2247-1
af854a3a-2127-422b-91ae-364da2661108https://bugs.launchpad.net/nova/+bug/1251590
af854a3a-2127-422b-91ae-364da2661108https://exchange.xforce.ibmcloud.com/vulnerabilities/90652
af854a3a-2127-422b-91ae-364da2661108https://review.openstack.org/#/c/68658/Patch
af854a3a-2127-422b-91ae-364da2661108https://review.openstack.org/#/c/68659/
af854a3a-2127-422b-91ae-364da2661108https://review.openstack.org/#/c/68660/Patch
Impacted products
Vendor Product Version
openstack compute 2012.2
openstack compute 2013.1
openstack compute 2013.1.1
openstack compute 2013.1.2
openstack compute 2013.1.3
openstack grizzly -
openstack havana -
openstack icehouse -
To clipboard 

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:openstack:compute:2012.2:*:*:*:*:*:*:*",
              "matchCriteriaId": "0E9D8029-F7DD-435D-B4F4-D3DABDB7333B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:openstack:compute:2013.1:*:*:*:*:*:*:*",
              "matchCriteriaId": "6DE1DE9A-0D08-448B-AF80-7ACA236F2A83",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:openstack:compute:2013.1.1:*:*:*:*:*:*:*",
              "matchCriteriaId": "A1A5AAEB-0A8F-4ECF-B184-6A78B882817A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:openstack:compute:2013.1.2:*:*:*:*:*:*:*",
              "matchCriteriaId": "E8596FDB-87DD-4D06-9923-75EFE7E3F9A0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:openstack:compute:2013.1.3:*:*:*:*:*:*:*",
              "matchCriteriaId": "FA06A9A5-0924-4137-85AF-DB9C7C246DAC",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:openstack:grizzly:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "A83ED744-9E3D-4510-B3E6-6DDE1090F0B7",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:openstack:havana:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "77522028-683C-4708-AF46-50B49A0A2D15",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:openstack:icehouse:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "FC112BBD-F3D2-4192-B11A-B99D54B08D99",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "The i_create_images_and_backing (aka create_images_and_backing) method in libvirt driver in OpenStack Compute (Nova) Grizzly, Havana, and Icehouse, when using KVM live block migration, does not properly create all expected files, which allows attackers to obtain snapshot root disk contents of other users via ephemeral storage."
    },
    {
      "lang": "es",
      "value": "El m\u00e9todo i_create_images_and_backing (tambi\u00e9n conocido como create_images_and_backing) en el driver libvirt en OpenStack Compute (Nova) Grizzly, Havana, and Icehouse, cuando hace uso de un bloque de migraci\u00f3n KVM en vivo, no crea debidamente todos los archivos esperados, lo que permite a atacantes obtener contenido de una instant\u00e1nea del disco ra\u00edz de otros usuarios a trav\u00e9s del almacenamiento ef\u00edmero."
    }
  ],
  "id": "CVE-2013-7130",
  "lastModified": "2025-04-11T00:51:21.963",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "HIGH",
        "cvssData": {
          "accessComplexity": "MEDIUM",
          "accessVector": "NETWORK",
          "authentication": "NONE",
          "availabilityImpact": "NONE",
          "baseScore": 7.1,
          "confidentialityImpact": "COMPLETE",
          "integrityImpact": "NONE",
          "vectorString": "AV:N/AC:M/Au:N/C:C/I:N/A:N",
          "version": "2.0"
        },
        "exploitabilityScore": 8.6,
        "impactScore": 6.9,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": false
      }
    ]
  },
  "published": "2014-02-06T17:00:06.977",
  "references": [
    {
      "source": "cve@mitre.org",
      "url": "http://lists.fedoraproject.org/pipermail/package-announce/2014-February/127732.html"
    },
    {
      "source": "cve@mitre.org",
      "url": "http://lists.fedoraproject.org/pipermail/package-announce/2014-February/127735.html"
    },
    {
      "source": "cve@mitre.org",
      "url": "http://osvdb.org/102416"
    },
    {
      "source": "cve@mitre.org",
      "url": "http://rhn.redhat.com/errata/RHSA-2014-0231.html"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "http://secunia.com/advisories/56450"
    },
    {
      "source": "cve@mitre.org",
      "url": "http://www.openwall.com/lists/oss-security/2014/01/23/5"
    },
    {
      "source": "cve@mitre.org",
      "url": "http://www.securityfocus.com/bid/65106"
    },
    {
      "source": "cve@mitre.org",
      "url": "http://www.ubuntu.com/usn/USN-2247-1"
    },
    {
      "source": "cve@mitre.org",
      "url": "https://bugs.launchpad.net/nova/+bug/1251590"
    },
    {
      "source": "cve@mitre.org",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/90652"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Patch"
      ],
      "url": "https://review.openstack.org/#/c/68658/"
    },
    {
      "source": "cve@mitre.org",
      "url": "https://review.openstack.org/#/c/68659/"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Patch"
      ],
      "url": "https://review.openstack.org/#/c/68660/"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://lists.fedoraproject.org/pipermail/package-announce/2014-February/127732.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://lists.fedoraproject.org/pipermail/package-announce/2014-February/127735.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://osvdb.org/102416"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://rhn.redhat.com/errata/RHSA-2014-0231.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "http://secunia.com/advisories/56450"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://www.openwall.com/lists/oss-security/2014/01/23/5"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://www.securityfocus.com/bid/65106"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://www.ubuntu.com/usn/USN-2247-1"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://bugs.launchpad.net/nova/+bug/1251590"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/90652"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch"
      ],
      "url": "https://review.openstack.org/#/c/68658/"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://review.openstack.org/#/c/68659/"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch"
      ],
      "url": "https://review.openstack.org/#/c/68660/"
    }
  ],
  "sourceIdentifier": "cve@mitre.org",
  "vulnStatus": "Deferred",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-200"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.