CVE-2012-5625 : Information leak in libvirt LVM-backed instances

This is something of a repeat. As openstack has gotten caught before not cleaning out reusable memory locations.

As has Amazon. But, it’s always annoying to see a vulnerability that has previously bit us in the ass come back to do so again.

OpenStack Security Advisory: 2012-020

CVE: CVE-2012-5625
Date: December 11, 2012
Title: Information leak in libvirt LVM-backed instances
Reporter: Eric Windisch (Cloudscaling)
Products: Nova
Affects: Folsom, Grizzly

Description:

Eric Windisch from Cloudscaling reported a vulnerability in libvirt
LVM-backed instances. The physical volume content was not wiped out
before being reallocated and passed to an instance, which may result in
the disclosure of information from previously-allocated logical volumes.
Only setups using libvirt and LVM-backed instances
(libvirt_images_type=lvm) are affected.

Grizzly (development branch) fix:

Folsom fix (included in upcoming Nova 2012.2.2 stable update):

References:

Leave a Reply

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>