OSSA-2024-001：通过自定义 QCOW2 外部数据进行任意文件访问

日期:

2024 年 7 月 02 日

CVE:

CVE-2024-32498

影响

• Cinder：<22.1.3，>=23.0.0 <23.1.1，==24.0.0

• Glance：<26.0.1，==27.0.0，>=28.0.0 <28.0.2

• Nova：<27.3.1，>=28.0.0 <28.1.1，>=29.0.0 <29.0.3

描述

Martin Kaesberger 报告了 Cinder、Glance 和 Nova 中 QCOW2 镜像处理中的一个漏洞。通过提供引用特定数据文件路径的特制 QCOW2 镜像，经过身份验证的用户可能会说服系统返回该文件内容的副本，从而导致对潜在敏感数据的未经授权访问。所有 Cinder 部署都受到影响；只有启用了镜像转换的 Glance 部署受到影响；所有 Nova 部署都受到影响。

补丁

• https://review.opendev.org/923247 (2023.1/antelope(cinder))

• https://review.opendev.org/923277 (2023.1/antelope(glance))

• https://review.opendev.org/923278 (2023.1/antelope(glance))

• https://review.opendev.org/923279 (2023.1/antelope(glance))

• https://review.opendev.org/923280 (2023.1/antelope(glance))

• https://review.opendev.org/923281 (2023.1/antelope(glance))

• https://review.opendev.org/923282 (2023.1/antelope(glance))

• https://review.opendev.org/923283 (2023.1/antelope(glance))

• https://review.opendev.org/923288 (2023.1/antelope(nova))

• https://review.opendev.org/923289 (2023.1/antelope(nova))

• https://review.opendev.org/923290 (2023.1/antelope(nova))

• https://review.opendev.org/923281 (2023.1/antelope(nova))

• https://review.opendev.org/923246 (2023.2/bobcat(cinder))

• https://review.opendev.org/923266 (2023.2/bobcat(glance))

• https://review.opendev.org/923267 (2023.2/bobcat(glance))

• https://review.opendev.org/923268 (2023.2/bobcat(glance))

• https://review.opendev.org/923269 (2023.2/bobcat(glance))

• https://review.opendev.org/923270 (2023.2/bobcat(glance))

• https://review.opendev.org/923271 (2023.2/bobcat(glance))

• https://review.opendev.org/923272 (2023.2/bobcat(glance))

• https://review.opendev.org/923284 (2023.2/bobcat(nova))

• https://review.opendev.org/923285 (2023.2/bobcat(nova))

• https://review.opendev.org/923286 (2023.2/bobcat(nova))

• https://review.opendev.org/923287 (2023.2/bobcat(nova))

• https://review.opendev.org/923245 (2024.1/caracal(cinder))

• https://review.opendev.org/923259 (2024.1/caracal(glance))

• https://review.opendev.org/923260 (2024.1/caracal(glance))

• https://review.opendev.org/923261 (2024.1/caracal(glance))

• https://review.opendev.org/923262 (2024.1/caracal(glance))

• https://review.opendev.org/923263 (2024.1/caracal(glance))

• https://review.opendev.org/923264 (2024.1/caracal(glance))

• https://review.opendev.org/923265 (2024.1/caracal(glance))

• https://review.opendev.org/923273 (2024.1/caracal(nova))

• https://review.opendev.org/923274 (2024.1/caracal(nova))

• https://review.opendev.org/923275 (2024.1/caracal(nova))

• https://review.opendev.org/923276 (2024.1/caracal(nova))

• https://review.opendev.org/923244 (2024.2/dalmatian(cinder))

• https://review.opendev.org/923248 (2024.2/dalmatian(glance))

• https://review.opendev.org/923249 (2024.2/dalmatian(glance))

• https://review.opendev.org/923250 (2024.2/dalmatian(glance))

• https://review.opendev.org/923251 (2024.2/dalmatian(glance))

• https://review.opendev.org/923252 (2024.2/dalmatian(glance))

• https://review.opendev.org/923253 (2024.2/dalmatian(glance))

• https://review.opendev.org/923254 (2024.2/dalmatian(glance))

• https://review.opendev.org/923255 (2024.2/dalmatian(nova))

• https://review.opendev.org/923256 (2024.2/dalmatian(nova))

• https://review.opendev.org/923257 (2024.2/dalmatian(nova))

• https://review.opendev.org/923258 (2024.2/dalmatian(nova))

鸣谢

• Martin Kaesberger 来自 none (CVE-2024-32498)

参考

• https://launchpad.net/bugs/2059809

• http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-32498

说明

• 由于问题的范围和由此产生的修复的复杂性，在协调披露期间，下游利益相关者报告了原始错误中的回归和额外的绕过。因此，我们最初选择的发布日期被重新安排，这使得该公告超过了我们承诺的九十天最长禁运期限。尽可能快地向利益相关者提供了额外的修订补丁和回归修复，但我们理解这些最后一刻的更改给每个人带来了很多额外的工作。