Add OSSA-2020-006 (CVE-2020-17376)
Change-Id: I4bb95e74551dc02664074a006f462683967f50f3
Related-Bug: #1890501
parent 1c9dc3d832
commit 2cdc6ae087
@ -0,0 +1,63 @@
date: 2020-08-25
id: OSSA-2020-006
title: Live migration fails to update persistent domain XML
description: >
Tadayoshi Hosoya (NEC) and Lee Yarwood (Red Hat) reported a
vulnerability in Nova live migration. By performing a soft reboot of
an instance which has previously undergone live migration, a user
may gain access to destination host devices that share the same
paths as host devices previously referenced by the virtual machine
on the source. This can include block devices that map to different
Cinder volumes on the destination than the source. The risk is
increased significantly in non-default configurations allowing
untrusted users to initiate live migrations, so administrators may
consider temporarily disabling this in policy if they cannot upgrade
immediately. This only impacts deployments where users are allowed
to perform soft reboots of server instances; it is recommended to
disable soft reboots in policy (only allowing hard reboots) until
the fix can be applied.
affected-products:
- product: Nova
version: '<19.3.1, >=20.0.0 <20.3.1, ==21.0.0'
vulnerabilities:
- cve-id: CVE-2020-17376
reporters:
- name: Tadayoshi Hosoya
affiliation: NEC
reported:
- CVE-2020-17376
- name: Lee Yarwood
affiliation: Red Hat
reported:
- CVE-2020-17376
issues:
links:
- https://launchpad.net/bugs/1890501
reviews:
victoria:
- https://review.opendev.org/747969
ussuri:
- https://review.opendev.org/747972
train:
- https://review.opendev.org/747973
stein:
- https://review.opendev.org/747974
rocky:
- https://review.opendev.org/747975
queens:
- https://review.opendev.org/747976
pike:
- https://review.opendev.org/747978
notes:
- The stable/rocky, stable/queens, and stable/pike branches are under
extended maintenance and will receive no new point releases, but patches
for them are provided as a courtesy.
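Review bot: the description recommends that operators temporarily disable live migration and soft reboots "in policy" as a workaround, but the advisory never names the policy rules to change, so an operator applying the mitigation before upgrading has to guess; please cite the exact rule names alongside the recommendation. A smaller point on `version: '<19.3.1, >=20.0.0 <20.3.1, ==21.0.0'`: the outer list is comma separated while the middle range joins its two bounds with a space, so either use one separator convention throughout or document the grammar the advisory tooling expects.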