Add OSSA-2020-006 (CVE-2020-17376)
Change-Id: I4bb95e74551dc02664074a006f462683967f50f3 Related-Bug: #1890501
This commit is contained in:
Jeremy Stanley
parent
1c9dc3d832
commit
2cdc6ae087
|
|
@ -0,0 +1,63 @@
|
|||
date: 2020-08-25
|
||||
|
||||
id: OSSA-2020-006
|
||||
|
||||
title: Live migration fails to update persistent domain XML
|
||||
|
||||
description: >
|
||||
Tadayoshi Hosoya (NEC) and Lee Yarwood (Red Hat) reported a
|
||||
vulnerability in Nova live migration. By performing a soft reboot of
|
||||
an instance which has previously undergone live migration, a user
|
||||
may gain access to destination host devices that share the same
|
||||
paths as host devices previously referenced by the virtual machine
|
||||
on the source. This can include block devices that map to different
|
||||
Cinder volumes on the destination than the source. The risk is
|
||||
increased significantly in non-default configurations allowing
|
||||
untrusted users to initiate live migrations, so administrators may
|
||||
consider temporarily disabling this in policy if they cannot upgrade
|
||||
immediately. This only impacts deployments where users are allowed
|
||||
to perform soft reboots of server instances; it is recommended to
|
||||
disable soft reboots in policy (only allowing hard reboots) until
|
||||
the fix can be applied.
|
||||
|
||||
affected-products:
|
||||
- product: Nova
|
||||
version: '<19.3.1, >=20.0.0 <20.3.1, ==21.0.0'
|
||||
|
||||
vulnerabilities:
|
||||
- cve-id: CVE-2020-17376
|
||||
|
||||
reporters:
|
||||
- name: Tadayoshi Hosoya
|
||||
affiliation: NEC
|
||||
reported:
|
||||
- CVE-2020-17376
|
||||
- name: Lee Yarwood
|
||||
affiliation: Red Hat
|
||||
reported:
|
||||
- CVE-2020-17376
|
||||
|
||||
issues:
|
||||
links:
|
||||
- https://launchpad.net/bugs/1890501
|
||||
|
||||
reviews:
|
||||
victoria:
|
||||
- https://review.opendev.org/747969
|
||||
ussuri:
|
||||
- https://review.opendev.org/747972
|
||||
train:
|
||||
- https://review.opendev.org/747973
|
||||
stein:
|
||||
- https://review.opendev.org/747974
|
||||
rocky:
|
||||
- https://review.opendev.org/747975
|
||||
queens:
|
||||
- https://review.opendev.org/747976
|
||||
pike:
|
||||
- https://review.opendev.org/747978
|
||||
|
||||
notes:
|
||||
- The stable/rocky, stable/queens, and stable/pike branches are under
|
||||
extended maintenance and will receive no new point releases, but patches
|
||||
for them are provided as a courtesy.
|
||||
Loading…
Reference in New Issue