date: 2014-01-23

id: OSSA-2014-003

title: 'Live migration can leak root disk into ephemeral storage'

description: 'Loganathan Parthipan from Hewlett Packard reported a vulnerability in
  the Nova libvirt driver. By spawning a server with the same flavor as another user''s
  migrated virtual machine, an authenticated user can potentially access that user''s
  snapshot content resulting in information leakage. Only setups using KVM live block
  migration are affected.'

reference: http://lists.openstack.org/pipermail/openstack-announce/2014-January/000188.html

affected-products:

  - product: nova
    version: All supported versions

vulnerabilities:

  - cve-id: CVE-2013-7130
    impact-assessment:
      source: 'Red Hat Product Security'
      rating: moderate
      assessment:
        type: CVSS2
        score: 3.5
        detail: AV:N/AC:M/Au:S/C:P/I:N/A:N
    classification:
      source: 'Red Hat Product Security'
      type: CWE
      detail: TODO

reporters:

  - name: 'Loganathan Parthipan'
    affiliation: HP
    reported:
      - CVE-2013-7130

issues:

  links:
    - https://launchpad.net/bugs/1251590

  type: launchpad

reviews:

  icehouse:
    - https://review.openstack.org/#/c/68658

  havana:
    - https://review.openstack.org/#/c/68659

  grizzly:
    - https://review.openstack.org/#/c/68660

  type: gerrit