Information Disclosure in OpenStack Compute (Nova) by Red Hat and Ubuntu
CVE-2012-5625

Currently unrated

Key Information:

Vendor: Openstack
Status: Grizzly; Folsom
Vendor: CVE Published:; 26 December 2012

Summary

In OpenStack Compute (Nova) versions prior to 2012.2.2 and in the Grizzly release, a vulnerability exists when using libvirt with LVM-backed instances. The issue arises from the failure to adequately clear the content of physical volumes (PV) when reallocating them for new instances. This oversight enables attackers to access sensitive information by reading the memory of previously allocated logical volumes (LV). The potential for exploitation highlights the importance of ensuring that memory management practices are strictly adhered to in virtualized environments.

References

http://rhn.redhat.com/errata/RHSA-2013-0208.html

vendor-advisoryx_refsource_REDHAT

https://bugs.launchpad.net/nova/+bug/1070539

x_refsource_CONFIRM

http://www.ubuntu.com/usn/USN-1663-1

vendor-advisoryx_refsource_UBUNTU

Timeline

Vulnerability published
Dec 26, 2012
Vulnerability Reserved
Oct 24, 2012