CVE-2013-0326

Published: 05 December 2019

OpenStack nova base images permissions are world readable

Priority

Low

CVSS 3 base score: 5.5

Status

Package: nova (Launchpad, Ubuntu, Debian)

Release: Upstream
Status: Needed

Release: Ubuntu 14.04 ESM (Trusty Tahr)
Status: Does not exist (trusty was ignored)

Notes

Author: seth-arnold
Note:
/var/lib/nova/instances/_base/ apparently stores images with DAC
permissions set to 0644. Deferred while waiting for upstream to address
the issue -- I suspect the fix is simple, but the consequences may not be.

Author: jdstrand
Note:
Ignoring. VMs are confined by AppArmor and are not able to read
each other's files. Even if this were not the case, the files would be
readable by the libvirt-qemu:kvm user, so changing the permissions to
0640 would not help greatly. Therefore the protection would only be against
other users on the system and a typical production Nova installation will
not have these types of users or extra services. Furthermore, changing the
permissions in a security update could be disruptive to production systems
on upgrade.
no upstream fix as of 2014-05-05
