CVE-2016-2140
Published: 12 April 2016
The libvirt driver in OpenStack Compute (Nova) before 2015.1.4 (kilo) and 12.0.x before 12.0.3 (liberty), when using raw storage and use_cow_images is set to false, allows remote authenticated users to read arbitrary files via a crafted qcow2 header in an ephemeral or root disk.
Priority
CVSS 3 base score: 5.3
Status
Package | Release | Status |
---|---|---|
nova (Launchpad, Ubuntu, Debian) | Upstream | Needs triage |
nova | Ubuntu 16.04 LTS (Xenial Xerus) | Not vulnerable (2:12.0.0-0ubuntu2) |
nova | Ubuntu 14.04 ESM (Trusty Tahr) | Does not exist (trusty was released [1:2014.1.5-0ubuntu1.7]) |

Patches:
- Upstream: https://review.openstack.org/289960 (Kilo)
- Upstream: https://review.openstack.org/289958 (Liberty)
- Upstream: https://review.openstack.org/289957 (Mitaka)
Notes
Author | Note |
---|---|
sbeattie | from debian: Affects: <=2015.1.3, >=12.0.0 <=12.0.2 |
References
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2140
- http://seclists.org/oss-sec/2016/q1/564
- https://usn.ubuntu.com/usn/usn-3449-1
- NVD
- Launchpad
- Debian