CVE-2016-2140

Published: 12 April 2016

The libvirt driver in OpenStack Compute (Nova) before 2015.1.4 (kilo) and 12.0.x before 12.0.3 (liberty), when using raw storage and use_cow_images is set to false, allows remote authenticated users to read arbitrary files via a crafted qcow2 header in an ephemeral or root disk.
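An audit check for the condition described above, as an added example (not code from Nova or from the upstream patches): it reads the first bytes of a disk file that the deployment expects to be raw and reports whether they form a qcow2 header, and whether that header names a backing file. The function names, the result keys and both sample blobs are assumptions made for this illustration.

```python
import struct

QCOW2_MAGIC = b"QFI\xfb"   # first four bytes of every qcow2 image
HEADER_FMT = ">4sIQI"      # magic, version, backing_file_offset, backing_file_size
HEADER_LEN = struct.calcsize(HEADER_FMT)   # 20 bytes, big-endian, no padding


def inspect_expected_raw(blob):
    """Classify the leading bytes of a disk that is expected to be raw.

    Returns a dict. "format" is "raw" or "qcow2"; for qcow2 the dict also
    carries the header version, whether a backing file is declared, and its
    name when the name lies inside the bytes that were read.
    """
    if len(blob) < HEADER_LEN or not blob.startswith(QCOW2_MAGIC):
        return {"format": "raw", "suspicious": False}
    _, version, bf_off, bf_len = struct.unpack_from(HEADER_FMT, blob)
    backing = None
    # The qcow2 format limits the backing file name to 1023 bytes.
    if bf_off and 0 < bf_len <= 1023 and bf_off + bf_len <= len(blob):
        backing = blob[bf_off:bf_off + bf_len].decode("utf-8", "replace")
    return {"format": "qcow2", "version": version,
            "declares_backing_file": bool(bf_off),
            "backing_file": backing, "suspicious": True}


def inspect_path(path, probe=64 * 1024):
    """Read only the first `probe` bytes of a disk file and classify them."""
    with open(path, "rb") as fh:
        return inspect_expected_raw(fh.read(probe))


# Constructed samples (not taken from the advisory). The second holds only the
# header fields this check reads plus a placeholder name; it is not a usable image.
SAMPLE_RAW = b"\x00" * 510 + b"\x55\xaa" + b"\x00" * 512
_NAME = b"/placeholder/backing-file"
SAMPLE_QCOW2_HEADER = (struct.pack(HEADER_FMT, QCOW2_MAGIC, 2, 104, len(_NAME))
                       .ljust(104, b"\x00") + _NAME)

if __name__ == "__main__":
    for label, blob in (("raw", SAMPLE_RAW), ("qcow2 header", SAMPLE_QCOW2_HEADER)):
        print(label, inspect_expected_raw(blob))
```

A qcow2 result on a disk configured as raw is worth investigating even when `backing_file` is `None`, since the name may simply lie beyond the probed bytes.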

Priority

Low

CVSS 3 base score: 5.3

Status

Package: nova (Launchpad, Ubuntu, Debian)

Release                            Status
Upstream                           Needs triage
Ubuntu 16.04 LTS (Xenial Xerus)    Not vulnerable (2:12.0.0-0ubuntu2)
Ubuntu 14.04 ESM (Trusty Tahr)     Does not exist (trusty was released [1:2014.1.5-0ubuntu1.7])

Patches:
Upstream: https://review.openstack.org/289960 (Kilo)
Upstream: https://review.openstack.org/289958 (Liberty)
Upstream: https://review.openstack.org/289957 (Mitaka)