Your submission was sent successfully! Close

USN-2405-1: OpenStack Cinder vulnerabilities

11 November 2014

OpenStack Cinder could be made to expose sensitive information over the network.



  • cinder - OpenStack storage service


Duncan Thomas discovered that OpenStack Cinder did not properly track the
file format when using the GlusterFS of Smbfs drivers. A remote
authenticated user could exploit this to potentially obtain file contents
from the compute host. (CVE-2014-3641)

Amrith Kumar discovered that OpenStack Cinder did not properly sanitize log
message contents. Under certain circumstances, a local attacker with read
access to Cinder log files could obtain access to sensitive information.

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 14.04

In general, a standard system update will make all the necessary changes.

Related notices

  • USN-2407-1: nova-api-ec2, nova-volume, nova-ajax-console-proxy, python-nova, nova-scheduler, nova-api-os-compute, nova-doc, nova-network, nova-api, nova-baremetal, nova-compute-qemu, nova-console, nova-spiceproxy, nova, nova-common, nova-xvpvncproxy, nova-compute-lxc, nova-conductor, nova-compute-xen, nova-compute, nova-consoleauth, nova-cert, nova-api-os-volume, nova-cells, nova-compute-kvm, nova-compute-vmware, nova-novncproxy, nova-compute-libvirt, nova-api-metadata, nova-objectstore