Ubuntu Security Notice 2405-1 - Duncan Thomas discovered that OpenStack Cinder did not properly track the file format when using the GlusterFS of Smbfs drivers. A remote authenticated user could exploit this to potentially obtain file contents from the compute host. Amrith Kumar discovered that OpenStack Cinder did not properly sanitize log message contents. Under certain circumstances, a local attacker with read access to Cinder log files could obtain access to sensitive information. Various other issues were also addressed.
093befa060a0a74d20668cc4dd13401ce693514f81089d91ae807f5c8f629ff9
============================================================================
Ubuntu Security Notice USN-2405-1
November 11, 2014
cinder vulnerabilities
============================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 14.04 LTS
Summary:
OpenStack Cinder could be made to expose sensitive information over the
network.
Software Description:
- cinder: OpenStack storage service
Details:
Duncan Thomas discovered that OpenStack Cinder did not properly track the
file format when using the GlusterFS of Smbfs drivers. A remote
authenticated user could exploit this to potentially obtain file contents
from the compute host. (CVE-2014-3641)
Amrith Kumar discovered that OpenStack Cinder did not properly sanitize log
message contents. Under certain circumstances, a local attacker with read
access to Cinder log files could obtain access to sensitive information.
(CVE-2014-7230)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 14.04 LTS:
python-cinder 1:2014.1.3-0ubuntu1.1
In general, a standard system update will make all the necessary changes.
References:
http://www.ubuntu.com/usn/usn-2405-1
CVE-2014-3641, CVE-2014-7230
Package Information:
https://launchpad.net/ubuntu/+source/cinder/1:2014.1.3-0ubuntu1.1