Security Advisory Important: openstack-nova security and bug fix update

Advisory: RHSA-2013:0208-1
Type: Security Advisory
Severity: Important
Issued on: 2013-01-30
Last updated on: 2013-01-30
Affected Products: Red Hat OpenStack Folsom
CVEs ( CVE-2012-5625


Updated openstack-nova packages that fix two security issues and multiple
bugs are now available for Red Hat OpenStack Folsom.

The Red Hat Security Response Team has rated this update as having
important security impact. Common Vulnerability Scoring System (CVSS) base
scores, which give detailed severity ratings, are available for each
vulnerability from the CVE links in the References section.

The openstack-nova packages provide OpenStack Compute (code name Nova), a
cloud computing fabric controller.

The openstack-nova packages have been upgraded to upstream version
2012.2.2, which provides a number of bug fixes over the previous version.

This update also fixes the following security issues:

It was found that the boot-from-volume feature in nova-volume did not
correctly validate if the user attempting to boot an image was permitted
to do so. An authenticated user could use this flaw to bypass
intended restrictions, allowing them to boot images they would otherwise
not have access to, exposing data stored in other users' images. This
issue did not affect configurations using the Cinder block storage
mechanism, which is the default in Red Hat OpenStack. (CVE-2013-0208)

When OpenStack Nova was configured to provide guest instances with libvirt
and said guests used LVM-backed ephemeral storage
("libvirt_images_type=lvm" in "/etc/nova/nova.conf"), the contents of the
physical volume were not wiped before the volume was returned to the system
for use by a different guest instance. This could lead to a new instance
being able to access files and data from a previous instance. This issue
did not affect configurations using the Cinder block storage mechanism,
which is the default in Red Hat OpenStack. (CVE-2012-5625)

Red Hat would like to thank the OpenStack project for reporting these
issues. Upstream acknowledges Phil Day as the original reporter of
CVE-2013-0208, and Eric Windisch as the original reporter of CVE-2012-5625.

All users of openstack-nova are advised to upgrade to these updated
packages, which correct these issues. After installing the updated
packages, the Nova running services will be restarted automatically.


Before applying this update, make sure all previously-released errata
relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to
use the Red Hat Network to apply this update are available at

Updated packages

Red Hat OpenStack Folsom

File outdated by:  RHBA-2013:0798
    MD5: b708eb673895de2b4ac50e9c18355f57
SHA-256: 1530a44154c49b0ccf9c6c5016bc7ce31d0883ff795a1866723fd1001dcdba50
File outdated by:  RHBA-2013:0798
    MD5: a5434a42d8aa8d6870f17e618ca9d1fb
SHA-256: 4a81dd4d5b92a13fd2bd4b84ee5a2e4202e47d00e7fe3c1505d862bd87f20d81
File outdated by:  RHBA-2013:0798
    MD5: 9d84a9547712b01e1b10a733c932db4c
SHA-256: 0bd981a2777cd6b2aec37f8f0e4357ed9020a2ce2d42b24b6208abf83aa1083e
File outdated by:  RHBA-2013:0798
    MD5: cda8d191a6f4f70cef3575a8375fc0e8
SHA-256: 2a0511f5a62be750c01e3ecaf84a3d6ed303f9e2b7977dc2bf56ed5a155a4fb9
File outdated by:  RHBA-2013:0798
    MD5: 03b8c11c988e6a7ff7df0fd6f7c49768
SHA-256: 780431d67d125ac7ed18aebb5246d8509591f0e776d8f33b85aab31b983b1018
File outdated by:  RHBA-2013:0798
    MD5: ad350b867c88748d451614241130295d
SHA-256: 2fe1439eb354434d67bd40176d69ecb154220ee6947ea38d4142be78489f968e
File outdated by:  RHBA-2013:0798
    MD5: 6e0e028a2080607469a6e530a0a56a6e
SHA-256: f5b5b8082ac0efc2df93db1bd8e0aea5416dff13bfc297b51ff9148351ff2a15
File outdated by:  RHBA-2013:0798
    MD5: 3f764c6fb57233523edd4af6b9926e25
SHA-256: bc490daf0ef4c8f4b791248d7fe6ce096125dd86b51f09b19d85f2dc39428640
File outdated by:  RHBA-2013:0798
    MD5: 8ccabb1b6cf298e13e2793bf0ff92395
SHA-256: db7e04418b402c4f6b7332cbb91d407b5007c36f606bbc4fb0f5c67dd9a538c5
File outdated by:  RHBA-2013:0798
    MD5: f553b01f4187a0c25ce624329a417ad6
SHA-256: 31bfae358d42f7dd3039d3d66f0a94d0c3999c5d56f025b236b10ec91095926b
File outdated by:  RHBA-2013:0798
    MD5: dbd339278e34033f5bb7b3f1a118131f
SHA-256: b1d7e8e515c3d4ae06fce6a9700fb337552651cb395375e2839788aea8db2800
File outdated by:  RHBA-2013:0798
    MD5: 427247979863563d76a4397ad5b48711
SHA-256: e7d89885c9658e3dde2e988b420c016bfd46aa8b43240ea35f36c0a167dc9509
File outdated by:  RHBA-2013:0798
    MD5: 35081c96221c22875acfbbf96818a468
SHA-256: c9932fc7c6f4199cb818f3eba64f5ddba8276519f17b83f91e3f9d1819a92f57
(The unlinked packages above are only available from the Red Hat Network)

Bugs fixed (see bugzilla for more information)

856263 - Fix libvirt auth callback to allow for use of libvirt client auth config files
881810 - When Installing openstack-nova, The package python-keystone should be installed by dependency.
884293 - CVE-2012-5625 OpenStack Nova: Information leak in libvirt LVM-backed instances
887303 - Change default networking type to virtio
902629 - CVE-2013-0208 openstack-nova: Boot from volume allows access to random volumes


These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from:

The Red Hat security contact is More contact details at