CVE-2012-5625 : OpenStack Compute (Nova) Folsom before 2012.2.2 and Grizzly, when using libvirt and LVM backed instances, does not prope

OpenStack Compute (Nova) Folsom before 2012.2.2 and Grizzly, when using libvirt and LVM backed instances, does not properly clear physical volume (PV) content when reallocating for instances, which allows attackers to obtain sensitive information by reading the memory of the previous logical volume (LV).

Published 2012-12-26 22:55:04

Updated 2013-02-15 05:04:26

Source Red Hat, Inc.

View at NVD, CVE.org

Vulnerability category: Information leak

Exploit prediction scoring system (EPSS) score for CVE-2012-5625

Probability of exploitation activity in the next 30 days: 0.48%

Percentile, the proportion of vulnerabilities that are scored at or less: ~ 72 % EPSS Score History EPSS FAQ

CVSS scores for CVE-2012-5625

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
4.3	MEDIUM	AV:N/AC:M/Au:N/C:P/I:N/A:N	8.6	2.9	NIST
Access Vector: Network Access Complexity: Medium Authentication: None Confidentiality Impact: Partial Integrity Impact: None Availability Impact: None

CWE ids for CVE-2012-5625

CWE-200 Exposure of Sensitive Information to an Unauthorized Actor

The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

Assigned by: nvd@nist.gov (Primary)

References for CVE-2012-5625

http://www.openwall.com/lists/oss-security/2012/12/11/5

oss-security - [OSSA 2012-020] Information leak in libvirt LVM-backed instances (CVE-2012-5625)
https://launchpad.net/nova/folsom/2012.2.2

2012.2.2 : Series folsom : OpenStack Compute (nova)
https://github.com/openstack/nova/commit/a99a802e008eed18e39fc1d98170edc495cbd354

Don't leak info from libvirt LVM backed instances · openstack/nova@a99a802 · GitHub
Patch
https://github.com/openstack/nova/commit/9d2ea970422591f8cdc394001be9a2deca499a5f

Don't leak info from libvirt LVM backed instances · openstack/nova@9d2ea97 · GitHub
Patch
http://www.ubuntu.com/usn/USN-1663-1

USN-1663-1: Nova vulnerability | Ubuntu security notices
Patch
http://rhn.redhat.com/errata/RHSA-2013-0208.html

RHSA-2013:0208 - Security Advisory - Red Hat Customer Portal

CVEs referencing this url
https://bugzilla.redhat.com/show_bug.cgi?id=884293

884293 – (CVE-2012-5625) CVE-2012-5625 OpenStack Nova: Information leak in libvirt LVM-backed instances
http://www.securityfocus.com/bid/56904

OpenStack Nova CVE-2012-5625 Local Information Disclosure Vulnerability
https://bugs.launchpad.net/nova/+bug/1070539

Bug #1070539 “[OSSA 2012-020] create_lvm_image allocates dirty b...” : Bugs : OpenStack Compute (nova)

Products affected by CVE-2012-5625

Openstack » Folsom » Version: 2012.2
cpe:2.3:a:openstack:folsom:2012.2:*:*:*:*:*:*:*
Matching versions
Openstack » Grizzly » Version: N/A
cpe:2.3:a:openstack:grizzly:-:*:*:*:*:*:*:*
Matching versions

Vulnerability Details : CVE-2012-5625

Exploit prediction scoring system (EPSS) score for CVE-2012-5625

CVSS scores for CVE-2012-5625

CWE ids for CVE-2012-5625

References for CVE-2012-5625

Products affected by CVE-2012-5625