CVE-2013-7130 : The i_create_images_and_backing (aka create_images_and_backing) method in libvirt driver in OpenStack Compute (Nova) Gri

The i_create_images_and_backing (aka create_images_and_backing) method in libvirt driver in OpenStack Compute (Nova) Grizzly, Havana, and Icehouse, when using KVM live block migration, does not properly create all expected files, which allows attackers to obtain snapshot root disk contents of other users via ephemeral storage.

Published 2014-02-06 17:00:07

Updated 2017-08-29 01:34:04

Source MITRE

View at NVD, CVE.org

Vulnerability category: Information leak

Exploit prediction scoring system (EPSS) score for CVE-2013-7130

Probability of exploitation activity in the next 30 days: 0.76%

Percentile, the proportion of vulnerabilities that are scored at or less: ~ 79 % EPSS Score History EPSS FAQ

CVSS scores for CVE-2013-7130

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
7.1	HIGH	AV:N/AC:M/Au:N/C:C/I:N/A:N	8.6	6.9	NIST
Access Vector: Network Access Complexity: Medium Authentication: None Confidentiality Impact: Complete Integrity Impact: None Availability Impact: None

CWE ids for CVE-2013-7130

CWE-200 Exposure of Sensitive Information to an Unauthorized Actor

The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

Assigned by: nvd@nist.gov (Primary)

References for CVE-2013-7130

https://exchange.xforce.ibmcloud.com/vulnerabilities/90652

OpenStack Compute libvirt driver information disclosure CVE-2013-7130 Vulnerability Report
http://www.securityfocus.com/bid/65106

OpenStack Compute (Nova) CVE-2013-7130 Information Disclosure Vulnerability
https://review.openstack.org/#/c/68659/

Change I78aa2f42: libvirt: Fix root disk leak in live mig | review.opendev Code Review
http://lists.fedoraproject.org/pipermail/package-announce/2014-February/127735.html

[SECURITY] Fedora 19 Update: openstack-nova-2013.1.4-6.fc19
https://review.openstack.org/#/c/68658/

Change I78aa2f42: libvirt: Fix root disk leak in live mig | review.opendev Code Review
Patch
http://rhn.redhat.com/errata/RHSA-2014-0231.html

RHSA-2014:0231 - Security Advisory - Red Hat Customer Portal

CVEs referencing this url
https://bugs.launchpad.net/nova/+bug/1251590

Bug #1251590 “[OSSA 2014-003] Live migration can leak root disk ...” : Bugs : OpenStack Compute (nova)
http://www.ubuntu.com/usn/USN-2247-1

USN-2247-1: OpenStack Nova vulnerabilities | Ubuntu security notices

CVEs referencing this url
https://review.openstack.org/#/c/68660/

Change I78aa2f42: libvirt: Fix root disk leak in live mig | review.opendev Code Review
Patch
http://lists.fedoraproject.org/pipermail/package-announce/2014-February/127732.html

[SECURITY] Fedora 20 Update: openstack-nova-2013.2.1-4.fc20
http://www.openwall.com/lists/oss-security/2014/01/23/5

oss-security - [OSSA 2014-003] Live migration can leak root disk into ephemeral storage (CVE-2013-7130)

Products affected by CVE-2013-7130

Openstack » Compute » Version: 2012.2
cpe:2.3:a:openstack:compute:2012.2:*:*:*:*:*:*:*
Matching versions
Openstack » Compute » Version: 2013.1.2
cpe:2.3:a:openstack:compute:2013.1.2:*:*:*:*:*:*:*
Matching versions
Openstack » Compute » Version: 2013.1.3
cpe:2.3:a:openstack:compute:2013.1.3:*:*:*:*:*:*:*
Matching versions
Openstack » Compute » Version: 2013.1
cpe:2.3:a:openstack:compute:2013.1:*:*:*:*:*:*:*
Matching versions
Openstack » Compute » Version: 2013.1.1
cpe:2.3:a:openstack:compute:2013.1.1:*:*:*:*:*:*:*
Matching versions
Openstack » Grizzly » Version: N/A
cpe:2.3:a:openstack:grizzly:-:*:*:*:*:*:*:*
Matching versions
Openstack » Havana » Version: N/A
cpe:2.3:a:openstack:havana:-:*:*:*:*:*:*:*
Matching versions
Openstack » Icehouse » Version: N/A
cpe:2.3:a:openstack:icehouse:-:*:*:*:*:*:*:*
Matching versions

Vulnerability Details : CVE-2013-7130

Exploit prediction scoring system (EPSS) score for CVE-2013-7130

CVSS scores for CVE-2013-7130

CWE ids for CVE-2013-7130

References for CVE-2013-7130

Products affected by CVE-2013-7130