Vulnerability Details : CVE-2013-7130
The i_create_images_and_backing (aka create_images_and_backing) method in libvirt driver in OpenStack Compute (Nova) Grizzly, Havana, and Icehouse, when using KVM live block migration, does not properly create all expected files, which allows attackers to obtain snapshot root disk contents of other users via ephemeral storage.
Vulnerability category: Information leak
Exploit prediction scoring system (EPSS) score for CVE-2013-7130
Probability of exploitation activity in the next 30 days: 0.76%
Percentile, the proportion of vulnerabilities that are scored at or less: ~ 79 %
CVSS scores for CVE-2013-7130
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source |
---|---|---|---|---|---|
7.1 | HIGH | AV:N/AC:M/Au:N/C:C/I:N/A:N | 8.6 | 6.9 | NIST |
CWE ids for CVE-2013-7130
-
The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information. Assigned by: nvd@nist.gov (Primary)
References for CVE-2013-7130
-
https://exchange.xforce.ibmcloud.com/vulnerabilities/90652
OpenStack Compute libvirt driver information disclosure CVE-2013-7130 Vulnerability Report
-
http://www.securityfocus.com/bid/65106
OpenStack Compute (Nova) CVE-2013-7130 Information Disclosure Vulnerability
-
https://review.openstack.org/#/c/68659/
Change I78aa2f42: libvirt: Fix root disk leak in live mig | review.opendev Code Review
-
http://lists.fedoraproject.org/pipermail/package-announce/2014-February/127735.html
[SECURITY] Fedora 19 Update: openstack-nova-2013.1.4-6.fc19
-
https://review.openstack.org/#/c/68658/
Change I78aa2f42: libvirt: Fix root disk leak in live mig | review.opendev Code Review (Patch)
-
http://rhn.redhat.com/errata/RHSA-2014-0231.html
RHSA-2014:0231 - Security Advisory - Red Hat Customer Portal
-
https://bugs.launchpad.net/nova/+bug/1251590
Bug #1251590 “[OSSA 2014-003] Live migration can leak root disk ...” : Bugs : OpenStack Compute (nova)
-
http://www.ubuntu.com/usn/USN-2247-1
USN-2247-1: OpenStack Nova vulnerabilities | Ubuntu security notices
-
https://review.openstack.org/#/c/68660/
Change I78aa2f42: libvirt: Fix root disk leak in live mig | review.opendev Code Review (Patch)
-
http://lists.fedoraproject.org/pipermail/package-announce/2014-February/127732.html
[SECURITY] Fedora 20 Update: openstack-nova-2013.2.1-4.fc20
-
http://www.openwall.com/lists/oss-security/2014/01/23/5
oss-security - [OSSA 2014-003] Live migration can leak root disk into ephemeral storage (CVE-2013-7130)
Products affected by CVE-2013-7130
- cpe:2.3:a:openstack:compute:2012.2:*:*:*:*:*:*:*
- cpe:2.3:a:openstack:compute:2013.1.2:*:*:*:*:*:*:*
- cpe:2.3:a:openstack:compute:2013.1.3:*:*:*:*:*:*:*
- cpe:2.3:a:openstack:compute:2013.1:*:*:*:*:*:*:*
- cpe:2.3:a:openstack:compute:2013.1.1:*:*:*:*:*:*:*
- cpe:2.3:a:openstack:grizzly:-:*:*:*:*:*:*:*
- cpe:2.3:a:openstack:havana:-:*:*:*:*:*:*:*
- cpe:2.3:a:openstack:icehouse:-:*:*:*:*:*:*:*