OpenStack Compute (nova) launches and schedules large networks of virtual
machines, creating a redundant and scalable cloud computing platform.
Compute provides the software, control panels, and APIs required to
orchestrate a cloud, including running virtual machine instances and
controlling access through users and projects.
A flaw was discovered in the OpenStack Compute (nova) snapshot feature when
using the libvirt driver. A compute user could overwrite an attached
instance disk with a malicious header specifying a backing file, and then
request a snapshot, causing a file from the compute host to be leaked. This
flaw only affects LVM or Ceph setups, or setups using filesystem storage
with “use_cow_images = False”. (CVE-2015-7548)
A vulnerability was discovered in the way OpenStack Compute (nova)
networking handled security group updates; changes were not applied to
already running VM instances. A remote attacker could use this flaw to
access running VM instances. (CVE-2015-7713)
The CVE-2015-7548 issue was discovered by Matthew Booth of Red Hat
OpenStack Engineering.
All openstack-nova users are advised to upgrade to these updated packages,
which correct these issues.