Main Vulnerability Database SB2023072422

SB2023072422 - Ubuntu update for cinder

Published: July 24, 2023

Security Bulletin ID SB2023072422

Severity

Low

Patch available

YES

Number of vulnerabilities 1

Exploitation vector Local access

Highest impact Information disclosure

Breakdown by Severity

Low
Medium
High
Critical

Description

This security bulletin contains information about 1 security vulnerability.

1) Permissions, Privileges, and Access Controls (CVE-ID: CVE-2023-2088)

The vulnerability allows an attacker to gain unauthorized access to a volume.

The vulnerability exists due to the way OpenStack handles situations with volume deletions. A regular user can create an instance with a volume, and then delete the volume attachment directly in Cinder, which neglects to notify Nova.

The compute node SCSI plumbing (over iSCSI/FC) will continue trying to connect to the original host/port/LUN, not knowing the attachment has been deleted. If a subsequent volume attachment re-uses the host/port/LUN for a different instance and volume, the original instance will gain access to it once the SCSI plumbing reconnects.

Only deployments with iSCSI or FC volumes are affected.

Remediation

Install update from vendor's website.

References

https://ubuntu.com/security/notices/USN-6241-1