On 08/07/2012 10:38 PM, Eric Windisch wrote:
>
>> Pádraig Brady from Red Hat discovered that the fix implemented for
>> CVE-2012-3361 (OSSA-2012-008) was not covering all attack scenarios. By
>> crafting a malicious image with root-readable-only symlinks and
>> requesting a server based on it, an authenticated user could still
>> corrupt arbitrary files (all setups affected) or inject arbitrary files
>> (Essex and later setups with OpenStack API enabled and a libvirt-based
>> hypervisor) on the host filesystem, potentially resulting in full
>> compromise of that compute node.
>>
>
> Unfortunately, this won't be the end of vulnerabilities coming from this
> "feature".
>
> Even if all the edge cases around safely writing files are handled (and I'm
> not sure they are), simply mounting a filesystem is a very dangerous
> operation for the host.
>
> The idea had been suggested early on of supporting ISO9660 filesystems
> created with mkisofs, which can be created in userspace, are read-only, and
> fairly safe to produce, even as root on the compute host.
>
> That idea was apparently shot down because "the people who
> documented/requested the blueprint requested a read-write filesystem that you
> cannot obtain with ISO9660". Now everyone has to live with a serious
> technical blunder.
>
> Per the summit discussion Etherpad:
> "injecting files into a guest is a very popular desire."
>
> Popular desires are not necessarily smart desires. We should remove all file
> injection post-haste.
You can configure injection out depending on your requirements. Also notice
that libguestfs is supported as an injection mechanism, which mounts images in
a separate VM, one of the big advantages of that being better security.

cheers,
Pádraig.

_______________________________________________
Mailing list: https://launchpad.net/~openstack
Post to     : openstack@lists.launchpad.net
Unsubscribe : https://launchpad.net/~openstack
More help   : https://help.launchpad.net/ListHelp
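The symlink problem the advisory and Eric's reply turn on, as an added worked example (editor's illustration, not code from this thread or from Nova): a "mounted image" is simulated by a constructed temporary directory tree in which the guest-controlled file etc/hostname is a symlink pointing out of the image. A naive injector that just joins the path and calls open() follows the link and overwrites the host file. The hardened injector walks the path one component at a time relative to the mount-root descriptor and passes O_NOFOLLOW to every open, so the refusal happens inside the privileged open itself rather than in a separate check that directory permissions or a check-then-write race could defeat. The function and fixture names (build_demo_tree, naive_inject, safe_inject, UnsafePath, demo) are assumptions chosen for the example; it needs a POSIX platform with dir_fd support in os.open.

```python
"""Added example: why writing files into a mounted guest image is hard to do
safely when the guest controls the image contents (symlink escape)."""
import errno
import os
import tempfile


class UnsafePath(Exception):
    """Raised when an injection path would leave the mounted image."""


def build_demo_tree(base):
    """Constructed fixture: `mount` stands in for the mounted guest image and
    outside/target for a host file. Inside the image, etc/hostname is a
    symlink to ../../outside/target, i.e. it points out of the image."""
    mount = os.path.join(base, "mount")
    outside = os.path.join(base, "outside")
    os.makedirs(os.path.join(mount, "etc"))
    os.makedirs(outside)
    target = os.path.join(outside, "target")
    with open(target, "wb") as f:
        f.write(b"host file, must never change\n")
    os.symlink("../../outside/target", os.path.join(mount, "etc", "hostname"))
    return mount, target


def naive_inject(mount, rel_path, data):
    """The straightforward injector: join and open. open() follows symlinks,
    so a guest-supplied link redirects the write onto the host."""
    with open(os.path.join(mount, rel_path), "wb") as f:
        f.write(data)


def safe_inject(mount, rel_path, data):
    """Open the mount root, then each path component relative to the previous
    directory fd with O_NOFOLLOW, so a symlink anywhere in the path fails with
    ELOOP at open time instead of being followed. No lstat pre-check is used,
    so hiding the link behind a root-only directory or racing the write does
    not help the attacker."""
    parts = rel_path.split("/")
    if rel_path.startswith("/") or any(p in ("", ".", "..") for p in parts):
        raise UnsafePath("path must be relative and free of '', '.', '..'")
    fd = os.open(mount, os.O_RDONLY | os.O_DIRECTORY)
    try:
        for name in parts[:-1]:
            try:
                nxt = os.open(name, os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW,
                              dir_fd=fd)
            except OSError as e:
                if e.errno in (errno.ELOOP, errno.ENOTDIR):
                    raise UnsafePath("symlink or non-directory in path: " + name)
                raise
            os.close(fd)
            fd = nxt
        try:
            out = os.open(parts[-1],
                          os.O_WRONLY | os.O_CREAT | os.O_TRUNC | os.O_NOFOLLOW,
                          0o644, dir_fd=fd)
        except OSError as e:
            if e.errno == errno.ELOOP:
                raise UnsafePath("final component is a symlink: " + parts[-1])
            raise
        with os.fdopen(out, "wb") as f:  # closes `out` for us
            f.write(data)
    finally:
        os.close(fd)


def demo():
    """Run both injectors against the constructed tree; return what happened."""
    base = tempfile.mkdtemp(prefix="inject-demo-")
    mount, host_target = build_demo_tree(base)
    result = {}
    # 1. naive path: the host file outside the image gets overwritten
    naive_inject(mount, "etc/hostname", b"attacker-controlled\n")
    with open(host_target, "rb") as f:
        result["naive_host_file"] = f.read()
    # 2. hardened path refuses the same symlink ...
    try:
        safe_inject(mount, "etc/hostname", b"attacker-controlled\n")
        result["safe_refused"] = False
    except UnsafePath:
        result["safe_refused"] = True
    # 3. ... but still writes an ordinary file inside the image
    safe_inject(mount, "etc/motd", b"injected by host\n")
    with open(os.path.join(mount, "etc", "motd"), "rb") as f:
        result["safe_motd"] = f.read()
    return result


if __name__ == "__main__":
    print(demo())
```

This only closes the symlink class discussed above; it does nothing about the point Eric makes that mounting an attacker-supplied filesystem image at all exposes the host kernel's filesystem driver to hostile metadata, which is the risk that doing the work in a separate appliance VM (libguestfs) or producing a read-only ISO9660 image in userspace avoids.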