Vulnerability Name:

CVE-2013-7130 (CCN-90652)

Assigned: 2013-12-17
Published: 2014-01-24
Updated: 2017-08-29
Summary: The i_create_images_and_backing (aka create_images_and_backing) method in libvirt driver in OpenStack Compute (Nova) Grizzly, Havana, and Icehouse, when using KVM live block migration, does not properly create all expected files, which allows attackers to obtain snapshot root disk contents of other users via ephemeral storage.
CVSS v3 Severity: 5.7 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N)
Exploitability Metrics: Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): Low
User Interaction (UI): Required
Scope: Scope (S): Unchanged
Impact Metrics: Confidentiality (C): High
Integrity (I): None
Availability (A): None
CVSS v2 Severity: 7.1 High (CVSS v2 Vector: AV:N/AC:M/Au:N/C:C/I:N/A:N)
5.3 Medium (Temporal CVSS v2 Vector: AV:N/AC:M/Au:N/C:C/I:N/A:N/E:U/RL:OF/RC:C)
Exploitability Metrics: Access Vector (AV): Network
Access Complexity (AC): Medium
Authentication (Au): None
Impact Metrics: Confidentiality (C): Complete
Integrity (I): None
Availability (A): None
6.8 Medium (CCN CVSS v2 Vector: AV:N/AC:L/Au:S/C:C/I:N/A:N)
5.0 Medium (CCN Temporal CVSS v2 Vector: AV:N/AC:L/Au:S/C:C/I:N/A:N/E:U/RL:OF/RC:C)
Exploitability Metrics: Access Vector (AV): Network
Access Complexity (AC): Low
Authentication (Au): Single_Instance
Impact Metrics: Confidentiality (C): Complete
Integrity (I): None
Availability (A): None
Vulnerability Type: CWE-200
Vulnerability Consequences: Obtain Information
References:
Source: MITRE
Type: CNA
CVE-2013-7130

Source: FEDORA
Type: UNKNOWN
FEDORA-2014-1463

Source: FEDORA
Type: UNKNOWN
FEDORA-2014-1516

Source: OSVDB
Type: UNKNOWN
102416

Source: REDHAT
Type: UNKNOWN
RHSA-2014:0231

Source: CCN
Type: oss-sec Mailing List, Fri, 24 Jan 2014 02:38:24 +1000
[OSSA 2014-003] Live migration can leak root disk into ephemeral storage (CVE-2013-7130)

Source: SECUNIA
Type: Vendor Advisory
56450

Source: CCN
Type: OpenStack Compute Web Site
OpenStack Compute

Source: MLIST
Type: UNKNOWN
[oss-security] 20140124 [OSSA 2014-003] Live migration can leak root disk into ephemeral storage (CVE-2013-7130)

Source: BID
Type: UNKNOWN
65106

Source: CCN
Type: BID-65106
OpenStack Compute (Nova) CVE-2013-7130 Information Disclosure Vulnerability

Source: UBUNTU
Type: UNKNOWN
USN-2247-1

Source: CCN
Type: Launchpad Bug #1251590
Live migration can leak root disk into ephemeral storage (CVE-2013-7130)

Source: MISC
Type: UNKNOWN
https://bugs.launchpad.net/nova/+bug/1251590

Source: XF
Type: UNKNOWN
openstack-cve20137130-info-disc(90652)

Source: CONFIRM
Type: Patch
https://review.openstack.org/#/c/68658/

Source: CONFIRM
Type: UNKNOWN
https://review.openstack.org/#/c/68659/

Source: CONFIRM
Type: Patch
https://review.openstack.org/#/c/68660/

Source: CCN
Type: WhiteSource Vulnerability Database
CVE-2013-7130

Vulnerable Configuration: Configuration 1:
  • cpe:/a:openstack:compute:2012.2:*:*:*:*:*:*:*
  • OR cpe:/a:openstack:compute:2013.1:*:*:*:*:*:*:*
  • OR cpe:/a:openstack:compute:2013.1.1:*:*:*:*:*:*:*
  • OR cpe:/a:openstack:compute:2013.1.2:*:*:*:*:*:*:*
  • OR cpe:/a:openstack:compute:2013.1.3:*:*:*:*:*:*:*
  • OR cpe:/a:openstack:grizzly:-:*:*:*:*:*:*:*
  • OR cpe:/a:openstack:havana:-:*:*:*:*:*:*:*
  • OR cpe:/a:openstack:icehouse:-:*:*:*:*:*:*:*

* Denotes that component is vulnerable

Oval Definitions:
Definition ID | Class | Title | Last Modified
oval:org.mitre.oval:def:24438 | P | USN-2247-1 -- nova vulnerabilities | 2014-08-11
oval:com.ubuntu.precise:def:20137130000 | V | CVE-2013-7130 on Ubuntu 12.04 LTS (precise) - medium. | 2014-02-06
oval:com.ubuntu.trusty:def:20137130000 | V | CVE-2013-7130 on Ubuntu 14.04 LTS (trusty) - medium. | 2014-02-06

    openstack compute 2012.2
    openstack compute 2013.1
    openstack compute 2013.1.1
    openstack compute 2013.1.2
    openstack compute 2013.1.3
    openstack grizzly -
    openstack havana -
    openstack icehouse -