CVE-2024-32498

NameCVE-2024-32498
DescriptionAn issue was discovered in OpenStack Cinder through 24.0.0, Glance before 28.0.2, and Nova before 29.0.3. Arbitrary file access can occur via custom QCOW2 external data. By supplying a crafted QCOW2 image that references a specific data file path, an authenticated user may convince systems to return a copy of that file's contents from the server, resulting in unauthorized access to potentially sensitive data. All Cinder and Nova deployments are affected; only Glance deployments with image conversion enabled are affected.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
ReferencesDLA-3871-1, DLA-3872-1, DLA-3873-1, DSA-5754-1, DSA-5755-1, DSA-5756-1
Debian Bugs1074761, 1074762, 1074763

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
cinder (PTS)jessie, jessie (lts)2014.1.3-11+deb8u1vulnerable
stretch2:9.0.0-4vulnerable
buster (security), buster, buster (lts)2:13.0.7-1+deb10u2vulnerable
bullseye2:17.0.1-1+deb11u1vulnerable
bullseye (security)2:17.4.0-1~deb11u2fixed
bookworm (security), bookworm2:21.3.1-1~deb12u1fixed
sid2:25.0.0-1fixed
glance (PTS)jessie2014.1.3-12+deb8u1vulnerable
stretch2:13.0.0-4vulnerable
buster (security), buster, buster (lts)2:17.0.0-5+deb10u1vulnerable
bullseye2:21.0.0-2+deb11u1vulnerable
bullseye (security)2:21.1.0-1+deb11u2fixed
bookworm (security), bookworm2:25.1.0-2+deb12u1fixed
sid, trixie2:29.0.0-1fixed
nova (PTS)jessie2014.1.3-11vulnerable
stretch (security), stretch (lts), stretch2:14.0.0-4+deb9u1vulnerable
buster (security), buster, buster (lts)2:18.1.0-6+deb10u2vulnerable
bullseye2:22.0.1-2+deb11u1vulnerable
bullseye (security)2:22.4.0-1~deb11u5fixed
bookworm (security), bookworm2:26.2.2-1~deb12u3fixed
sid, trixie2:30.0.0-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
cindersourcejessie(unfixed)end-of-life
cindersourcestretch(unfixed)end-of-life
cindersourcebuster(unfixed)end-of-life
cindersourcebullseye2:17.4.0-1~deb11u2DLA-3871-1
cindersourcebookworm2:21.3.1-1~deb12u1DSA-5754-1
cindersource(unstable)2:24.0.0-51074763
glancesourcejessie(unfixed)end-of-life
glancesourcestretch(unfixed)end-of-life
glancesourcebuster(unfixed)end-of-life
glancesourcebullseye2:21.1.0-1+deb11u2DLA-3872-1
glancesourcebookworm2:25.1.0-2+deb12u1DSA-5755-1
glancesource(unstable)2:28.0.1-3+deb12u11074761
novasourcejessie(unfixed)end-of-life
novasourcestretch(unfixed)end-of-life
novasourcebuster(unfixed)end-of-life
novasourcebullseye2:22.4.0-1~deb11u5DLA-3873-1
novasourcebookworm2:26.2.2-1~deb12u3DSA-5756-1
novasource(unstable)2:29.0.2-41074762

Notes

https://www.openwall.com/lists/oss-security/2024/07/02/2
https://bugs.launchpad.net/nova/+bug/2059809
When fixing CVE-2024-33498 make sure to make the fix for src:nova complete to
not introduce CVE-2024-40767.
Search for package or bug name: Reporting problems