CVE-2020-17376: XEE
First published: Wed Aug 26 2020(Updated: )
An issue was discovered in Guest.migrate in `virt/libvirt/guest.py` in OpenStack Nova before 19.3.1, 20.x before 20.3.1, and 21.0.0. By performing a soft reboot of an instance that has previously undergone live migration, a user may gain access to destination host devices that share the same paths as host devices previously referenced by the virtual machine on the source host. This can include block devices that map to different Cinder volumes at the destination than at the source. Only deployments allowing host-based connections (for instance, root and ephemeral devices) are affected.
Credit: cve@mitre.org cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| OpenStack Nova | <19.3.1 | |
| OpenStack Nova | >=20.0.0<20.3.1 | |
| OpenStack Nova | =21.0.0 | |
| pip/nova | =21.0.0 | |
| pip/nova | >=20.0.0<20.3.1 | 20.3.1 |
| pip/nova | <19.3.1 | 19.3.1 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://www.openwall.com/lists/oss-security/2020/08/25/4
- https://launchpad.net/bugs/1890501
- https://security.openstack.org/ossa/OSSA-2020-006.html
- https://nvd.nist.gov/vuln/detail/CVE-2020-17376
- https://github.com/openstack/nova/commit/1bb8ee95d4c3ddc3f607ac57526b75af1b7fbcff
- https://github.com/openstack/nova/commit/2faf17995dd9daa6f0b91e44be43264e447c678d
- https://github.com/openstack/nova/commit/a721ca5f510ce3c8ef24f22dac9e475b3d7651db
- https://github.com/openstack/nova/commit/b9ea91d17703f5b324a50727b6503ace0f4e95eb
- https://github.com/openstack/nova/commit/c438fd9a0eb1903306a53ab44e3ae80660d8a429
- https://github.com/advisories/GHSA-c7w7-9c85-4qxv (Advisory)
Frequently Asked Questions
What is CVE-2020-17376?
CVE-2020-17376 is a vulnerability in OpenStack Nova that allows a user to gain access to destination host devices by performing a soft reboot of an instance that has previously undergone live migration.
What is the severity of CVE-2020-17376?
The severity of CVE-2020-17376 is high, with a CVSS score of 8.3.
How does CVE-2020-17376 affect OpenStack Nova?
CVE-2020-17376 affects OpenStack Nova versions before 19.3.1, 20.x before 20.3.1, and 21.0.0.
How can I fix CVE-2020-17376?
To fix CVE-2020-17376, update OpenStack Nova to version 19.3.1, 20.3.1, or later.
Where can I find more information about CVE-2020-17376?
You can find more information about CVE-2020-17376 at the following references: - http://www.openwall.com/lists/oss-security/2020/08/25/4 - https://launchpad.net/bugs/1890501 - https://security.openstack.org/ossa/OSSA-2020-006.html
- collector/nvd-index
- agent/type
- agent/remedy
- agent/first-publish-date
- collector/github-advisory-latest
- source/GitHub
- alias/GHSA-c7w7-9c85-4qxv
- alias/CVE-2020-17376
- agent/software-canonical-lookup
- agent/severity
- agent/last-modified-date
- agent/author
- agent/references
- agent/weakness
- agent/tags
- agent/description
- collector/nvd-cve
- source/NVD
- agent/softwarecombine
- agent/event
- collector/github-advisory
- vendor/openstack
- canonical/openstack nova
- version/openstack nova/20.0.0
- version/openstack nova/21.0.0
- package-manager/pip