YAOOK Security Advisory for CVE-2024-40767
- Date: 2024-07-23
- Upstream advisory: https://security.openstack.org/ossa/OSSA-2024-002.html
- Upstream bug report: https://bugs.launchpad.net/bugs/2071734
What is CVE-2024-40767 and how does it affect YAOOK?
Is my cluster vulnerable?
The following images are vulnerable:
- nova-compute images before 4.1.121
If any of these images are used in your cluster, the cluster is vulnerable.
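A way to run this check over pod data, as an added example that is not part of the YAOOK advisory or tooling: it compares tags numerically, because a plain string comparison would rank 4.1.99 above 4.1.121. It assumes the last path component of the image repository starts with `nova-compute` and the tag starts with the image version; the registry, namespace and pod names in the sample are constructed.

```python
import re

FIXED = (4, 1, 121)  # first non-vulnerable nova-compute image version per this advisory

def parse_image(ref):
    """Split an image reference into (last path component, tag or None)."""
    name = ref.split("@", 1)[0].rsplit("/", 1)[-1]  # drop digest and registry host:port/path
    repo, sep, tag = name.partition(":")
    return repo, (tag if sep else None)

def version_tuple(tag):
    """Leading dotted numeric version of a tag as a tuple of ints, or None."""
    m = re.match(r"v?(\d+(?:\.\d+)*)", tag or "")
    return tuple(int(p) for p in m.group(1).split(".")) if m else None

def vulnerable_images(pod_list, prefix="nova-compute", fixed=FIXED):
    """Return sorted (namespace, pod, image, verdict) rows for affected images."""
    findings = []
    for pod in pod_list.get("items", []):
        meta, spec = pod.get("metadata", {}), pod.get("spec", {})
        for c in spec.get("initContainers", []) + spec.get("containers", []):
            image = c.get("image", "")
            repo, tag = parse_image(image)
            if not repo.startswith(prefix):  # assumption: image naming convention
                continue
            ver = version_tuple(tag)
            if ver is not None and ver >= fixed:
                continue
            # Digest-only or non-numeric tags cannot be compared: flag for manual review.
            verdict = "unknown" if ver is None else "vulnerable"
            findings.append((meta.get("namespace", ""), meta.get("name", ""), image, verdict))
    return sorted(findings)

# Constructed sample in the shape of `kubectl get pods -A -o json`; all names are made up.
SAMPLE = {"items": [
    {"metadata": {"namespace": "yaook", "name": "nova-compute-cmp1-0"},
     "spec": {"containers": [{"image": "registry.example:5000/yaook/nova-compute:4.1.99"}]}},
    {"metadata": {"namespace": "yaook", "name": "nova-compute-cmp2-0"},
     "spec": {"containers": [{"image": "registry.example:5000/yaook/nova-compute:4.1.121"}]}},
    {"metadata": {"namespace": "yaook", "name": "nova-compute-cmp3-0"},
     "spec": {"containers": [{"image": "registry.example:5000/yaook/nova-compute@sha256:0000"}]}},
    {"metadata": {"namespace": "yaook", "name": "nova-api-0"},
     "spec": {"containers": [{"image": "registry.example:5000/yaook/nova-api:4.1.99"}]}},
]}

if __name__ == "__main__":
    for row in vulnerable_images(SAMPLE):
        print(*row)
```

To check a real cluster, pass the parsed output of `kubectl get pods -A -o json` to `vulnerable_images` instead of `SAMPLE`.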
Mitigating factors
As all OpenStack services deployed via YAOOK run inside containers, the exposure possibilities are more limited than in non-containerised OpenStack deployments.
However, the vulnerability is still critical. An attacker who manages to exploit nova-compute can likely exfiltrate disks, and potentially also volumes, of other workloads running on the same hypervisor and potentially on other hypervisors as well.
Upgrading
A new stable release will be published. You can upgrade to that release simply by updating your operators.
If you have a large fleet of nova-compute nodes, you may want to use the following procedure to speed up the process:
- NOTE: This procedure bypasses several safety mechanisms within YAOOK. Use at your own risk! Its impact is similar to that of using `yaookctl force-upgrade` on all compute nodes.
- Update all operators
- For each NovaComputeNode nova-compute StatefulSet, update the nova-compute image version to 4.1.121.
- Wait for the StatefulSets to settle.