YAOOK Security Advisory for CVE-2022-47951
- Date: 2022-01-25
- Upstream advisory: https://security.openstack.org/ossa/OSSA-2023-002.html
- Upstream bug report: https://bugs.launchpad.net/nova/+bug/1996188
Important update (2022-01-25 17:00 UTC)
[@jklippel](https://gitlab.com/jklippel) found that the patch was not correctly applied to glance in our images based on versions later than Victoria. A fix has been released in 0.20230125.3 (glance image version 1.1.18).
What is CVE-2022-47951 and how does it affect YAOOK?
CVE-2022-47951 identifies an issue in several OpenStack components which allows authenticated OpenStack users to exfiltrate arbitrary files from the cloud provider's infrastructure. For details on this bug, please see the upstream bug report linked above.
ALL OpenStack deployments set up using YAOOK that run vulnerable image versions (see below) are vulnerable to CVE-2022-47951!
The YAOOK project has started publishing patched images at the time the embargo ended (2023-01-24 15:00 UTC). You should update your operators to the release 0.20230125.3, which contains these patched images, as soon as possible.
Is my cluster vulnerable?
The following images are vulnerable:
- cinder images before version 2.0.34
- glance images before 1.1.28
- nova-compute images before 4.1.44
If any of these images are used in your cluster, the cluster is vulnerable.
- NOTE: glance in versions older than Train is NOT supported and we did not patch these images!
Mitigating factors
As all OpenStack services deployed via YAOOK run inside containers, the exposure possibilities are more limited than in non-containerised OpenStack deployments.
However, the vulnerability is still critical. If an attacker manages to exploit nova-compute, it is likely possible to exfiltrate disks and potentially also volumes of other workloads running on the same hypervisor, and potentially on other hypervisors as well.
Upgrading
A new stable release 0.20230125.3 (which is the same as 0.20230119.0 with only the patches applied) has been published today. You can upgrade to that release simply by updating your operators.
In case you have a large fleet of nova-compute nodes, you may want to use the following procedure to speed up the process:
- NOTE: This procedure bypasses several safety mechanisms within YAOOK. Use at your own risk! Its impact is similar to running yaookctl force-upgrade on all compute nodes.
- Update all operators except the nova-compute-operator to the new release.
- Reduce the replica count of the nova-compute-operator deployment to 0.
- For each NovaComputeNode, update the nova-compute image version in its nova-compute StatefulSet to 4.1.44.
- Wait for the StatefulSets to settle.
- Update the nova-compute-operator to the new release, making sure that it is scaled back up to 1 replica.
The patch_nova_compute_nodes.py script can be used to support this process.
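As an added illustration of steps 2 to 4 of the procedure (this is example code written for this advisory, not YAOOK's own patch_nova_compute_nodes.py), the helper below scales the operator Deployment to 0, patches the nova-compute container image in every matching StatefulSet to 4.1.44, and waits for the rollouts to settle. The namespace, the label selector, the container name "nova-compute" and the Deployment name "nova-compute-operator" are assumptions you must adjust to your cluster; the operator update before and after (steps 1 and 5) remains a manual step.

```python
"""Fleet-wide nova-compute image patch helper (steps 2-4 of the procedure).

Added example; NOT YAOOK's own patch_nova_compute_nodes.py.  Assumptions
(not taken from the advisory): namespace, label selector, container name
"nova-compute" and the Deployment name "nova-compute-operator" are
placeholders for your cluster.
"""
import json
import re
import subprocess

TARGET_VERSION = "4.1.44"                       # patched nova-compute image version
CONTAINER_NAME = "nova-compute"                 # assumption: container name in the StatefulSet
OPERATOR_DEPLOYMENT = "nova-compute-operator"   # assumption: Deployment name of the operator

# repo[:port]/name:tag -- non-greedy repo so a registry port is not mistaken for the tag
IMAGE_TAG_RE = re.compile(r"^(?P<repo>.+?):(?P<tag>[^:/@]+)$")


def bump_image_tag(image: str, target: str = TARGET_VERSION) -> str:
    """Return the image reference with its tag replaced by `target`."""
    if "@" in image:
        raise ValueError(f"digest-pinned image cannot be retagged: {image}")
    m = IMAGE_TAG_RE.match(image)
    if not m:
        raise ValueError(f"image reference has no tag: {image}")
    return f"{m.group('repo')}:{target}"


def build_patch(statefulset: dict, target: str = TARGET_VERSION):
    """Strategic-merge patch that moves the nova-compute container to `target`.

    `statefulset` is one item of `kubectl get statefulsets -o json`.
    Returns None when the container already runs `target`.
    """
    updates = []
    for c in statefulset["spec"]["template"]["spec"]["containers"]:
        if c["name"] != CONTAINER_NAME:
            continue
        new_image = bump_image_tag(c["image"], target)
        if new_image != c["image"]:
            updates.append({"name": c["name"], "image": new_image})
    if not updates:
        return None
    return {"spec": {"template": {"spec": {"containers": updates}}}}


def plan(statefulsets: list, target: str = TARGET_VERSION) -> list:
    """Return [(StatefulSet name, patch)] for every StatefulSet that needs a change."""
    out = []
    for sts in statefulsets:
        patch = build_patch(sts, target)
        if patch is not None:
            out.append((sts["metadata"]["name"], patch))
    return out


def kubectl(*args: str) -> str:
    """Run kubectl and return its stdout; raises on a non-zero exit."""
    return subprocess.run(["kubectl", *args], check=True,
                          capture_output=True, text=True).stdout


def patch_fleet(namespace: str, selector: str, target: str = TARGET_VERSION) -> list:
    """Scale the operator to 0, patch every nova-compute StatefulSet, wait for rollouts."""
    # Step 2: stop the operator so it does not revert the manual image change.
    kubectl("scale", f"deployment/{OPERATOR_DEPLOYMENT}", "--replicas=0", "-n", namespace)
    statefulsets = json.loads(kubectl("get", "statefulsets", "-n", namespace,
                                      "-l", selector, "-o", "json"))["items"]
    patched = []
    # Step 3: patch each StatefulSet that is not yet on the target version.
    for name, patch in plan(statefulsets, target):
        kubectl("patch", "statefulset", name, "-n", namespace,
                "--type=strategic", "-p", json.dumps(patch))
        patched.append(name)
    # Step 4: wait for every rollout to settle before handing control back.
    for name in patched:
        kubectl("rollout", "status", f"statefulset/{name}", "-n", namespace)
    return patched


if __name__ == "__main__":
    import sys
    ns = sys.argv[1] if len(sys.argv) > 1 else "yaook"                # placeholder namespace
    sel = sys.argv[2] if len(sys.argv) > 2 else "app=nova-compute"    # placeholder selector
    print("patched:", patch_fleet(ns, sel))
    print(f"now update {OPERATOR_DEPLOYMENT} to the new release and scale it back to 1 replica")
```

Because the operator is scaled to 0 while the StatefulSets are patched, nothing reconciles the image back; scaling the updated operator back to 1 afterwards lets it take over the already-patched fleet without restarting every node again.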
Detecting exploits
If you are using Ceph-based storage, you may use the audit-vmdk.sh script to find block objects (images or volumes) which start with a VMDK header.
- NOTE: That script still requires manual inspection of the images it finds; it does not check whether the VMDK is actually attempting an exploit.
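The following added example (written for this advisory, not YAOOK's audit-vmdk.sh) shows the same idea in Python: read the first bytes of every RBD image in a pool and flag those that carry a VMDK header, either the sparse-extent magic "KDMV", the older "COWD" magic, or a text descriptor beginning with "# Disk DescriptorFile". It assumes `rbd ls <pool>` and `rbd export <pool>/<image> -` (stream to stdout) are available on the host, and the pool names are placeholders. Exactly like the shell script, it produces a list of candidates for manual inspection and does not judge whether a flagged object is malicious.

```python
"""Flag Ceph RBD block objects (images/volumes) that start with a VMDK header.

Added example for the audit step above; NOT YAOOK's audit-vmdk.sh.
Assumptions: `rbd ls <pool>` and `rbd export <pool>/<image> -` work on the
host running this; pool names are placeholders.  Hits still need manual review.
"""
import struct
import subprocess

HEADER_BYTES = 512  # enough to cover every magic checked below


def classify_header(head: bytes) -> str:
    """Classify a block object by its leading bytes."""
    if head[:4] == b"KDMV":                      # VMDK sparse extent magic (LE 0x564d444b)
        version = struct.unpack_from("<I", head, 4)[0] if len(head) >= 8 else None
        return f"vmdk-sparse(v{version})"
    if head[:4] == b"COWD":                      # VMware COW disk (ESX vmfsSparse) magic
        return "vmdk-cowd"
    if head.lstrip().startswith(b"# Disk DescriptorFile"):   # plain-text VMDK descriptor
        return "vmdk-descriptor"
    if head[:4] == b"QFI\xfb":                   # qcow2, shown so the two are not confused
        return "qcow2"
    return "other"                               # raw disk, ISO, or anything else


def is_vmdk(kind: str) -> bool:
    return kind.startswith("vmdk-")


def read_head(pool: str, image: str, nbytes: int = HEADER_BYTES) -> bytes:
    """Read the first `nbytes` of an RBD image by streaming `rbd export ... -`."""
    proc = subprocess.Popen(["rbd", "export", f"{pool}/{image}", "-"],
                            stdout=subprocess.PIPE, stderr=subprocess.DEVNULL)
    try:
        return proc.stdout.read(nbytes)
    finally:
        proc.kill()      # we only needed the head of the image
        proc.wait()


def audit_pool(pool: str) -> list:
    """Return [(pool/image, kind)] for every image whose header looks like VMDK."""
    names = subprocess.run(["rbd", "ls", pool], check=True,
                           capture_output=True, text=True).stdout.split()
    hits = []
    for name in names:
        kind = classify_header(read_head(pool, name))
        if is_vmdk(kind):
            hits.append((f"{pool}/{name}", kind))
    return hits


# Constructed sample headers (not real cloud data) to exercise classify_header offline.
SAMPLES = {
    "sparse": b"KDMV" + struct.pack("<I", 1) + b"\x00" * 8,
    "descriptor": b"# Disk DescriptorFile\nversion=1\nencoding=\"UTF-8\"\n",
    "qcow2": b"QFI\xfb" + b"\x00" * 12,
    "raw": b"\x00" * 16,
}


if __name__ == "__main__":
    import sys
    for label, head in SAMPLES.items():
        print(f"sample {label:10s} -> {classify_header(head)}")
    for pool in sys.argv[1:] or ["images", "volumes"]:      # placeholder pool names
        for ref, kind in audit_pool(pool):
            print(f"INSPECT MANUALLY: {ref} ({kind})")
```

Reading only the first 512 bytes keeps the audit cheap even on large volumes; a hit means the object begins with a VMDK structure, nothing more, so each one still has to be opened and inspected by hand as the note above says.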