{"id":5005,"date":"2025-04-24T09:44:00","date_gmt":"2025-04-24T07:44:00","guid":{"rendered":"https:\/\/yaook.cloud\/?page_id=5005"},"modified":"2025-04-24T11:30:48","modified_gmt":"2025-04-24T09:30:48","slug":"security-advisories-cve-2022-47951","status":"publish","type":"page","link":"https:\/\/yaook.cloud\/en\/security-advisories-cve-2022-47951\/","title":{"rendered":"security-advisories\/cve-2022-47951"},"content":{"rendered":"\t\t<div data-elementor-type=\"wp-page\" data-elementor-id=\"5005\" class=\"elementor elementor-5005\" data-elementor-post-type=\"page\">\n\t\t\t\t<div class=\"elementor-element elementor-element-ea1b144 e-flex e-con-boxed e-con e-parent\" data-id=\"ea1b144\" data-element_type=\"container\" data-e-type=\"container\">\n\t\t\t\t\t<div class=\"e-con-inner\">\n\t\t\t\t<div class=\"elementor-element elementor-element-b9dbf39 elementor-widget elementor-widget-text-editor\" data-id=\"b9dbf39\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<h1 id=\"yaook-security-advisory-for-cve-2022-47951\">YAOOK Security Advisory for CVE-2022-47951<\/h1><ul><li>Date: 2022-01-25<\/li><li>Upstream advisory: https:\/\/security.openstack.org\/ossa\/OSSA-2023-002.html<\/li><li>Upstream bug report: https:\/\/bugs.launchpad.net\/nova\/+bug\/1996188<\/li><\/ul><h2 id=\"important-update-2022-01-25-1700-utc\">Important update (2022-01-25 17:00 UTC)<\/h2><p><span class=\"citation\" data-cites=\"jklippel\">[@jklippel]<\/span>(https:\/\/gitlab.com\/jklippel) found that the patch was not correctly applied to glance in our images based on versions later than Victoria. A fix has been released in 0.20230125.3 (glance image version 1.1.18).<\/p><h2 id=\"what-is-cve-2022-47951-and-how-does-it-affect-yaook\">What is CVE-2022-47951 and how does it affect YAOOK?<\/h2><p>CVE-2022-47951 identifies an issue in several OpenStack components which allows authenticated OpenStack users to exfiltrate arbitrary files from the cloud provider\u2019s infrastructure. For details on this bug, please see the upstream issue <a href=\"https:\/\/bugs.launchpad.net\/nova\/+bug\/1996188\">1<\/a>.<\/p><p>ALL OpenStack deployments deployed using YAOOK running vulnerable image versions (see below) are vulnerable to CVE-2022-47951!<\/p><p>The YAOOK project has started publishing patched images at the time the embargo ended (2023-01-24 15:00 UTC). You should update your operators to the release 0.20230125.3, which contains these patched images, as soon as possible.<\/p><h2 id=\"is-my-cluster-vulnerable\">Is my cluster vulnerable?<\/h2><p>The following images are vulnerable:<\/p><ul><li>cinder images before version 2.0.34<\/li><li>glance images before 1.1.28<\/li><li>nova-compute images before 4.1.44<\/li><\/ul><p>If any of these images are used in your cluster, the cluster is vulnerable.<\/p><p>\u2013 NOTE: glance in versions older than train is NOT supported and we did not patch these images!<\/p><h2 id=\"mitigating-factors\">Mitigating factors<\/h2><p>As all OpenStack services deployed via YAOOK run inside containers, the exposure possibilities are more limited than in non-containerized OpenStack deployments.<\/p><p>However, the vulnerability is still critical. If an attacker manages to exploit nova-compute, it is likely possible to exfiltrate disks and potentially also volumes from other workload running on the same or potentially also other hypervisors.<\/p><h2 id=\"upgrading\">Upgrading<\/h2><p>A new stable release 0.20230125.3 (which is the same as 0.20230119.0 with only the patches applied) has been published today. You can upgrade to that release simply by updating your operators.<\/p><p>In case you have a large fleet of nova compute nodes, you may want to follow the following procedure in order to speed up the process:<\/p><p>\u2013 NOTE: This procedure bypasses several safety mechansims within YAOOK. Use at your own risk! It is similar to the impact of using yaookctl force-upgrade on all compute nodes.<\/p><ol type=\"1\"><li>Update all operators except the nova-compute-operator to the new release.<\/li><li>Reduce the replica count of the nova-compute-operator deployment to 0.<\/li><li>For each NovaComputeNode nova-compute statefulset, update the nova-compute image version to 4.1.44.<\/li><li>Wait for the StatefulSets to settle.<\/li><li>Update the nova-compute operator, while making sure that it is scaled back up to 1 replica.<\/li><\/ol><p>The <a href=\"https:\/\/gitlab.com\/yaook\/ops-scripts\/-\/blob\/devel\/patch_nova_compute_nodes.py\">patch_nova_compute_nodes.py<\/a> script can be used to support this process.<\/p><h2 id=\"detecting-exploits\">Detecting exploits<\/h2><p>If you are using Ceph-based storage, you may use the <a href=\"https:\/\/gitlab.com\/yaook\/ops-scripts\/-\/blob\/devel\/audit-vmdk.sh\">audit-vmdk.sh<\/a> script to find block objects (images or volumes) which start with a VMDK header.<\/p><p>\u2013 NOTE: That script still requires manual inspection of the images it finds; it does not check whether the VMDK is actually attempting an exploit.<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t","protected":false},"excerpt":{"rendered":"<p>YAOOK Security Advisory for CVE-2022-47951 Date: 2022-01-25 Upstream advisory: https:\/\/security.openstack.org\/ossa\/OSSA-2023-002.html Upstream bug report: https:\/\/bugs.launchpad.net\/nova\/+bug\/1996188 Important update (2022-01-25 17:00 UTC) [@jklippel](https:\/\/gitlab.com\/jklippel) found that the patch was not correctly applied to glance in our images based on versions later than Victoria. A fix has been released in 0.20230125.3 (glance image version 1.1.18). What is CVE-2022-47951 and how [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":0,"parent":0,"menu_order":0,"comment_status":"closed","ping_status":"closed","template":"","meta":{"_acf_changed":false,"inline_featured_image":false,"footnotes":""},"class_list":["post-5005","page","type-page","status-publish","hentry"],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.5 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>security-advisories\/cve-2022-47951 &#187; Yaook<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/yaook.cloud\/en\/security-advisories-cve-2022-47951\/\" \/>\n<meta property=\"og:locale\" content=\"en_GB\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"security-advisories\/cve-2022-47951 &#187; Yaook\" \/>\n<meta property=\"og:description\" content=\"YAOOK Security Advisory for CVE-2022-47951 Date: 2022-01-25 Upstream advisory: https:\/\/security.openstack.org\/ossa\/OSSA-2023-002.html Upstream bug report: https:\/\/bugs.launchpad.net\/nova\/+bug\/1996188 Important update (2022-01-25 17:00 UTC) [@jklippel](https:\/\/gitlab.com\/jklippel) found that the patch was not correctly applied to glance in our images based on versions later than Victoria. A fix has been released in 0.20230125.3 (glance image version 1.1.18). What is CVE-2022-47951 and how [&hellip;]\" \/>\n<meta property=\"og:url\" content=\"https:\/\/yaook.cloud\/en\/security-advisories-cve-2022-47951\/\" \/>\n<meta property=\"og:site_name\" content=\"Yaook\" \/>\n<meta property=\"article:modified_time\" content=\"2025-04-24T09:30:48+00:00\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Estimated reading time\" \/>\n\t<meta name=\"twitter:data1\" content=\"3 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/yaook.cloud\\\/security-advisories-cve-2022-47951\\\/\",\"url\":\"https:\\\/\\\/yaook.cloud\\\/security-advisories-cve-2022-47951\\\/\",\"name\":\"security-advisories\\\/cve-2022-47951 &#187; Yaook\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/yaook.cloud\\\/#website\"},\"datePublished\":\"2025-04-24T07:44:00+00:00\",\"dateModified\":\"2025-04-24T09:30:48+00:00\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/yaook.cloud\\\/security-advisories-cve-2022-47951\\\/#breadcrumb\"},\"inLanguage\":\"en-GB\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/yaook.cloud\\\/security-advisories-cve-2022-47951\\\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/yaook.cloud\\\/security-advisories-cve-2022-47951\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Startseite\",\"item\":\"https:\\\/\\\/yaook.cloud\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"security-advisories\\\/cve-2022-47951\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/yaook.cloud\\\/#website\",\"url\":\"https:\\\/\\\/yaook.cloud\\\/\",\"name\":\"Yaook\",\"description\":\"The Lifecycle Management Tool for OpenStack\",\"publisher\":{\"@id\":\"https:\\\/\\\/yaook.cloud\\\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/yaook.cloud\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-GB\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/yaook.cloud\\\/#organization\",\"name\":\"ALASCA e.V.\",\"alternateName\":\"Alasca - Verband f\u00fcr betriebsf\u00e4hige, offene Cloud-Infrastrukturen e.V.\",\"url\":\"https:\\\/\\\/yaook.cloud\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-GB\",\"@id\":\"https:\\\/\\\/yaook.cloud\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"https:\\\/\\\/alasca.cloud\\\/wp-content\\\/uploads\\\/2022\\\/08\\\/favicon.png\",\"contentUrl\":\"https:\\\/\\\/alasca.cloud\\\/wp-content\\\/uploads\\\/2022\\\/08\\\/favicon.png\",\"width\":512,\"height\":512,\"caption\":\"ALASCA e.V.\"},\"image\":{\"@id\":\"https:\\\/\\\/yaook.cloud\\\/#\\\/schema\\\/logo\\\/image\\\/\"}}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"security-advisories\/cve-2022-47951 \u00bb Yaook","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/yaook.cloud\/en\/security-advisories-cve-2022-47951\/","og_locale":"en_GB","og_type":"article","og_title":"security-advisories\/cve-2022-47951 &#187; Yaook","og_description":"YAOOK Security Advisory for CVE-2022-47951 Date: 2022-01-25 Upstream advisory: https:\/\/security.openstack.org\/ossa\/OSSA-2023-002.html Upstream bug report: https:\/\/bugs.launchpad.net\/nova\/+bug\/1996188 Important update (2022-01-25 17:00 UTC) [@jklippel](https:\/\/gitlab.com\/jklippel) found that the patch was not correctly applied to glance in our images based on versions later than Victoria. A fix has been released in 0.20230125.3 (glance image version 1.1.18). What is CVE-2022-47951 and how [&hellip;]","og_url":"https:\/\/yaook.cloud\/en\/security-advisories-cve-2022-47951\/","og_site_name":"Yaook","article_modified_time":"2025-04-24T09:30:48+00:00","twitter_card":"summary_large_image","twitter_misc":{"Estimated reading time":"3 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"WebPage","@id":"https:\/\/yaook.cloud\/security-advisories-cve-2022-47951\/","url":"https:\/\/yaook.cloud\/security-advisories-cve-2022-47951\/","name":"security-advisories\/cve-2022-47951 \u00bb Yaook","isPartOf":{"@id":"https:\/\/yaook.cloud\/#website"},"datePublished":"2025-04-24T07:44:00+00:00","dateModified":"2025-04-24T09:30:48+00:00","breadcrumb":{"@id":"https:\/\/yaook.cloud\/security-advisories-cve-2022-47951\/#breadcrumb"},"inLanguage":"en-GB","potentialAction":[{"@type":"ReadAction","target":["https:\/\/yaook.cloud\/security-advisories-cve-2022-47951\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/yaook.cloud\/security-advisories-cve-2022-47951\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Startseite","item":"https:\/\/yaook.cloud\/"},{"@type":"ListItem","position":2,"name":"security-advisories\/cve-2022-47951"}]},{"@type":"WebSite","@id":"https:\/\/yaook.cloud\/#website","url":"https:\/\/yaook.cloud\/","name":"Yaook","description":"The Lifecycle Management Tool for OpenStack","publisher":{"@id":"https:\/\/yaook.cloud\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/yaook.cloud\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-GB"},{"@type":"Organization","@id":"https:\/\/yaook.cloud\/#organization","name":"ALASCA e.V.","alternateName":"Alasca - Verband f\u00fcr betriebsf\u00e4hige, offene Cloud-Infrastrukturen e.V.","url":"https:\/\/yaook.cloud\/","logo":{"@type":"ImageObject","inLanguage":"en-GB","@id":"https:\/\/yaook.cloud\/#\/schema\/logo\/image\/","url":"https:\/\/alasca.cloud\/wp-content\/uploads\/2022\/08\/favicon.png","contentUrl":"https:\/\/alasca.cloud\/wp-content\/uploads\/2022\/08\/favicon.png","width":512,"height":512,"caption":"ALASCA e.V."},"image":{"@id":"https:\/\/yaook.cloud\/#\/schema\/logo\/image\/"}}]}},"_links":{"self":[{"href":"https:\/\/yaook.cloud\/en\/wp-json\/wp\/v2\/pages\/5005","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/yaook.cloud\/en\/wp-json\/wp\/v2\/pages"}],"about":[{"href":"https:\/\/yaook.cloud\/en\/wp-json\/wp\/v2\/types\/page"}],"author":[{"embeddable":true,"href":"https:\/\/yaook.cloud\/en\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/yaook.cloud\/en\/wp-json\/wp\/v2\/comments?post=5005"}],"version-history":[{"count":8,"href":"https:\/\/yaook.cloud\/en\/wp-json\/wp\/v2\/pages\/5005\/revisions"}],"predecessor-version":[{"id":5045,"href":"https:\/\/yaook.cloud\/en\/wp-json\/wp\/v2\/pages\/5005\/revisions\/5045"}],"wp:attachment":[{"href":"https:\/\/yaook.cloud\/en\/wp-json\/wp\/v2\/media?parent=5005"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}