The following images are vulnerable:
If any of these images are used in your cluster, the cluster is vulnerable.
As all OpenStack services deployed via YAOOK run inside containers, the exposure possibilities are more limited than in non-containerized OpenStack deployments.
However, the vulnerability is still critical. If an attacker manages to exploit nova-compute, it is likely possible to exfiltrate disks, and potentially also volumes, from other workloads running on the same hypervisor or potentially also on other hypervisors.
A new stable release 0.20240703.0 (which is the same as 0.20240628.0 with only the patches applied) has been published today. You can upgrade to that release simply by updating your operators.
If you have a large fleet of nova compute nodes, you may want to use the following procedure to speed up the process:
– NOTE: This procedure bypasses several safety mechanisms within YAOOK. Use at your own risk! Its impact is similar to that of using yaookctl force-upgrade on all compute nodes.