YAOOK Security Advisory for CVE-2024-32498

• Date: 2024-07-02
• Upstream advisory: https://security.openstack.org/ossa/OSSA-2024-001.html
• Upstream bug report: https://bugs.launchpad.net/bugs/2059809

What is CVE-2022-47951 and how does it affect YAOOK?

Is my cluster vulnerable?

The following images are vulnerable:

• cinder images before version 2.0.86
• glance images before 1.1.117
• nova images before 1.1.86
• nova-compute images before 4.1.114

If any of these images are used in your cluster, the cluster is vulnerable.

Mitigating factors

As all OpenStack services deployed via YAOOK run inside containers, the exposure possibilities are more limited than in non-containerized OpenStack deployments.

However, the vulnerability is still critical. If an attacker manages to exploit nova-compute, it is likely possible to exfiltrate disks and potentially also volumes from other workload running on the same or potentially also other hypervisors.

Upgrading

A new stable release 0.20240703.0 (which is the same as 0.20240628.0 with only the patches applied) has been published today. You can upgrade to that release simply by updating your operators.

In case you have a large fleet of nova compute nodes, you may want to follow the following procedure in order to speed up the process:

– NOTE: This procedure bypasses several safety mechansims within YAOOK. Use at your own risk! It is similar to the impact of using yaookctl force-upgrade on all compute nodes.

1. Update all operators except the nova-compute-operator to the new release.
2. Reduce the replica count of the nova-compute-operator deployment to 0.
3. For each NovaComputeNode nova-compute statefulset, update the nova-compute image version to 4.1.114.
4. Wait for the StatefulSets to settle.
5. Update the nova-compute operator, while making sure that it is scaled back up to 1 replica.