製品・ソフトウェアに関する情報

JVN脆弱性詳細

OpenStack Compute (Nova) における任意のファイルを上書きされる脆弱性

Title	OpenStack Compute (Nova) における任意のファイルを上書きされる脆弱性
Summary	OpenStack Compute (Nova) Folsom (2012.2)、Essex (2012.1) および Diablo (2011.3) の virt/disk/api.py には、任意のファイルを上書きされる脆弱性が存在します。
Possible impacts	リモート認証されたユーザにより、画像内のファイル上のシンボリックリンク攻撃を介して、任意のファイルを上書きされる可能性があります。
Solution	ベンダより正式な対策が公開されています。ベンダ情報を参照して適切な対策を実施してください。
Publication Date	June 20, 2012, midnight
Registration Date	July 24, 2012, 4:38 p.m.
Last Update	Sept. 4, 2012, 5:51 p.m.

Affected System

OpenStack

OpenStack Compute Nova Folsom (2012.2)

OpenStack Diablo (2011.3)

OpenStack Essex (2012.1)

CVE (情報セキュリティ共通脆弱性識別子)

No	Name	URL
Common Vulnerabilities and Exposures (CVE)
1	CVE-2012-3361	http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3361
National Vulnerability Database (NVD)
2	CVE-2012-3361	http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-3361

CWE (共通脆弱性タイプ一覧)

No	Name	URL
JVNDB
1	CWE-264	https://jvndb.jvn.jp/ja/cwe/CWE-264.html

ベンダー情報

No	Name	URL
Fedora Update Notification
1	FEDORA-2012-10418	http://lists.fedoraproject.org/pipermail/package-announce/2012-July/083969.html
2	FEDORA-2012-10420	http://lists.fedoraproject.org/pipermail/package-announce/2012-July/083984.html
GitHub
3	Prevent file injection writing to host filesystem - 2427d4a	https://github.com/openstack/nova/commit/2427d4a99bed35baefd8f17ba422cb7aae8dcca7
4	Prevent file injection writing to host filesystem - b0feaff	https://github.com/openstack/nova/commit/b0feaffdb2b1c51182b8dce41b367f3449af5dd9
Launchpad
5	Remote arbitrary file corruption / creation flaw via injected files	https://bugs.launchpad.net/nova/+bug/1015531
OpenStack
6	Change I134c4025: Prevent key/net/md injection writing to host fs	https://review.openstack.org/#/c/9268/
Ubuntu Security Notice
7	USN-1497-1	http://www.ubuntu.com/usn/USN-1497-1/

Change Log

No	Changed Details	Date of change
0	[2012年07月24日] 掲載 [2012年09月04日] ベンダ情報：Fedora Project (FEDORA-2012-10420) を追加ベンダ情報：Fedora Project (FEDORA-2012-10418) を追加	Feb. 17, 2018, 10:37 a.m.

NVD Vulnerability Information

CVE-2012-3361

Summary	virt/disk/api.py in OpenStack Compute (Nova) Folsom (2012.2), Essex (2012.1), and Diablo (2011.3) allows remote authenticated users to overwrite arbitrary files via a symlink attack on a file in an image.
Publication Date	July 23, 2012, 1:55 a.m.
Registration Date	Jan. 28, 2021, 3 p.m.
Last Update	Nov. 21, 2024, 10:40 a.m.

Affected software configurations

Related information, measures and tools

No	URL	タグ
1	http://lists.fedoraproject.org/pipermail/package-announce/2012-July/083969.html
2	http://lists.fedoraproject.org/pipermail/package-announce/2012-July/083969.html
3	http://lists.fedoraproject.org/pipermail/package-announce/2012-July/083984.html
4	http://lists.fedoraproject.org/pipermail/package-announce/2012-July/083984.html
5	http://secunia.com/advisories/49763	Vendor Advisory
6	http://secunia.com/advisories/49763	Vendor Advisory
7	http://secunia.com/advisories/49802	Vendor Advisory
8	http://secunia.com/advisories/49802	Vendor Advisory
9	http://www.securityfocus.com/bid/54278
10	http://www.securityfocus.com/bid/54278
11	http://www.ubuntu.com/usn/USN-1497-1
12	http://www.ubuntu.com/usn/USN-1497-1
13	https://bugs.launchpad.net/nova/+bug/1015531
14	https://bugs.launchpad.net/nova/+bug/1015531
15	https://github.com/openstack/nova/commit/2427d4a99bed35baefd8f17ba422cb7aae8dcca7	Exploit Patch
16	https://github.com/openstack/nova/commit/2427d4a99bed35baefd8f17ba422cb7aae8dcca7	Exploit Patch
17	https://github.com/openstack/nova/commit/b0feaffdb2b1c51182b8dce41b367f3449af5dd9	Exploit Patch
18	https://github.com/openstack/nova/commit/b0feaffdb2b1c51182b8dce41b367f3449af5dd9	Exploit Patch
19	https://lists.launchpad.net/openstack/msg14089.html
20	https://lists.launchpad.net/openstack/msg14089.html
21	https://review.openstack.org/#/c/9268/
22	https://review.openstack.org/#/c/9268/

Common Vulnerabilities List

No	CWE	Name	URL
1	CWE-264	認可・権限・アクセス制御	https://cwe.mitre.org/data/definitions/264.html