Title: EGI SVG 'ADVISORY' [TLP:WHITE] CRITICAL risk OpenStack Vulnerability with
iSCSI or FC based volumes. CVE-2023-2088 [EGI-SVG-CVE-2023-2088]
Date: 2023-05-26
Updated: 2023-04-07
Affected software and risk
==========================
CRITICAL risk vulnerability concerning OpenStack
Package : OpenStack
CVE ID : CVE-2023-2088
CVSS Score : 9.1 [R 1]
A vulnerability has been reported in OpenStack concerning an inconsistency between
Cinder and Nova.
A remote, authenticated attacker could exploit this vulnerability by detaching one
of their volumes from Cinder. The highest impact is to confidentiality. [R 1]. [R 2]
Note that this only affects OpenStack with iSCSI or FC based volumes.
Actions required/recommended
============================
Sites running OpenStack should check whether their configuration is potentially
vulnerable, and whether they are running a vulnerable version of OpenStack.
If sites are vulnerable, they should update urgently (see 'more information' below),
if a fixed version is available for the version they are running.
Component installation information
==================================
Sites running RHEL should see [R 1]
Sites running CentOS should also see [R 1] [R 3]
Sites running Debian should see [R 4]
Sites running Ubuntu should see [R 5]
Sites running RockyLinux should see [R 6]
Sites running Almalinux should see [R 7]
Affected software details
=========================
See [R 2] for information on affected versions of OpenStack.
More information
================
Full details of the vulnerability and what is affected is available from OpenStack [R 2].
EGI SVG took another look at this, and noted that RedHat had raised the issue to 'Critical'.
We note that vulnerable sites are limited to sites supporting iSCSI and FC based volumes.
Attaching volumes is available as a functionality at EGI Cloud sites, so EGI Cloud sites running Openstack should check.
TLP and URL
===========
** WHITE information - Unlimited distribution
- see https://go.egi.eu/tlp for
distribution restrictions **
URL: https://advisories.egi.eu/Advisory-SVG-CVE-2023-2088
Minor updates may be made without re-distribution to the sites
Comments
========
Comments or questions should be sent to svg-rat at mailman.egi.eu
If you find or become aware of another vulnerability which is relevant to EGI
you may report it by e-mail to
report-vulnerability at egi.eu
the EGI Software Vulnerability Group will take a look according to the
procedure defined in [R 99]
[R 1] https://access.redhat.com/security/cve/CVE-2023-2088
[R 2] https://security.openstack.org/ossa/OSSA-2023-003.html
[R 3] https://lists.centos.org/pipermail/centos-announce/
[R 4] https://security-tracker.debian.org/tracker/CVE-2023-2088
[R 5] https://ubuntu.com/security/CVE-2023-2088
[R 6] https://errata.build.resf.org/
[R 7] https://errata.almalinux.org/
[R 99] https://documents.egi.eu/public/ShowDocument?docid=3867
Credit
======
SVG was alerted to this vulnerability by Alexander Dibbo
Timeline
========
Yyyy-mm-dd [EGI-SVG-2023-CVE-2023-2088]
2023-05-11 SVG alerted to this issue by Alexander Dibbo
2023-05-11 Investigation and discussion of whether vulnerability in scope for EGI
2023-05-24 Took another look, and RedHat had made 'Critical'
2023-05-24 EGI SVG Risk Assessment completed
2023-05-26 Advisory sent to sites
2023-04-07 Advisory placed on advisories.egi.eu
Context
=======
This advisory has been prepared as part of the effort to fulfil EGI SVG's
purpose "To minimize the risk to the EGI infrastructure arising from software
vulnerabilities"
The risk is that assessed by the group, according to the EGI SVG issue handling
procedure [R 99] in the context of how the software is used in the EGI
infrastructure. It is the opinion of the group, we do not guarantee it to be
correct. The risk may also be higher or lower in other deployments depending on
how the software is used.
-----------------------------
This advisory is subject to the Creative commons licence
https://creativecommons.org/licenses/by/4.0/
and the EGI https://www.egi.eu/ Software Vulnerability Group must be credited.
-----------------------------
On behalf of the EGI SVG,