Comment 22 for bug 1015531

Thierry Carrez (ttx) wrote :

Proposed Impact description:

Title: Arbitrary file injection/corruption through directory traversal issues
Impact: Critical
Reporter: Matthias Weckbecker (SUSE Security team), Pádraig Brady (RedHat)
Products: Nova
Affects: All versions

Description:
Matthias Weckbecker from SUSE Security team reported a vulnerability in Nova compute nodes' handling of file injection in disk images. By requesting files to be injected in malicious paths, a remote authenticated user could inject files in arbitrary locations on the host file system, potentially resulting in full compromise of the compute node. Only Essex and later setups running the OpenStack API over libvirt-based hypervisors are affected.

Upon further inspection of the code, Pádraig Brady from RedHat found an additional vulnerability. By crafting a malicious image and requesting an instance based on it, a remote authenticated user may corrupt arbitrary files on the host filesystem, potentially resulting in a denial of service. This affects all setups.
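
An added example, not part of the comment above and not Nova's own code: a path containment check of the kind that guards file injection into a mounted image directory. The names `join_within_root` and `PathEscapeError`, the directory layout and the sample paths are all constructed for illustration, and the symbolic-link case is an assumption about the general containment problem rather than a detail taken from the report.

```python
import os
import tempfile


class PathEscapeError(ValueError):
    """Raised when a requested injection path resolves outside the image root."""


def join_within_root(root, requested):
    """Resolve `requested` under `root`; refuse anything that lands outside it.

    realpath() collapses ".." components and follows symbolic links, so the
    comparison is made on the location a write would actually reach.
    """
    root_real = os.path.realpath(root)
    # Treat the requested path as relative to the image root, even if absolute.
    candidate = os.path.realpath(os.path.join(root_real, requested.lstrip("/")))
    if candidate != root_real and not candidate.startswith(root_real + os.sep):
        raise PathEscapeError("%r escapes %r" % (requested, root_real))
    return candidate


def check_samples():
    """Run the check over constructed sample paths in a throwaway directory."""
    results = {}
    with tempfile.TemporaryDirectory() as base:
        root = os.path.join(base, "mnt")           # stands in for the mounted image
        os.makedirs(os.path.join(root, "etc"))
        os.makedirs(os.path.join(base, "host"))    # stands in for host-only data
        # Constructed link inside the root whose target is outside it.
        os.symlink(os.path.join(base, "host"), os.path.join(root, "link"))
        for requested in ("etc/motd", "/etc/motd", "../host/x",
                          "etc/../../host/x", "link/x"):
            try:
                join_within_root(root, requested)
                results[requested] = "allowed"
            except PathEscapeError:
                results[requested] = "rejected"
    return results


if __name__ == "__main__":
    for path, verdict in check_samples().items():
        print("%-20s %s" % (path, verdict))
```

A check like this is only as good as the window between the check and the write: if the contents under the root can change in between, the resolved path has to be re-validated or the write done in a context that cannot reach the host file system.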