CVE-2015-2687
medium
CVSS v3
4.7
CVSS v2
1.9
VIR risk
4.7
Description
OpenStack Compute (nova) Havana, Icehouse and Juno, when a live migration fails, allow local users to access VM volumes for which they would normally not have permissions.
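The symptom an operator can look for is a volume that is still attached on a compute host other than the one its instance currently runs on (the migration destination after a failed live migration). The following audit is an added example, not nova's own code; it assumes (as an assumption, not something the advisory states) that the leftover connection is visible as a Cinder attachment whose host_name differs from the instance's OS-EXT-SRV-ATTR:host, and the sample instance and volume records are constructed to mirror the dict shapes returned by the nova and cinder APIs.

```python
"""Audit volume attachments for hosts that do not match the owning instance.

Added example, not nova's own code. Assumption: after a failed live
migration the stale connection shows up as a Cinder attachment whose
host_name is the migration destination rather than the host the
instance actually runs on.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List


@dataclass(frozen=True)
class Finding:
    volume_id: str
    instance_id: str
    instance_host: str
    attached_host: str
    reason: str  # "host_mismatch" or "unknown_instance"


def find_stale_attachments(instances: Iterable[Dict], volumes: Iterable[Dict]) -> List[Finding]:
    """Return every attachment that is not on the host its instance lives on.

    An attachment pointing at an instance nova no longer knows about is
    reported too: a volume that stays connected to a host with no owner
    is exactly the situation in which another tenant's VM on that host
    could reach it.
    """
    host_of = {inst["id"]: inst["OS-EXT-SRV-ATTR:host"] for inst in instances}
    findings: List[Finding] = []
    for vol in volumes:
        for att in vol.get("attachments", []):
            server = att.get("server_id")
            attached_host = att.get("host_name")
            if server not in host_of:
                findings.append(Finding(vol["id"], server or "", "", attached_host or "", "unknown_instance"))
            elif attached_host != host_of[server]:
                findings.append(Finding(vol["id"], server, host_of[server], attached_host or "", "host_mismatch"))
    return findings


# Constructed sample data (not real API output): vm-a stayed on compute-1
# because its migration to compute-2 failed, yet vol-1 is still attached
# on compute-2. vm-b / vol-2 are consistent. vol-3 references an instance
# that no longer exists.
SAMPLE_INSTANCES = [
    {"id": "vm-a", "OS-EXT-SRV-ATTR:host": "compute-1"},
    {"id": "vm-b", "OS-EXT-SRV-ATTR:host": "compute-3"},
]
SAMPLE_VOLUMES = [
    {"id": "vol-1", "attachments": [{"server_id": "vm-a", "host_name": "compute-2"}]},
    {"id": "vol-2", "attachments": [{"server_id": "vm-b", "host_name": "compute-3"}]},
    {"id": "vol-3", "attachments": [{"server_id": "vm-gone", "host_name": "compute-2"}]},
]


if __name__ == "__main__":
    for f in find_stale_attachments(SAMPLE_INSTANCES, SAMPLE_VOLUMES):
        print(f"{f.reason}: volume {f.volume_id} attached on {f.attached_host} "
              f"(instance {f.instance_id or '?'} on {f.instance_host or '?'})")
```

In a live deployment the two lists would come from the nova and cinder APIs (e.g. a servers list with the OS-EXT-SRV-ATTR extension and a volumes list with attachments), and each host_mismatch finding is a candidate for detaching the volume from the reported host and verifying no other instance on it has an open handle on the block device.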
Predictions
Exploit likelihood
47%
Patch ETA
—
Heuristic predictions, AS-IS, for prioritization only.
Mitigations
Vendor advisory: debian — https://security-tracker.debian.org/tracker/CVE-2015-2687
OS impact
| OS | Version | Status | Fixed in |
|---|---|---|---|
| debian | bookworm | fixed | 2014.1-1 |
| debian | bullseye | fixed | 2014.1-1 |
| debian | forky | fixed | 2014.1-1 |
| debian | sid | fixed | 2014.1-1 |
| debian | trixie | fixed | 2014.1-1 |
Package impact
| Ecosystem | Package | Vulnerable | Fixed |
|---|---|---|---|
| PyPI | nova | <15.0.0.0b1 | 15.0.0.0b1 |
Application impact
| Vendor | Product | Versions | Fixed |
|---|---|---|---|
| openstack | compute | 2013.2 | |
| openstack | compute | 2013.2.1 | |
| openstack | compute | 2013.2.2 | |
| openstack | compute | 2013.2.3 | |
| openstack | compute | 2013.2.4 | |
| openstack | compute | 2014.1 | |
| openstack | compute | 2014.1.1 | |
| openstack | compute | 2014.1.2 | |
| openstack | compute | 2014.1.3 | |
| openstack | compute | 2014.1.4 | |
| openstack | compute | 2014.1.5 | |
| openstack | compute | 2014.2 | |
| openstack | compute | 2014.2.1 | |
| openstack | compute | 2014.2.2 | |
| openstack | compute | 2014.2.3 | |
| openstack | compute | 2014.2.4 | |
References
- http://www.openwall.com/lists/oss-security/2015/03/24/10
- http://www.openwall.com/lists/oss-security/2015/03/25/3
- http://www.securityfocus.com/bid/77505
- https://bugs.launchpad.net/nova/+bug/1419577
- https://bugzilla.redhat.com/show_bug.cgi?id=1205313
- https://review.openstack.org/#/c/338929/
- https://nvd.nist.gov/vuln/detail/CVE-2015-2687
- https://github.com/openstack/nova/commit/b83cae02ece4c338e09c3606c6ae69b715bd6f8c
- https://github.com/openstack/nova
- https://github.com/pypa/advisory-database/tree/main/vulns/nova/PYSEC-2017-145.yaml
- https://security-tracker.debian.org/tracker/CVE-2015-2687
CWEs
CWE-284: Improper Access Control