CVE-2017-18191

NameCVE-2017-18191
DescriptionAn issue was discovered in OpenStack Nova 15.x through 15.1.0 and 16.x through 16.1.1. By detaching and reattaching an encrypted volume, an attacker may access the underlying raw volume and corrupt the LUKS header, resulting in a denial of service attack on the compute host. (The same code error also results in data loss, but that is not a vulnerability because the user loses their own data.) All Nova setups supporting encrypted volumes are affected.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
NVD severityhigh

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
nova (PTS)stretch (security), stretch2:14.0.0-4+deb9u1vulnerable
buster2:18.1.0-6fixed
bullseye, sid2:22.0.0-2fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
novasourcewheezy(unfixed)end-of-life
novasource(unstable)2:17.0.0-1

Notes

[stretch] - nova <no-dsa> (Minor issue)
[jessie] - nova <no-dsa> (Minor issue)
[wheezy] - nova <end-of-life> (Not supported in Wheezy)
https://launchpad.net/bugs/1739593
https://review.openstack.org/539893

Search for package or bug name: Reporting problems