A vulnerability in OpenStack’s Nova component has been identified, potentially allowing hackers to gain unauthorized access to cloud servers.
This vulnerability, tracked as CVE-2024-40767, affects multiple versions of Nova and poses a serious risk to cloud infrastructure worldwide.
CVE-2024-40767 – OpenStack Nova Vulnerability
Arnaud Morin of OVH discovered the vulnerability, which affects Nova versions earlier than 27.4.1, between 28.0.0 and 28.2.1, and between 29.0.0 and 29.1.1.
According to the OpenStack report, an authenticated user can exploit this flaw by supplying an image declared as raw format that is actually a specially crafted QCOW2 image with a backing file path, or a VMDK flat image with a descriptor file path.
This manipulation can convince systems to return a copy of the referenced file’s contents from the server, resulting in unauthorized access to potentially sensitive data.
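A defender-side check for the format mismatch described above, as an added example (not code from the OpenStack patches): it inspects bytes uploaded with a declared raw format for QCOW2 or VMDK content and reports any file reference they carry. The function names, sample paths and sample images are constructed for illustration.

```python
import re
import struct

QCOW2_MAGIC = b"QFI\xfb"
# Extent line of a VMDK text descriptor, e.g.: RW 2048 FLAT "disk-flat.vmdk" 0
VMDK_EXTENT = re.compile(rb'^\s*(?:RW|RDONLY|NOACCESS)\s+\d+\s+(\w+)\s+"([^"]*)"', re.M)


def inspect_declared_raw(data: bytes) -> list[str]:
    """Return reasons why bytes uploaded as 'raw' should be rejected."""
    findings = []
    if data[:4] == QCOW2_MAGIC:
        findings.append("qcow2 content in image declared raw")
        if len(data) >= 20:
            # Big-endian header: magic, version, backing_file_offset, backing_file_size
            _magic, _version, b_off, b_size = struct.unpack(">4sIQI", data[:20])
            if b_off and b_size:
                name = data[b_off:b_off + b_size].decode("utf-8", "replace")
                findings.append(f"qcow2 backing file reference: {name!r}")
    if data[:4] == b"KDMV":
        findings.append("vmdk sparse extent in image declared raw")
    head = data[:4096]
    # Heuristic: VMDK descriptors are plain text near the start of the file.
    if b"# Disk DescriptorFile" in head or b"createType" in head:
        findings.append("vmdk text descriptor in image declared raw")
        for kind, path in VMDK_EXTENT.findall(head):
            path_s = path.decode("utf-8", "replace")
            findings.append(f"vmdk {kind.decode()} extent references {path_s!r}")
    return findings


# Constructed sample inputs (placeholder paths, not taken from the advisory).
def sample_qcow2_header() -> bytes:
    name = b"/placeholder/base.img"
    header = struct.pack(">4sIQI", QCOW2_MAGIC, 3, 104, len(name))
    return header.ljust(104, b"\0") + name


SAMPLE_QCOW2 = sample_qcow2_header()
SAMPLE_VMDK = (b'# Disk DescriptorFile\nversion=1\ncreateType="monolithicFlat"\n'
               b'RW 2048 FLAT "placeholder-flat.vmdk" 0\n')
SAMPLE_RAW = bytes(512)  # all-zero sector: genuinely raw data, no findings
```

An empty result means none of these markers were found; it does not replace applying the patches listed below.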
Impact and Mitigation
All Nova deployments are affected by this vulnerability, making it imperative for administrators to take immediate action. The potential impact includes unauthorized access to sensitive data, which could lead to data breaches and other security incidents.
To mitigate this vulnerability, patches have been made available for different versions of Nova:
- Patch for 2023.1/antelope
- Patch for 2023.2/bobcat
- Patch for 2024.1/caracal
- Patch for 2024.2/dalmatian
Administrators are strongly advised to apply these patches immediately to secure their systems against potential exploitation. Arnaud Morin from OVH, who reported the vulnerability, has been credited for his discovery.
The OpenStack community has responded swiftly by releasing the necessary patches and providing detailed guidance on securing affected systems.
As cloud technology continues to evolve, maintaining robust security measures remains crucial. The discovery and prompt addressing of CVE-2024-40767 underscore the importance of vigilance and collaboration within the tech community to safeguard digital infrastructure.