From the ‘Update or Fail’ files:
A simple truth that many open source platform users know well is that often initial releases still have (a few) bugs. Real world usage tends to shake things out better than any beta or dev process ever could.
With the open source OpenStack cloud platform, the most recent Folsom release debuted in September of 2012. It is now being updated to version 2012.2.3, fixing at least 51 known bugs and at least two serious security issues.
The top security issue in my view is one that affects volume handling in the core Nova compute service and is incredibly serious. It is identified as CVE-2013-0208: boot from volume allows access to random volumes.
“Boot from volume allows a volume to be passed to the create method via the block_device_mapping parameter,” the bug report states. “This parameter is not validated as having to be a volume belonging to the user creating the instance, so providing I know the valid ID of a volume belonging to another user I can create VM and gain access to that volume (c.f. volume attachment which does make explicit checks for both the ownership and status of a volume).”
Yeah, that’s right – an epic fail if this were ever weaponized or exploited in the wild.
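To make the missing check concrete, here is an added illustration (my own code, not Nova's) of the difference between accepting a block_device_mapping volume ID as given and validating it the way the bug report says volume attachment already did: ownership by the requesting tenant and an acceptable status. The in-memory VOLUMES table, the tenant IDs and the function names are constructed for this example.

```python
from dataclasses import dataclass

# Constructed stand-in for the volume table the compute service would query (assumption).
@dataclass
class Volume:
    id: str
    owner_id: str
    status: str  # "available" or "in-use"

VOLUMES = {
    "vol-1": Volume("vol-1", "tenant-a", "available"),
    "vol-2": Volume("vol-2", "tenant-b", "available"),
    "vol-3": Volume("vol-3", "tenant-a", "in-use"),
}

class VolumeAccessError(Exception):
    """Raised when a requested volume cannot be used by this tenant."""

def boot_from_volume_unchecked(tenant_id, block_device_mapping):
    # The pre-fix pattern: the volume ID from the request is trusted as-is,
    # so any valid ID, regardless of owner, gets attached to the new instance.
    return [VOLUMES[bdm["volume_id"]].id for bdm in block_device_mapping]

def boot_from_volume_checked(tenant_id, block_device_mapping):
    # The hardened pattern: apply the same ownership and status checks that
    # the attach path applies, before any volume is handed to the instance.
    attached = []
    for bdm in block_device_mapping:
        vol = VOLUMES.get(bdm.get("volume_id"))
        # Same error for "missing" and "not yours" so the response does not
        # confirm whether a guessed volume ID exists.
        if vol is None or vol.owner_id != tenant_id:
            raise VolumeAccessError("volume not found or not accessible")
        if vol.status != "available":
            raise VolumeAccessError("volume is not available for boot")
        attached.append(vol.id)
    return attached

def boot_request_allowed(tenant_id, block_device_mapping):
    """Convenience wrapper: True if the checked path accepts the request."""
    try:
        boot_from_volume_checked(tenant_id, block_device_mapping)
        return True
    except VolumeAccessError:
        return False

if __name__ == "__main__":
    # tenant-a asking for tenant-b's volume: unchecked path grants it, checked path refuses.
    print(boot_from_volume_unchecked("tenant-a", [{"volume_id": "vol-2"}]))
    print(boot_request_allowed("tenant-a", [{"volume_id": "vol-2"}]))
```

The point of the wrapper is that every validation is done before any side effect; a real service would also run these checks inside the same transaction that marks the volume in-use, so two concurrent boot requests cannot both pass the status check.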
The second high-impact security issue fixed, CVE-2013-0212, deals with a leaked Glance password risk.
“It appears that Glance can return a 404 message which contains the backend Swift store password when there are errors obtaining the image from Swift,” the bug report states.
Umm, hello? Yeah, another serious issue.
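The Glance issue is a classic case of an internal exception message being echoed straight into the client-facing error body. As an added example (my own code, not Glance's), the block below builds an error response that never includes the raw backend exception text, and separately redacts credentials embedded in store URIs before anything is written to the server log. The store URI, the exception and the helper names are constructed for this example.

```python
import re

# Matches the userinfo part of a URI ("scheme://user:secret@host") so that
# credentials can be masked while the scheme and host are kept for debugging.
_URI_CREDENTIALS = re.compile(r"://[^/@\s]+@")

def redact_credentials(text):
    """Replace any user:password section of a URI with a fixed marker."""
    return _URI_CREDENTIALS.sub("://[REDACTED]@", text)

def server_log_line(exc):
    """What goes to the operator log: full context, but with credentials masked."""
    return redact_credentials(f"backend store error: {exc}")

def error_response(status, exc):
    """What goes back to the API client: a generic message, never str(exc)."""
    messages = {404: "Image not found", 500: "Internal server error"}
    return {"status": status, "body": messages.get(status, "Error")}

def simulate_backend_failure():
    # Constructed backend store URI in the style of a swift store location,
    # with a made-up credential, to show what the old path would have exposed.
    store_uri = "swift+https://acct:user:S3cretPass@swift.example.internal/v1/images/abc"
    exc = IOError(f"could not fetch object from {store_uri}")
    return error_response(404, exc), server_log_line(exc)

if __name__ == "__main__":
    response, log_line = simulate_backend_failure()
    print(response)
    print(log_line)
```

Two separate decisions are at work: the client body is built from a fixed table keyed by status code, so there is no code path by which exception text reaches the caller, and the log line still carries the host and object path an operator needs while the credential is masked.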
In any event, that’s why users of OpenStack, and, let’s face it, any modern software, need to update regularly and be wary of initial releases for mission-critical production workloads.