PT-2014-6363 · Google · Ganeti

Published: 2014-08-29 · Updated: 2021-09-08 · CVE-2014-5247

CVSS v2.0: 2.1 (Low)

Vector: AV:L/AC:L/Au:N/C:P/I:N/A:N
Name of the Vulnerable Software and Affected Versions

Ganeti versions 2.10.0 through 2.10.6
Ganeti versions 2.11.0 through 2.11.4

Description

The issue allows local users to obtain sensitive information, including SSL keys and remote API credentials, by reading a configuration backup file. This is related to the upgrade command and is due to the use of world-readable permissions for the configuration backup file by the UpgradeBeforeConfigurationChange function in lib/client/gnt_cluster.py.

Recommendations

For Ganeti versions 2.10.0 through 2.10.6, update to version 2.10.7 or later.
For Ganeti versions 2.11.0 through 2.11.4, update to version 2.11.5 or later.
As a temporary workaround, consider restricting access to the configuration backup file to minimize the risk of exploitation.
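
Added example, not Ganeti's code or its actual patch: a Python sketch of the flaw class described above, where a backup archive created under the default umask is readable by other local users, next to a variant that creates the file with mode 0600 before any data is written. The function names, file names and sample directory are assumptions constructed for the illustration.

```python
import os
import stat
import tarfile
import tempfile


def backup_default(src_dir, dest):
    """Weak pattern: the archive inherits the process umask (022 gives 0644)."""
    with tarfile.open(dest, "w") as tar:
        tar.add(src_dir, arcname="config")
    return dest


def backup_private(src_dir, dest):
    """Hardened pattern: create the file as 0600 first, then write into it."""
    fd = os.open(dest, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as fh, tarfile.open(fileobj=fh, mode="w") as tar:
        tar.add(src_dir, arcname="config")
    return dest


def readable_by_others(path):
    """True if group or other has read permission on the file."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return bool(mode & (stat.S_IRGRP | stat.S_IROTH))


def demo():
    """Build both archives from a constructed config dir and compare modes."""
    old_umask = os.umask(0o022)  # common default, set explicitly for the demo
    try:
        with tempfile.TemporaryDirectory() as tmp:
            src = os.path.join(tmp, "conf")
            os.mkdir(src)
            # Constructed placeholder standing in for key material.
            with open(os.path.join(src, "server.pem"), "w") as fh:
                fh.write("constructed placeholder, not a real key\n")
            weak = backup_default(src, os.path.join(tmp, "weak.tar"))
            safe = backup_private(src, os.path.join(tmp, "safe.tar"))
            return readable_by_others(weak), readable_by_others(safe)
    finally:
        os.umask(old_umask)


if __name__ == "__main__":
    print(demo())
```

`readable_by_others` can also be pointed at an existing backup file to confirm that the temporary workaround has taken effect.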

Related identifiers

CVE-2014-5247

Affected products

Ganeti