Medium severity4.7NVD Advisory· Published Aug 9, 2017· Updated May 13, 2026

CVE-2015-2687

Description

OpenStack Compute (nova) Icehouse, Juno and Havana when live migration fails allows local users to access VM volumes that they would normally not have permissions for.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package	Affected versions	Patched versions
novaPyPI	< 15.0.0.0b1	15.0.0.0b1

Affected products

OpenStack/Compute16 versions
cpe:2.3:a:openstack:compute:2013.2:*:*:*:*:*:*:*+ 15 more
- cpe:2.3:a:openstack:compute:2013.2:*:*:*:*:*:*:*
- cpe:2.3:a:openstack:compute:2013.2.1:*:*:*:*:*:*:*
- cpe:2.3:a:openstack:compute:2013.2.2:*:*:*:*:*:*:*
- cpe:2.3:a:openstack:compute:2013.2.3:*:*:*:*:*:*:*
- cpe:2.3:a:openstack:compute:2013.2.4:*:*:*:*:*:*:*
- cpe:2.3:a:openstack:compute:2014.1:*:*:*:*:*:*:*
- cpe:2.3:a:openstack:compute:2014.1.1:*:*:*:*:*:*:*
- cpe:2.3:a:openstack:compute:2014.1.2:*:*:*:*:*:*:*
- cpe:2.3:a:openstack:compute:2014.1.3:*:*:*:*:*:*:*
- cpe:2.3:a:openstack:compute:2014.1.4:*:*:*:*:*:*:*
- cpe:2.3:a:openstack:compute:2014.1.5:*:*:*:*:*:*:*
- cpe:2.3:a:openstack:compute:2014.2:*:*:*:*:*:*:*
- cpe:2.3:a:openstack:compute:2014.2.1:*:*:*:*:*:*:*
- cpe:2.3:a:openstack:compute:2014.2.2:*:*:*:*:*:*:*
- cpe:2.3:a:openstack:compute:2014.2.3:*:*:*:*:*:*:*
- cpe:2.3:a:openstack:compute:2014.2.4:*:*:*:*:*:*:*

Patches

b83cae02ece4

block_device: Make refresh_conn_infos py3 compatible

https://github.com/openstack/novaLee YarwoodJul 14, 2016via ghsa

commit

2 files changed · +38 −4

nova/tests/unit/virt/test_block_device.py+33 −0 modified

@@ -1052,3 +1052,36 @@ def test_get_volume_create_az_cinder_cross_az_attach_true(self):
         instance = fake_instance.fake_instance_obj(self.context, **updates)
         self.assertIsNone(
             driver_block_device._get_volume_create_az_value(instance))
+
+    def test_refresh_conn_infos(self):
+        # Only DriverVolumeBlockDevice derived devices should refresh their
+        # connection_info during a refresh_conn_infos call.
+        test_volume = mock.MagicMock(
+            spec=driver_block_device.DriverVolumeBlockDevice)
+        test_image = mock.MagicMock(
+            spec=driver_block_device.DriverImageBlockDevice)
+        test_snapshot = mock.MagicMock(
+            spec=driver_block_device.DriverSnapshotBlockDevice)
+        test_blank = mock.MagicMock(
+            spec=driver_block_device.DriverBlankBlockDevice)
+        test_eph = mock.MagicMock(
+            spec=driver_block_device.DriverEphemeralBlockDevice)
+        test_swap = mock.MagicMock(
+            spec=driver_block_device.DriverSwapBlockDevice)
+        block_device_mapping = [test_volume, test_image, test_eph,
+                                test_snapshot, test_swap, test_blank]
+        driver_block_device.refresh_conn_infos(block_device_mapping,
+                                               mock.sentinel.refresh_context,
+                                               mock.sentinel.refresh_instance,
+                                               mock.sentinel.refresh_vol_api,
+                                               mock.sentinel.refresh_virt_drv)
+        for test_mock in [test_volume, test_image, test_snapshot, test_blank]:
+            test_mock.refresh_connection_info.assert_called_once_with(
+                mock.sentinel.refresh_context,
+                mock.sentinel.refresh_instance,
+                mock.sentinel.refresh_vol_api,
+                mock.sentinel.refresh_virt_drv)
+        # NOTE(lyarwood): Can't think of a better way of testing this as we
+        # can't assert_not_called if the method isn't in the spec.
+        self.assertFalse(hasattr(test_eph, 'refresh_connection_info'))
+        self.assertFalse(hasattr(test_swap, 'refresh_connection_info'))

nova/virt/block_device.py+5 −4 modified

@@ -14,7 +14,6 @@
 
 import functools
 import itertools
-import operator
 
 from oslo_log import log as logging
 from oslo_serialization import jsonutils
@@ -514,9 +513,11 @@ def _log_and_attach(bdm):
 
 
 def refresh_conn_infos(block_device_mapping, *refresh_args, **refresh_kwargs):
-    map(operator.methodcaller('refresh_connection_info',
-                              *refresh_args, **refresh_kwargs),
-        block_device_mapping)
+    for device in block_device_mapping:
+        # NOTE(lyarwood): At present only DriverVolumeBlockDevice derived
+        # devices provide a refresh_connection_info method.
+        if hasattr(device, 'refresh_connection_info'):
+            device.refresh_connection_info(*refresh_args, **refresh_kwargs)
     return block_device_mapping

Vulnerability mechanics

Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

www.openwall.com/lists/oss-security/2015/03/24/10nvdMailing ListThird Party AdvisoryWEB
www.openwall.com/lists/oss-security/2015/03/25/3nvdMailing ListThird Party AdvisoryWEB
www.securityfocus.com/bid/77505nvdThird Party AdvisoryVDB Entry
bugs.launchpad.net/nova/+bug/1419577nvdIssue TrackingThird Party AdvisoryVDB EntryWEB
bugzilla.redhat.com/show_bug.cginvdIssue TrackingThird Party AdvisoryVDB EntryWEB
github.com/advisories/GHSA-97fv-22hc-mrgjghsaADVISORY
nvd.nist.gov/vuln/detail/CVE-2015-2687ghsaADVISORY
review.openstack.orgnvdThird Party Advisory
github.com/openstack/nova/commit/b83cae02ece4c338e09c3606c6ae69b715bd6f8cghsaWEB
github.com/pypa/advisory-database/tree/main/vulns/nova/PYSEC-2017-145.yamlghsaWEB
review.openstack.orgghsaWEB

News mentions

No linked articles in our index yet.

cvss	0.306
epss	0.000
exploit	0.000
kev	0.000
patch	-0.070
ransomware	0.000