live_migrate task ignores extra_specs
Bug #1224014 reported by
Bob Ball
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
OpenStack Compute (nova) |
Fix Released
|
Undecided
|
Hans Lindgren | ||
OpenStack Security Advisory |
Invalid
|
Undecided
|
Unassigned |
Bug Description
The new live_migrate task in the conductor does not pass extra_specs from the flavor through to the filters - thus giving an incorrect result.
This showed up when using the TrustedFilter which depends on extra_specs (set by nova.scheduler.
Marked as a security vulnerability as it means that the use of live migration will bypass filters intended to provide a secure environment such as TrustedFilter.
information type: | Private Security → Public |
Changed in ossa: | |
status: | Incomplete → Invalid |
Changed in nova: | |
milestone: | none → icehouse-1 |
Changed in nova: | |
status: | Fix Committed → Fix Released |
Changed in nova: | |
milestone: | icehouse-1 → 2014.1 |
To post a comment you must log in.
I'm a little fuzzy on the risk boundaries this crosses and to what degree it's exploitable--can you provide an example exploit scenario for this vulnerability? Also, when you refer to it as "the new live_migrate task" does this mean it's only in master/ milestone- proposed/ havana and not affecting any stable release branches?