[OSSA 2013-030] xenapi migrations don't apply security group filters (CVE-2013-4497)

This seems to have got fixed by the work on:
https://bugs.launchpad.net/nova/+bug/1073303

Sorry for the clash, but would really appreciate you checking I have made the same changes.

No problem.

This bug also affects live migration, and that's what I had been working on. Does your patch fix the problem for live migration too?

The bug tracking live migration is bug 1202266

Shall be a common OSSA with 1202266

John/Euan, can you confirm that https://review.openstack.org/#/c/38455/ will fix this once it is merged?

If so, we should merge the defects and update the flags to ensure that https://bugs.launchpad.net/nova/+bug/1073303 is high priority.

https://review.openstack.org/#/c/38455/
As mentioned in the commit, will fix both this and:
https://bugs.launchpad.net/nova/+bug/1073303

They are quite different bugs, fixed by the same tidy up (sharing more code between spawn and finish_migrate).

It will not fix:
https://bugs.launchpad.net/nova/+bug/1202266

I didn't consider this high, because it is a side feature, but that is debatable I guess.

In response to Thierry's comment #4, I'm unsure how we'll be able to issue a common OSSA if the proposed fix does not address bug 1202266. Should we hold the advisory until such time as fixes for both are ready, or do they need to diverge?

@Jeremy: given that this is public, if one is really ready before the other, then they probably need to diverge. Maybe we should mention the live-migration issue in the migration CVE so that people know the workaround (reapply security groups after live migration).

+1

I will try get someone to look at the live-migrate issue in the XAPI meeting, if not in progress before that.

The proposedfix for this vulnerability is last in a series of 6 relatively substantial changes for nova, none of which currently have any core reviews on them whatsoever. Are all these patches granted a freeze exception, or would it be possible to divorce this fix from some/all of the other changes in that series to expedite resolution so we can publish an advisory?

Reviewed: https://review.openstack.org/38455
Committed: http://github.com/openstack/nova/commit/ba0d007fb78bd1182c3c0b808dbd7ccc84640e80
Submitter: Jenkins
Branch: master

commit ba0d007fb78bd1182c3c0b808dbd7ccc84640e80
Author: John Garbutt <email address hidden>
Date: Wed Jul 24 13:15:03 2013 +0100

    xenapi: ensure finish_migration cleans on errors

    This change makes finish_migration share code with spawn.

    This fixes some inconsistencies, such as applying the security
    group filters during finish_migration.

    Fixes bug 1073303
    Fixes bug 1073306

    Change-Id: Ib4f2a96618692c141708535f9463c856f3395922

Great! Does this also effect Grizzly? Folsom? (Need backports for those if so.) Also if it affects Essex or earlier, that will incluence the wording in the impact description somewhat as well.

Any information on which stable release branches are/were affected by this (if any)? We'll want bug tasks and backports for them as far back as folsom if possible.

So, I think this has been an issue since essex, when security groups and migration were both present:
https://blueprints.launchpad.net/nova/+spec/xenapi-security-groups

It hasn't really been tested much since then mind :(

We will need a simpler fix to backport, but its really just a cut and paste from the spawn code to the finish_migrate (which is the issue I fixed with my patch).

@ Jeremy Stanley (fungi) this also applies to resizes, so a resize would also drop the firewall rules.

This is a pain to backport given the changes, gone for a possible minimal fix:

https://review.openstack.org/#/c/52991/

https://review.openstack.org/#/c/52992/

Proposed impact description (covers this bug and bug 1202266):
----
Title: XenAPI security groups not kept through migrate or resize
Reporter: Chris Behrens (Rackspace) and Vangelis Tasoulas
Products: Nova
Affects: all releases

Description:
Chris Behrens with Rackspace and Vangelis Tasoulas reported a set of vulnerabilities in OpenStack Nova. When migrating or resizing a virtual machine, security groups may not be applied after the operation completes. Only setups using the XenAPI backend are affected. This issue also affects live migrations, introduced in the Folsom (2012.2) release.

I would say "affects: Folsom, Grizzly" and precise that Havana is not affected.

also maybe "existing security groups may not be reapplied"

I would also add a sentence about impact (instances not as protected as one may think)

Updated impact description (covers this bug and bug 1202266):
----
Title: XenAPI security groups not kept through migrate or resize
Reporter: Chris Behrens (Rackspace) and Vangelis Tasoulas
Products: Nova
Affects: Folsom, Grizzly

Description:
Chris Behrens with Rackspace and Vangelis Tasoulas reported a set of vulnerabilities in OpenStack Nova. When migrating or resizing an instance, including live migration, existing security groups may not be reapplied after the operation completes. This can lead to unintentional network exposure for virtual machines. Only setups using the XenAPI backend are affected.

Impact desc looks good to me.

Reviewed: https://review.openstack.org/52991
Committed: http://github.com/openstack/nova/commit/01de658210fd65171bfbf5450c93673b5ce0bd9e
Submitter: Jenkins
Branch: stable/grizzly

commit 01de658210fd65171bfbf5450c93673b5ce0bd9e
Author: John Garbutt <email address hidden>
Date: Mon Oct 21 19:34:43 2013 +0100

    xenapi: apply firewall rules in finish_migrate

    When security groups were added, the rules were not re-applied to
    servers that have been migrated to a new hypervisor.

    This change ensures the firewall rules are applied as part of creating
    the new VM in finish_migrate. This code follows a very similar pattern
    to the code in spawn, and that is where the cut and paste code comes
    from. This code duplication was removed in Havana.

    Fixes bug 1073306

    Change-Id: I6295a782df328a759e358fb82b76dd3f7bd4b39e

Finalized impact description being used in advisory (also covers bug 1202266):
----
Title: XenAPI security groups not kept through migrate or resize
Reporter: Chris Behrens (Rackspace) and Vangelis Tasoulas
Products: Nova
Affects: All supported versions prior to Havana

Description:
Chris Behrens with Rackspace and Vangelis Tasoulas reported a set of vulnerabilities in OpenStack Nova's XenAPI hypervisor backend. When migrating or resizing an instance, including live migration, existing security groups may not be reapplied after the operation completes. This can lead to unintentional network exposure for virtual machines. Only setups using the XenAPI backend are affected.

[OSSA 2013-030]