[OSSA 2013-030] xenapi migrations don't apply security group filters (CVE-2013-4497)
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| OpenStack Compute (nova) | | High | John Garbutt | |
| Grizzly | | High | John Garbutt | |
| OpenStack Security Advisory | | High | Jeremy Stanley | |
Bug Description
xenapi's finish_migration() is missing code to apply security group rules, etc. There's code in spawn() that appears we need to also use in finish_migration().
(Somewhat related, see: https:/
CVE References
| Changed in nova: | |
| importance: | Undecided → Medium |
| status: | New → Triaged |
| tags: | added: xenserver |
| Changed in nova: | |
| assignee: | nobody → Euan Harris (euanh) |
| Changed in nova: | |
| status: | Triaged → In Progress |
| John Garbutt (johngarbutt) wrote : | #1 |
| Changed in nova: | |
| assignee: | Euan Harris (euanh) → John Garbutt (johngarbutt) |
| Euan Harris (euanh) wrote : | #2 |
No problem.
This bug also affects live migration, and that's what I had been working on. Does your patch fix the problem for live migration too?
| Thierry Carrez (ttx) wrote : | #3 |
The bug tracking live migration is bug 1202266
| information type: | Public → Public Security |
| Thierry Carrez (ttx) wrote : | #4 |
Shall be a common OSSA with 1202266
| Changed in ossa: | |
| importance: | Undecided → High |
| status: | New → Confirmed |
| Bob Ball (bob-ball) wrote : | #5 |
John/Euan, can you confirm that https:/
If so, we should merge the defects and update the flags to ensure that https:/
| John Garbutt (johngarbutt) wrote : | #6 |
https:/
As mentioned in the commit, will fix both this and:
https:/
They are quite different bugs, fixed by the same tidy up (sharing more code between spawn and finish_migrate).
It will not fix:
https:/
I didn't consider this high, because it is a side feature, but that is debatable I guess.
| Jeremy Stanley (fungi) wrote : | #7 |
In response to Thierry's comment #4, I'm unsure how we'll be able to issue a common OSSA if the proposed fix does not address bug 1202266. Should we hold the advisory until such time as fixes for both are ready, or do they need to diverge?
| Thierry Carrez (ttx) wrote : | #8 |
@Jeremy: given that this is public, if one is really ready before the other, then they probably need to diverge. Maybe we should mention the live-migration issue in the migration CVE so that people know the workaround (reapply security groups after live migration).
| Changed in nova: | |
| milestone: | none → havana-rc1 |
| John Garbutt (johngarbutt) wrote : | #9 |
+1
I will try to get someone to look at the live-migrate issue in the XAPI meeting, if not in progress before that.
| Changed in nova: | |
| importance: | Medium → High |
| Changed in ossa: | |
| assignee: | nobody → Jeremy Stanley (fungi) |
| Jeremy Stanley (fungi) wrote : | #10 |
The proposed fix for this vulnerability is last in a series of 6 relatively substantial changes for nova, none of which currently have any core reviews on them whatsoever. Are all these patches granted a freeze exception, or would it be possible to divorce this fix from some/all of the other changes in that series to expedite resolution so we can publish an advisory?
Reviewed: https:/
Committed: http://
Submitter: Jenkins
Branch: master
commit ba0d007fb78bd11
Author: John Garbutt <email address hidden>
Date: Wed Jul 24 13:15:03 2013 +0100
xenapi: ensure finish_migration cleans on errors
This change makes finish_migration share code with spawn.
This fixes some inconsistencies, such as applying the security
group filters during finish_migration.
Fixes bug 1073303
Fixes bug 1073306
Change-Id: Ib4f2a96618692c
| Changed in nova: | |
| status: | In Progress → Fix Committed |
Great! Does this also affect Grizzly? Folsom? (Need backports for those if so.) Also if it affects Essex or earlier, that will influence the wording in the impact description somewhat as well.
| Changed in nova: | |
| status: | Fix Committed → Fix Released |
| Jeremy Stanley (fungi) wrote : | #13 |
Any information on which stable release branches are/were affected by this (if any)? We'll want bug tasks and backports for them as far back as folsom if possible.
| Changed in nova: | |
| milestone: | havana-rc1 → 2013.2 |
| John Garbutt (johngarbutt) wrote : | #14 |
So, I think this has been an issue since essex, when security groups and migration were both present:
https:/
It hasn't really been tested much since then mind :(
We will need a simpler fix to backport, but it's really just a cut and paste from the spawn code to the finish_migrate (which is the issue I fixed with my patch).
| tags: | added: folsom-backport-potential grizzly-backport-potential |
| John Garbutt (johngarbutt) wrote : | #15 |
@ Jeremy Stanley (fungi) this also applies to resizes, so a resize would also drop the firewall rules.
| John Garbutt (johngarbutt) wrote : | #16 |
This is a pain to backport given the changes, gone for a possible minimal fix:
| Jeremy Stanley (fungi) wrote : | #17 |
Proposed impact description (covers this bug and bug 1202266):
----
Title: XenAPI security groups not kept through migrate or resize
Reporter: Chris Behrens (Rackspace) and Vangelis Tasoulas
Products: Nova
Affects: all releases
Description:
Chris Behrens with Rackspace and Vangelis Tasoulas reported a set of vulnerabilities in OpenStack Nova. When migrating or resizing a virtual machine, security groups may not be applied after the operation completes. Only setups using the XenAPI backend are affected. This issue also affects live migrations, introduced in the Folsom (2012.2) release.
| Changed in ossa: | |
| status: | Confirmed → Triaged |
| Thierry Carrez (ttx) wrote : | #18 |
I would say "affects: Folsom, Grizzly" and precise that Havana is not affected.
also maybe "existing security groups may not be reapplied"
I would also add a sentence about impact (instances not as protected as one may think)
| Jeremy Stanley (fungi) wrote : | #19 |
Updated impact description (covers this bug and bug 1202266):
----
Title: XenAPI security groups not kept through migrate or resize
Reporter: Chris Behrens (Rackspace) and Vangelis Tasoulas
Products: Nova
Affects: Folsom, Grizzly
Description:
Chris Behrens with Rackspace and Vangelis Tasoulas reported a set of vulnerabilities in OpenStack Nova. When migrating or resizing an instance, including live migration, existing security groups may not be reapplied after the operation completes. This can lead to unintentional network exposure for virtual machines. Only setups using the XenAPI backend are affected.
| Thierry Carrez (ttx) wrote : | #20 |
Impact desc looks good to me.
Reviewed: https:/
Committed: http://
Submitter: Jenkins
Branch: stable/grizzly
commit 01de658210fd651
Author: John Garbutt <email address hidden>
Date: Mon Oct 21 19:34:43 2013 +0100
xenapi: apply firewall rules in finish_migrate
When security groups were added, the rules were not re-applied to
servers that have been migrated to a new hypervisor.
This change ensures the firewall rules are applied as part of creating
the new VM in finish_migrate. This code follows a very similar pattern
to the code in spawn, and that is where the cut and paste code comes
from. This code duplication was removed in Havana.
Fixes bug 1073306
Change-Id: I6295a782df328a
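A minimal model of the bug class the commit message above describes, added here as an illustration and not taken from nova or from the patch. `Host`, `VulnerableOps`, `FixedOps` and `migrate` are hypothetical names, and security group filter state is modelled as sets local to each host.

```python
"""Toy model of the bug class; every name here is hypothetical, not nova's API."""


class Host:
    """A hypervisor host with its own, host-local packet filter state."""

    def __init__(self, name):
        self.name = name
        self.running = set()    # instances started on this host
        self.filtered = set()   # instances whose security group rules are loaded

    def apply_filters(self, instance):
        self.filtered.add(instance)

    def unfiltered(self):
        """Audit check: instances running here with no rules applied."""
        return sorted(self.running - self.filtered)


class VulnerableOps:
    """spawn() and finish_migration() build the VM through separate code paths."""

    def spawn(self, host, instance):
        host.apply_filters(instance)      # rules loaded before the VM starts
        host.running.add(instance)

    def finish_migration(self, host, instance):
        host.running.add(instance)        # destination VM starts with no rules


class FixedOps(VulnerableOps):
    """Both entry points go through one shared creation routine."""

    def _create_and_start(self, host, instance):
        host.apply_filters(instance)
        host.running.add(instance)

    spawn = _create_and_start
    finish_migration = _create_and_start


def migrate(ops, instance):
    """Spawn on a source host, migrate to a destination, audit the destination."""
    src, dst = Host("src"), Host("dst")
    ops.spawn(src, instance)
    src.running.discard(instance)         # source copy is torn down
    ops.finish_migration(dst, instance)
    return dst.unfiltered()
```

Because filter state lives on the host, rules applied at spawn time on the source say nothing about the destination; the audit in `unfiltered()` is the kind of check that exposes the gap after a migration.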
| Changed in ossa: | |
| status: | Triaged → In Progress |
| summary: | - xenapi migrations don't apply security group filters |
| | + xenapi migrations don't apply security group filters (CVE-2013-4497) |
| no longer affects: | nova/folsom |
| Jeremy Stanley (fungi) wrote : Re: xenapi migrations don't apply security group filters (CVE-2013-4497) | #22 |
Finalized impact description being used in advisory (also covers bug 1202266):
----
Title: XenAPI security groups not kept through migrate or resize
Reporter: Chris Behrens (Rackspace) and Vangelis Tasoulas
Products: Nova
Affects: All supported versions prior to Havana
Description:
Chris Behrens with Rackspace and Vangelis Tasoulas reported a set of vulnerabilities in OpenStack Nova's XenAPI hypervisor backend. When migrating or resizing an instance, including live migration, existing security groups may not be reapplied after the operation completes. This can lead to unintentional network exposure for virtual machines. Only setups using the XenAPI backend are affected.
| Changed in ossa: | |
| status: | In Progress → Fix Committed |
| Thierry Carrez (ttx) wrote : | #23 |
[OSSA 2013-030]
| Changed in ossa: | |
| status: | Fix Committed → Fix Released |
| summary: | - xenapi migrations don't apply security group filters (CVE-2013-4497) |
| | + [OSSA 2013-030] xenapi migrations don't apply security group filters (CVE-2013-4497) |
| tags: | removed: folsom-backport-potential grizzly-backport-potential |


This seems to have got fixed by the work on:
https://bugs.launchpad.net/nova/+bug/1073303
Sorry for the clash, but would really appreciate you checking I have made the same changes.