data from previous tenants accessible with nova baremetal
Bug #1174153 reported by Robert Collins
This bug affects 3 people
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Ironic | Fix Released | High | Josh Gachnang |
OpenStack Compute (nova) | Fix Released | High | Josh Gachnang |
OpenStack Security Notes | Fix Released | High | Robert Clark |
Bug Description
At the moment the baremetal driver resets the partition table on the first hard disk, but doesn't wipe the data. This has two holes: other disks have their partition tables preserved; tenant data is able to be read by the new instance.
Wiping disks can be slow (particularly in cases where TRIM cannot be relied on), so we probably want to only do it when the new instance is for a new tenant.
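The gap described in the report, modelled on small in-memory disk images as an added example (not nova or Ironic code). The function names, the 8-sector disks, the sector layout and the tenant identifiers are constructed for illustration, and keeping the old behaviour for a same-tenant redeploy is an assumption drawn from the report's suggestion.

```python
import io

SECTOR = 512
SECTORS_PER_DISK = 8  # constructed: tiny stand-in for a real disk

def make_used_disk(secret):
    """Constructed sample: a partition-table sector plus one sector of tenant data."""
    disk = io.BytesIO(bytes(SECTOR * SECTORS_PER_DISK))
    disk.seek(SECTOR - 2)
    disk.write(b"\x55\xaa")          # MBR boot signature at the end of sector 0
    disk.seek(3 * SECTOR)
    disk.write(secret)               # previous tenant's data in sector 3
    return disk

def reset_partition_table(disk):
    """Behaviour described in the report: only sector 0 is overwritten."""
    disk.seek(0)
    disk.write(bytes(SECTOR))

def wipe(disk):
    """Overwrite every sector of the disk with zeros."""
    size = disk.seek(0, io.SEEK_END)
    disk.seek(0)
    for _ in range(size // SECTOR):
        disk.write(bytes(SECTOR))

def dirty_sectors(disk):
    """Return the indexes of sectors that still hold non-zero bytes."""
    size = disk.seek(0, io.SEEK_END)
    disk.seek(0)
    return [i for i in range(size // SECTOR) if disk.read(SECTOR) != bytes(SECTOR)]

def deploy_as_reported(disks):
    """Reset the partition table on the first disk only; other disks are untouched."""
    reset_partition_table(disks[0])
    return [dirty_sectors(d) for d in disks]

def deploy_with_cleaning(disks, previous_tenant, new_tenant):
    """Wipe every disk when the tenant changes, then report what is left."""
    if previous_tenant != new_tenant:
        for d in disks:
            wipe(d)
    else:
        reset_partition_table(disks[0])  # assumption: same tenant keeps old behaviour
    return [dirty_sectors(d) for d in disks]

if __name__ == "__main__":
    disks = [make_used_disk(b"tenant-A secret"), make_used_disk(b"tenant-A secret")]
    print(deploy_as_reported(disks), deploy_with_cleaning(disks, "tenant-a", "tenant-b"))
```

A non-empty list from `dirty_sectors` after cleaning is the signal that previous-tenant data or a stale partition table is still on that disk.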
Changed in ossn:
importance: Undecided → High
assignee: nobody → Robert Clark (robert-clark)
Changed in ironic:
status: New → Triaged
importance: Undecided → High
Changed in nova:
status: Incomplete → Won't Fix
Changed in nova:
assignee: nobody → Josh Gachnang (joshnang)
status: Won't Fix → In Progress
Changed in ironic:
milestone: none → kilo-3
Changed in ironic:
status: Triaged → In Progress
assignee: nobody → Josh Gachnang (josh-gachnang)
assignee: Josh Gachnang (josh-gachnang) → Josh Gachnang (joshnang)
Changed in nova:
assignee: Josh Gachnang (joshnang) → Jim Rollenhagen (jim-rollenhagen)
Changed in ironic:
status: In Progress → Fix Committed
Changed in ironic:
status: Fix Committed → Fix Released
Changed in nova:
milestone: kilo-3 → kilo-rc1
Changed in nova:
status: In Progress → Won't Fix
Changed in nova:
assignee: Jim Rollenhagen (jim-rollenhagen) → Josh Gachnang (joshnang)
Changed in nova:
status: Fix Committed → Fix Released
Changed in nova:
milestone: kilo-rc1 → 2015.1.0
Changed in ironic:
milestone: kilo-3 → 2015.1.0
Looks like a pretty significant vulnerability to me, or am I missing something?