[OSSA 2013-019] Resource limit circumvention in Nova private flavors (CVE-2013-2256)
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| OpenStack Compute (nova) | Fix Released | Critical | Russell Bryant | |
| Grizzly | Fix Released | Critical | Russell Bryant | |
| OpenStack Security Advisory | Fix Released | High | Jeremy Stanley | |
Bug Description
I want to display the bug as follows:

Make sure the role is admin: `source devstack/openrc admin admin`

I create a private flavor as follows:

```text
nova flavor-create test1 7 512 4 2
```

Make sure the role is demo: `source devstack/openrc demo demo`

OK, now I use `nova flavor-list`:

```text
+----+-
| ID | Name | Memory_MB | Disk | Ephemeral | Swap | VCPUs | RXTX_Factor | Is_Public | extra_specs |
+----+-
| 3 | m1.medium | 4096 | 40 | 0 | | 2 | 1.0 | True | {u'ecus_per_vcpu:': u'1'} |
| 4 | m1.large | 8192 | 80 | 0 | | 4 | 1.0 | True | {u'ecus_per_vcpu:': u'1'} |
| 5 | m1.xlarge | 16384 | 160 | 0 | | 8 | 1.0 | True | {u'ecus_per_vcpu:': u'1'} |
+----+-
```
But when I use `nova flavor-show`:

```text
nova flavor-show 7
+------
| Property | Value |
+------
| OS-FLV-
| OS-FLV-
| disk | 4 |
| extra_specs | {} |
| id | 7 |
| name | test1 |
| os-flavor-
| ram | 512 |
| rxtx_factor | 1.0 |
| swap | |
| vcpus | 2 |
+------
```
So the demo tenant can boot a new instance with the private flavor. I want to prevent other tenants from accessing my private flavor, for example through the command `nova flavor-show`; only in this way can we prevent other tenants from using my private flavors to create instances.

OK, I modify the code in 'nova/api/

```python
def show(self, req, id):
    """Return data about the given flavor id."""
    try:
        context = req.environ[
        flavor = instance_
        if not context.is_admin:
            flavors = self._get_
            for k in flavors:
                if k.get('flavorid', None) != flavor.
            if flavor_is_not:
                raise webob.exc.
        req.
    except exception.NotFound:
        raise webob.exc.
    return self._view_
```
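As an added illustration (not the reporter's patch and not Nova's own code or its released fix), the rule the description asks for, modelled as a small self-contained Python sketch over constructed flavor data: one visibility check shared by list, show and boot, so that a flavor hidden from flavor-list is also hidden from flavor-show and cannot be used to boot. The names `flavor_visible`, `list_flavors`, `show_flavor` and `boot_instance` are hypothetical.

```python
from dataclasses import dataclass, field

class NotFound(Exception):
    """Stands in for the HTTP 404 the API returns for a hidden flavor."""

@dataclass
class Context:
    project_id: str
    is_admin: bool = False

@dataclass
class Flavor:
    flavorid: str
    name: str
    is_public: bool = True
    access: set = field(default_factory=set)  # project ids granted access

# Constructed sample data (an assumption, not the reporter's environment):
# flavor 7 is private with no access grants, flavor 8 is shared with "demo".
FLAVORS = {
    "3": Flavor("3", "m1.medium"),
    "7": Flavor("7", "test1", is_public=False),
    "8": Flavor("8", "test2", is_public=False, access={"demo"}),
}

def flavor_visible(flavor: Flavor, ctx: Context) -> bool:
    """The single authorization rule every flavor code path must consult."""
    return ctx.is_admin or flavor.is_public or ctx.project_id in flavor.access

def list_flavors(ctx: Context) -> list:
    """flavor-list: filtering here alone is not access control."""
    return [f.name for f in FLAVORS.values() if flavor_visible(f, ctx)]

def show_flavor(flavor_id: str, ctx: Context) -> Flavor:
    """flavor-show: a hidden flavor is reported as missing, not forbidden,
    so the response does not reveal that the id exists."""
    flavor = FLAVORS.get(flavor_id)
    if flavor is None or not flavor_visible(flavor, ctx):
        raise NotFound(flavor_id)
    return flavor

def boot_instance(flavor_id: str, ctx: Context) -> str:
    """boot: resolves the flavor through the same check as show, so a
    tenant cannot use a flavor id it is not allowed to see."""
    flavor = show_flavor(flavor_id, ctx)
    return f"instance on {flavor.name} for {ctx.project_id}"
```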
CVE References: CVE-2013-2256
| Target | Field | Change |
|---|---|---|
| (bug) | tags | added: api |
| nova | assignee | nobody → Russell Bryant (russellb) |
| ossa | status | Triaged → In Progress |
| (bug) | summary | Other tenants can access my private flavor. → Resource limit circumvention in Nova private flavors (CVE-2013-2256) |
| nova | status | Fix Committed → Fix Released |
| (bug) | no longer affects | tempest |
| ossa | status | In Progress → Fix Committed |
| (bug) | summary | Resource limit circumvention in Nova private flavors (CVE-2013-2256) → [OSSA 2013-019] Resource limit circumvention in Nova private flavors (CVE-2013-2256) |
| ossa | status | Fix Committed → Fix Released |
| nova | milestone | havana-2 → 2013.2 |
| (bug) | no longer affects | nova/folsom |
I just reproduced this.
I created a non-public flavor as an admin:
```text
$ . openrc admin
$ nova flavor-create test2 8 512 4 2 --is-public False
```
I switched to the regular user and could still see the flavor and start an instance with it. It was not included in "nova flavor-list".
```text
$ . openrc
$ nova flavor-show 8
+------
| Property | Value |
+------
| name | test2 |
| ram | 512 |
| OS-FLV-
| vcpus | 2 |
| extra_specs | {} |
| swap | |
| os-flavor-
| rxtx_factor | 1.0 |
| OS-FLV-
| disk | 4 |
| id | 8 |
+------
[rbryant@devstack devstack]$ nova flavor-show 7
+------
| Property | Value |
+------
| name | test1 |
| ram | 512 |
| OS-FLV-
| vcpus | 2 |
| extra_specs | {} |
| swap | |
| os-flavor-
| rxtx_factor | 1.0 |
| OS-FLV-
| disk | 4 |
| id | 7 |
+------
[rbryant@devstack devstack]$ nova boot --flavor 8 --image e1f736ac-
+------
| Property | Value |
+------
| OS-EXT-
| image | cirros-
| OS-EXT-STS:vm_state | building |
| OS-EXT-
| OS-SRV-
| flavor | test2 |
| id | 66c6c9df-
| security_groups | [{u'name': u'default'}] |
| user_id | d188cab557114a0
| OS-DCF:diskConfig | MANUAL |
| accessIPv4 | |
| accessIPv6 | |
| progress | 0 |
| OS-EXT-
| OS-EXT-
| config_drive | |
| status | BUILD ...
```