OpenStack Compute (nova)

[OSSA 2013-024] nova should check the is_public of flavor when creating an instance

Bug #1212179 reported by Ken'ichi Ohmichi
260
This bug affects 2 people
Affects Status Importance Assigned to Milestone
OpenStack Compute (nova)
Fix Released
Critical
Russell Bryant
OpenStack Compute (nova) 2013.2 "havana"
Grizzly
Fix Released
Critical
Russell Bryant
OpenStack Compute (nova) 2013.1.4
OpenStack Security Advisory
Fix Released
High
Thierry Carrez

Bug Description

If creating a flavor with is_public "false", the flavor should be accessible only by admin or user who is granted to access.
Now "get flavor details" API checks the is_public of flavor but "create an instance" API does not check.
In the following case, a user (not admin) cannot access non-public flavor through "get flavor details" API, this is right behavior.
However, he can access non-public flavor through "create an instance" API.

=== admin ==============================================================
$ nova flavor-create --is-public false private-flavor 6 512 0 1
+----+----------------+-----------+------+-----------+------+-------+-------------+-----------+
| ID | Name | Memory_MB | Disk | Ephemeral | Swap | VCPUs | RXTX_Factor | Is_Public |
+----+----------------+-----------+------+-----------+------+-------+-------------+-----------+
| 6 | private-flavor | 512 | 0 | 0 | | 1 | 1.0 | False |
+----+----------------+-----------+------+-----------+------+-------+-------------+-----------+
$
$ curl -i http://192.168.0.30:8774/v2/7a5c62d3cadb40d28e3c25acf7a05b05/flavors/5 -X GET -H "X-Auth-Project-Id: demo" -H "User-Agent: python-novaclient" -H "Accept: application/json" -H "X-Auth-Token: [..]"
HTTP/1.1 200 OK
Content-Type: application/json
Content-Length: 428
X-Compute-Request-Id: req-53ab8206-f458-441c-a0ca-d17e333f4247
Date: Wed, 14 Aug 2013 09:38:10 GMT

{"flavor": {"name": "m1.xlarge", "links": [{"href": "http://192.168.0.30:8774/v2/7a5c62d3cadb40d28e3c25acf7a05b05/flavors/5", "rel": "self"}, {"href": "http://192.168.0.30:8774/7a5c62d3cadb40d28e3c25acf7a05b05/flavors/5", "rel": "bookmark"}], "ram": 16384, "OS-FLV-DISABLED:disabled": false, "vcpus": 8, "swap": "", "os-flavor-access:is_public": true, "rxtx_factor": 1.0, "OS-FLV-EXT-DATA:ephemeral": 0, "disk": 160, "id": "5"}}
$

=== user("demo" user on devstack) ==============================================================
$ nova flavor-list
+----+-----------+-----------+------+-----------+------+-------+-------------+-----------+
| ID | Name | Memory_MB | Disk | Ephemeral | Swap | VCPUs | RXTX_Factor | Is_Public |
+----+-----------+-----------+------+-----------+------+-------+-------------+-----------+
| 1 | m1.tiny | 512 | 1 | 0 | | 1 | 1.0 | True |
| 2 | m1.small | 2048 | 20 | 0 | | 1 | 1.0 | True |
| 3 | m1.medium | 4096 | 40 | 0 | | 2 | 1.0 | True |
| 4 | m1.large | 8192 | 80 | 0 | | 4 | 1.0 | True |
| 42 | m1.nano | 64 | 0 | 0 | | 1 | 1.0 | True |
| 5 | m1.xlarge | 16384 | 160 | 0 | | 8 | 1.0 | True |
| 84 | m1.micro | 128 | 0 | 0 | | 1 | 1.0 | True |
+----+-----------+-----------+------+-----------+------+-------+-------------+-----------+
$
$ curl -i http://192.168.0.30:8774/v2/7a5c62d3cadb40d28e3c25acf7a05b05/flavors/6 -X GET -H "X-Auth-Project-Id: demo" -H "User-Agent: python-novaclient" -H "Accept: application/json" -H "X-Auth-Token: [..]"
HTTP/1.1 404 Not Found
Content-Length: 78
Content-Type: application/json; charset=UTF-8
X-Compute-Request-Id: req-a7ac7e99-6d29-4893-97a7-6705083739df
Date: Wed, 14 Aug 2013 09:36:52 GMT

{"itemNotFound": {"message": "The resource could not be found.", "code": 404}}
$
$ curl -i http://192.168.0.30:8774/v2/7a5c62d3cadb40d28e3c25acf7a05b05/servers -X POST -H "X-Auth-Project-Id: demo" -H "User-Agent: python-novaclient" -H "Content-Type: application/json" -H "Accept: application/json" -H "X-Auth-Token: [..]" -d '{"server": {"min_count": 1, "flavorRef": "6", "name": "test-not-public", "imageRef": "428f795d-01b0-44c8-a162-9ad86d1fea35", "max_count": 1}}'
HTTP/1.1 202 Accepted
Location: http://192.168.0.30:8774/v2/7a5c62d3cadb40d28e3c25acf7a05b05/servers/91407b32-7ed1-4108-9e62-192b3312ff20
Content-Type: application/json
Content-Length: 440
X-Compute-Request-Id: req-7e561044-100a-4d70-8b83-cebd21dca8e2
Date: Wed, 14 Aug 2013 09:41:50 GMT

{"server": {"security_groups": [{"name": "default"}], "OS-DCF:diskConfig": "MANUAL", "id": "91407b32-7ed1-4108-9e62-192b3312ff20", "links": [{"href": "http://192.168.0.30:8774/v2/7a5c62d3cadb40d28e3c25acf7a05b05/servers/91407b32-7ed1-4108-9e62-192b3312ff20", "rel": "self"}, {"href": "http://192.168.0.30:8774/7a5c62d3cadb40d28e3c25acf7a05b05/servers/91407b32-7ed1-4108-9e62-192b3312ff20", "rel": "bookmark"}], "adminPass": "xvFhTwd3yAzE"}}
$ nova list
+--------------------------------------+-----------------+--------+------------+-------------+------------------+
| ID | Name | Status | Task State | Power State | Networks |
+--------------------------------------+-----------------+--------+------------+-------------+------------------+
| 91407b32-7ed1-4108-9e62-192b3312ff20 | test-not-public | ACTIVE | None | Running | private=10.0.0.3 |
+--------------------------------------+-----------------+--------+------------+-------------+------------------+
$

OpenStack Infra (hudson-openstack)
Changed in nova:
assignee: nobody → Ken'ichi Ohmichi (oomichi)
status: New → In Progress
Revision history for this message
Jeremy Stanley (fungi) wrote :

Since the other instance of this problem resulted in issuing an advisory (OSSA 2013-019), I'm assuming this one warrants one as well. Opinions?

Changed in ossa:
status: New → Incomplete
information type: Public → Public Security
Revision history for this message
Thierry Carrez (ttx) wrote :

I suspect you are right.

Changed in ossa:
status: Incomplete → Confirmed
importance: Undecided → Medium
Revision history for this message
Russell Bryant (russellb) wrote :

Can you confirm that you're testing with a version that includes the fix for OSSA 2013-019 ? This sounds like a duplicate to me.

Revision history for this message
Thierry Carrez (ttx) wrote :

According to Russell that looks like a duplicate for bug 1194093, rather than a continuation: instance-create was fixed in OSSA 2013-019.

Ken'ichi Ohmichi: Could you check that you can reproduce the issue with current master branch ? Or one with http://github.com/openstack/nova/commit/b65d506a5f9d9b2b20777a9aceb44a8ffed6a5de in ?

Changed in ossa:
status: Confirmed → Incomplete
importance: Medium → Undecided
Revision history for this message
Ken'ichi Ohmichi (oomichi) wrote :

> Can you confirm that you're testing with a version that includes the fix for OSSA 2013-019 ?
> This sounds like a duplicate to me.

I have confirmed my environment including OSSA 2013-019(commit-id: b65d506a5f9d9b2b20777a9aceb44a8ffed6a5de).
On the environment, this problem happens.

Please see the part "user("demo" user on devstack)" of this report.
"show flavor" API (curl -i http://192.168.0.30:8774/v2/7a5c62d3cadb40d28e3c25acf7a05b05/flavors/6 -X GET) returns HTTP404 against not-public flavor.
However, "create instance" API (curl -i http://192.168.0.30:8774/v2/7a5c62d3cadb40d28e3c25acf7a05b05/servers -X POST) returns HTTP202, not 404.

This problem is related to OSSA 2013-019.
The commit (b65d506a5f9d9b2b20777a9aceb44a8ffed6a5de) fixes "list flavors" and "show flavor" APIS, but it does not include "create instance" API.

Revision history for this message
Ken'ichi Ohmichi (oomichi) wrote :

Hi Russell,

One more thing.
We need to port the patch of OSSA 2013-019(commit-id: b65d506a5f9d9b2b20777a9aceb44a8ffed6a5de) to nova v3 tree.
I have posted the patch for doing it, I am happy if you review it. (https://review.openstack.org/#/c/41843/)

Revision history for this message
Russell Bryant (russellb) wrote :
Download full text (4.1 KiB)

At first I thought I couldn't reproduce this, but I was only trying with novaclient. With novaclient, it looks like it doesn't work. It actually fails on trying to get flavor details and doesn't make it far enough to try to boot the server. So, it does appear there is a problem here.

$ . openrc admin

$ nova flavor-create test2 8 512 4 2 --is-public False
+----+-------+-----------+------+-----------+------+-------+-------------+-----------+
| ID | Name | Memory_MB | Disk | Ephemeral | Swap | VCPUs | RXTX_Factor | Is_Public |
 +----+-------+-----------+------+-----------+------+-------+-------------+-----------+
| 8 | test2 | 512 | 4 | 0 | | 2 | 1.0 | False |
 +----+-------+-----------+------+-----------+------+-------+-------------+-----------+

$ nova flavor-list --all
+----+-----------+-----------+------+-----------+------+-------+-------------+-----------+
| ID | Name | Memory_MB | Disk | Ephemeral | Swap | VCPUs | RXTX_Factor | Is_Public |
 +----+-----------+-----------+------+-----------+------+-------+-------------+-----------+
| 1 | m1.tiny | 512 | 1 | 0 | | 1 | 1.0 | True |
| 2 | m1.small | 2048 | 20 | 0 | | 1 | 1.0 | True |
| 3 | m1.medium | 4096 | 40 | 0 | | 2 | 1.0 | True |
| 4 | m1.large | 8192 | 80 | 0 | | 4 | 1.0 | True |
| 42 | m1.nano | 64 | 0 | 0 | | 1 | 1.0 | True |
| 5 | m1.xlarge | 16384 | 160 | 0 | | 8 | 1.0 | True |
| 8 | test2 | 512 | 4 | 0 | | 2 | 1.0 | False |
| 84 | m1.micro | 128 | 0 | 0 | | 1 | 1.0 | True |
 +----+-----------+-----------+------+-----------+------+-------+-------------+-----------+

$ . openrc demo

$ nova flavor-list --all
+----+-----------+-----------+------+-----------+------+-------+-------------+-----------+
| ID | Name | Memory_MB | Disk | Ephemeral | Swap | VCPUs | RXTX_Factor | Is_Public |
 +----+-----------+-----------+------+-----------+------+-------+-------------+-----------+
| 1 | m1.tiny | 512 | 1 | 0 | | 1 | 1.0 | True |
| 2 | m1.small | 2048 | 20 | 0 | | 1 | 1.0 | True |
| 3 | m1.medium | 4096 | 40 | 0 | | 2 | 1.0 | True |
| 4 | m1.large | 8192 | 80 | 0 | | 4 | 1.0 | True |
| 42 | m1.nano | 64 | 0 | 0 | | 1 | 1.0 | True |
| 5 | m1.xlarge | 16384 | 160 | 0 | | 8 | 1.0 | True |
| 84 | m1.micro | 128 | 0 | 0 | | 1 | 1.0 | True |
 +----+-----------+-----------+------+-----------+------+-------+-------------+-----------+

$ nova boot --flavor 8 --image 899f3f21-e3eb-41b2-b9b9-e805e1ec1e02 test
ERROR: No flavor with a name or ID of '8' exists.

$ curl -i http://162.209.53.10:8774/v2/c7708d0551034f97b1c5fceb848cfcf1/servers -X POST -H "X-Auth-Project-Id: demo"...

Read more...

Russell Bryant (russellb)
Changed in nova:
importance: Undecided → Critical
Thierry Carrez (ttx)
Changed in nova:
milestone: none → havana-3
Changed in ossa:
importance: Undecided → High
status: Incomplete → Confirmed
Russell Bryant (russellb)
Changed in nova:
assignee: Ken'ichi Ohmichi (oomichi) → Russell Bryant (russellb)
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to nova (master)

Reviewed: https://review.openstack.org/42922
Committed: http://github.com/openstack/nova/commit/4054cc4a22a1fea997dec76afb5646fd6c6ea6b9
Submitter: Jenkins
Branch: master

commit 4054cc4a22a1fea997dec76afb5646fd6c6ea6b9
Author: Russell Bryant <email address hidden>
Date: Tue Aug 20 11:06:12 2013 -0400

    Enforce flavor access during instance boot

    The code in the servers API did not pass the context when retrieving
    flavor details. That means it would use an admin context instead,
    bypassing all flavor access control checks.

    This patch includes the fix, and the corresponding unit test, for both
    the v2 and v3 APIs.

    Closes-bug: #1212179

    Change-Id: I681ae9965e19767df22fa74c3315e4e03a459d3b

Changed in nova:
status: In Progress → Fix Committed
Revision history for this message
Ken'ichi Ohmichi (oomichi) wrote : Re: nova should check the is_public of flavor when creating an instance

Too fast fixing, thanks!

Revision history for this message
Thierry Carrez (ttx) wrote :

Russell: could you backport the fix for Folsom/Grizzly (if they are affected as well) ?

Proposed Impact description:
=========================
Title: Resource limit circumvention in Nova private flavors
Reporter: Ken'ichi Ohmichi (NEC)
Products: Nova
Affects: All versions

Description:
Ken'ichi Ohmichi from NEC reported that the fix for OSSA 2013-019 (CVE-2013-2256) was incomplete. Any tenant was still able to boot any other tenant's private flavors by guessing a flavor ID. This potentially allowed circumvention of any resource limits enforced through the os-flavor-access:is_public property.
=========================

Changed in ossa:
assignee: nobody → Thierry Carrez (ttx)
status: Confirmed → Triaged
Revision history for this message
Thierry Carrez (ttx) wrote :

I suspect we can reuse the same CVE. Asking the CNA for confirmation.

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to nova (stable/grizzly)

Fix proposed to branch: stable/grizzly
Review: https://review.openstack.org/43281

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to nova (stable/folsom)

Fix proposed to branch: stable/folsom
Review: https://review.openstack.org/43296

Revision history for this message
Thierry Carrez (ttx) wrote : Re: nova should check the is_public of flavor when creating an instance

Please review impact statement

Revision history for this message
Thierry Carrez (ttx) wrote :

This was assigned CVE-2013-4278

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to nova (stable/folsom)

Reviewed: https://review.openstack.org/43296
Committed: http://github.com/openstack/nova/commit/6825959560e06725d26625fd21f5c0b78b305492
Submitter: Jenkins
Branch: stable/folsom

commit 6825959560e06725d26625fd21f5c0b78b305492
Author: Russell Bryant <email address hidden>
Date: Tue Aug 20 11:06:12 2013 -0400

    Enforce flavor access during instance boot

    The code in the servers API did not pass the context when retrieving
    flavor details. That means it would use an admin context instead,
    bypassing all flavor access control checks.

    This patch includes the fix, and the corresponding unit test for the v2
    API.

    Closes-bug: #1212179

    (cherry picked from commit 4054cc4a22a1fea997dec76afb5646fd6c6ea6b9)

    Conflicts:
     nova/api/openstack/compute/plugins/v3/servers.py
     nova/api/openstack/compute/servers.py
     nova/tests/api/openstack/compute/plugins/v3/test_servers.py
     nova/tests/api/openstack/compute/test_servers.py

    Change-Id: I681ae9965e19767df22fa74c3315e4e03a459d3b

Revision history for this message
Russell Bryant (russellb) wrote : Re: nova should check the is_public of flavor when creating an instance

The description is fine, thanks!

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to nova (stable/grizzly)

Reviewed: https://review.openstack.org/43281
Committed: http://github.com/openstack/nova/commit/8b686195afe7e6dfb46c56c1ef2fe9c993d8e495
Submitter: Jenkins
Branch: stable/grizzly

commit 8b686195afe7e6dfb46c56c1ef2fe9c993d8e495
Author: Russell Bryant <email address hidden>
Date: Tue Aug 20 11:06:12 2013 -0400

    Enforce flavor access during instance boot

    The code in the servers API did not pass the context when retrieving
    flavor details. That means it would use an admin context instead,
    bypassing all flavor access control checks.

    This patch includes the fix, and the corresponding unit test for the v2
    API.

    Closes-bug: #1212179

    (cherry picked from commit 4054cc4a22a1fea997dec76afb5646fd6c6ea6b9)

    Conflicts:
     nova/api/openstack/compute/plugins/v3/servers.py
     nova/api/openstack/compute/servers.py
     nova/tests/api/openstack/compute/plugins/v3/test_servers.py
     nova/tests/api/openstack/compute/test_servers.py

    Change-Id: I681ae9965e19767df22fa74c3315e4e03a459d3b

Thierry Carrez (ttx)
Changed in ossa:
status: Triaged → In Progress
status: In Progress → Fix Committed
Thierry Carrez (ttx)
Changed in ossa:
status: Fix Committed → Fix Released
summary: - nova should check the is_public of flavor when creating an instance
+ [OSSA 2013-024] nova should check the is_public of flavor when creating
+ an instance
Thierry Carrez (ttx)
Changed in nova:
status: Fix Committed → Fix Released
Thierry Carrez (ttx)
Changed in nova:
milestone: havana-3 → 2013.2
Sean Dague (sdague)
no longer affects: nova/folsom
To post a comment you must log in.
This report contains Public Security information  
Everyone can see this security related information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.