cleanup_incomplete_migrations periodic task regression with commit 099cf53 (CVE-2016-7498)

Bug #1589821 reported by Rajesh Tailor on 2016-06-07
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
OpenStack Compute (nova)
High
Matt Riedemann
Mitaka
High
Matt Riedemann
OpenStack Security Advisory
Undecided
Unassigned

Bug Description

Patch [1] changes the instance filtering condition in periodic task "cleanup_incomplete_migrations" introduced in [2], in such a way that it generates new issue, [3]

After change [1] lands, the condition changes filtering logic, so now all instances on current host are filtered, which is not expected.

We should filter all instances where instance uuids are associated with migration records and those migration status is set to 'error' and instance is marked as deleted.

[1] https://review.openstack.org/#/c/256102/
[2] https://review.openstack.org/#/c/219299/
[2] https://bugs.launchpad.net/nova/+bug/1586309

CVE References

Rajesh Tailor (ratailor) on 2016-06-07
Changed in nova:
assignee: nobody → Rajesh Tailor (ratailor)

Fix proposed to branch: master
Review: https://review.openstack.org/326262

Changed in nova:
status: New → In Progress
tags: added: compute
Rajesh Tailor (ratailor) on 2016-06-08
description: updated
Changed in nova:
assignee: Rajesh Tailor (ratailor) → Matt Riedemann (mriedem)
Matt Riedemann (mriedem) on 2016-06-08
Changed in nova:
importance: Undecided → High

Since the original fix was for a CVE bug:

https://bugs.launchpad.net/nova/+bug/1392527

OSSA 2015-017

CVE-2015-3280

And that was regressed with the change I made in mitaka, we effectively re-introduced the bug in Mitaka (I think?) so do we need a new OSSA for this?

Reviewed: https://review.openstack.org/326262
Committed: https://git.openstack.org/cgit/openstack/nova/commit/?id=adcc0e418b7d880a0b0bd60ea9d0ef1e2ef4e67e
Submitter: Jenkins
Branch: master

commit adcc0e418b7d880a0b0bd60ea9d0ef1e2ef4e67e
Author: Rajesh Tailor <email address hidden>
Date: Tue Jun 7 07:05:11 2016 +0000

    Revert "Optimize _cleanup_incomplete_migrations periodic task"

    The change modified instance filtering condition, which filters all
    deleted instances on current host, which is not as expected by periodic
    task.

    The periodic task expects instances, whose instance uuid are associated
    with migration record. And after filtering we only need to apply the
    instance deletion logic on instance files where instance.host is not
    set as current host (CONF.host).

    This reverts commit 099cf53925c0a0275325339f21932273ee9ce2bc.

    Change-Id: Ic71c939bef86f1e5cb485c6827c69c3d638f2e89
    Closes-Bug: 1589821

Changed in nova:
status: In Progress → Fix Released

Reviewed: https://review.openstack.org/327398
Committed: https://git.openstack.org/cgit/openstack/nova/commit/?id=f77af87cc34b3a00eb650f6bd3a68c7820647e17
Submitter: Jenkins
Branch: stable/mitaka

commit f77af87cc34b3a00eb650f6bd3a68c7820647e17
Author: Rajesh Tailor <email address hidden>
Date: Tue Jun 7 07:05:11 2016 +0000

    Revert "Optimize _cleanup_incomplete_migrations periodic task"

    The change modified instance filtering condition, which filters all
    deleted instances on current host, which is not as expected by periodic
    task.

    The periodic task expects instances, whose instance uuid are associated
    with migration record. And after filtering we only need to apply the
    instance deletion logic on instance files where instance.host is not
    set as current host (CONF.host).

    This reverts commit 099cf53925c0a0275325339f21932273ee9ce2bc.

    Change-Id: Ic71c939bef86f1e5cb485c6827c69c3d638f2e89
    Closes-Bug: 1589821
    (cherry picked from commit adcc0e418b7d880a0b0bd60ea9d0ef1e2ef4e67e)

Since this report concerns a possible security risk, an incomplete security advisory task has been added while the core security reviewers for the affected project or projects confirm the bug and discuss the scope of any vulnerability along with potential solutions.

So IIUC, nova mitaka version(s) is affected by OSSA 2015-017. Does the impact description still applies ?

Title: Nova may fail to delete images in resize state

Description:
If an authenticated user deletes an instance while it is in resize state, it will cause the original instance to not be deleted from the compute node it was running on. An attacker can use this to launch a denial of service attack. All Nova setups are affected.

This may need a new OSSA for this regression.

Changed in ossa:
status: New → Incomplete

This issue was fixed in the openstack/nova 13.1.0 release.

Matt, could you please confirm the impact description proposed in above comment #6 ?
If it's accurate, let's request a cve and issue a new OSSA for that mitaka regression.

Matt Riedemann (mriedem) wrote :

Tristan, yes it's accurate.

Here is the full impact description:

Title: Nova may fail to delete images in resize state
Reporter: Rajesh Tailor (Red Hat)
Products: Nova
Affects: >=13.0.0, <13.1.0

Description:
Rajesh Tailor from Red Hat reported a vulnerability in Nova. If an authenticated user deletes an instance while it is in resize state, it will cause the original instance to not be deleted from the compute node it was running on. An attacker can use this to launch a denial of service attack. All Nova setups are affected.

Note:
This bug is similar to OSSA-2015-017 (CVE-2015-3280) and was re-introduced in the first release of Mitaka version of Nova and it was re-fixed in nova-13.1.0.

Changed in ossa:
status: Incomplete → Confirmed

This issue was fixed in the openstack/nova 14.0.0.0b2 development milestone.

Since there was no point release between nova 13.0.0 and 13.1.0, I think we can safely scope this to just:

Affects: ==13.0.0

CVE requested with this description header (adding regression to the title)

Title: Nova may fail to delete images in resize state regression
Reporter: Rajesh Tailor (Red Hat)
Products: Nova
Affects: ==13.0.0

Changed in ossa:
status: Confirmed → In Progress
Jeremy Stanley (fungi) on 2016-09-21
summary: cleanup_incomplete_migrations periodic task regression with commit
- 099cf53925c0a0275325339f21932273ee9ce2bc
+ 099cf53 (CVE-2016-7498)
Changed in ossa:
status: In Progress → Fix Released
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers