[oss-security] [OSSA 2014-035] Nova VMware driver may connect VNC to another tenant's console (CVE-2014-8750)
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
OpenStack Compute (nova) |
Fix Released
|
High
|
Gary Kotton | ||
Icehouse |
Fix Released
|
High
|
Jeremy Stanley | ||
OpenStack Security Advisory |
Fix Released
|
High
|
Jeremy Stanley |
Bug Description
When spawning some instances, nova VMware driver could have a race condition in VNC port allocation. Although the get_vnc_port function has a lock it not guarantee that the whole vnc port allocation process is locked, so another instance could receive the same port if it requests the VNC port before nova has finished the vnc port allocation to another VM.
If the instances with the same VNC port are allocated in same host it could lead to a improper access to the instance console.
Reproduce the problem: Launch two or more instances at same time. In some cases one instance could execute the get_vnc_port and pick a port but before this instance has finished the _set_vnc_config another instance could execute get_vnc_port and pick the same port.
How often this occurs: unpredictable.
CVE References
summary: |
- Race condition in VNC port allocation when spanning a instance on VMware + Race condition in VNC port allocation when spawning a instance on VMware |
Changed in nova: | |
assignee: | nobody → Radoslav Gerganov (rgerganov) |
importance: | Undecided → High |
Changed in nova: | |
milestone: | none → juno-3 |
tags: | added: icehouse-backport-potential |
Changed in nova: | |
milestone: | juno-3 → juno-rc1 |
Changed in nova: | |
status: | Fix Committed → Fix Released |
Changed in ossa: | |
status: | Incomplete → Confirmed |
importance: | Undecided → Medium |
Changed in ossa: | |
assignee: | nobody → Jeremy Stanley (fungi) |
Changed in ossa: | |
status: | Confirmed → Triaged |
importance: | Medium → High |
Changed in ossa: | |
status: | Triaged → In Progress |
summary: |
Race condition in VNC port allocation when spawning a instance on VMware + (CVE-2014-8750) |
Changed in ossa: | |
status: | In Progress → Fix Committed |
summary: |
- Race condition in VNC port allocation when spawning a instance on VMware - (CVE-2014-8750) + [oss-security] [OSSA 2014-035] Nova VMware driver may connect VNC to + another tenant's console (CVE-2014-8750) |
Changed in ossa: | |
status: | Fix Committed → Fix Released |
Changed in nova: | |
milestone: | juno-rc1 → 2014.2 |
Fix proposed to branch: master /review. openstack. org/114548
Review: https:/