[OSSA-2017-005] nova rebuild ignores all image properties and scheduler filters (CVE-2017-16239)
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
OpenStack Compute (nova) | Fix Released | High | Matt Riedemann |
Newton | Fix Committed | High | Tony Breeds |
Ocata | Fix Committed | High | Matt Riedemann |
Pike | Fix Committed | High | Matt Riedemann |
OpenStack Security Advisory | Fix Released | High | Jeremy Stanley |
Ubuntu Cloud Archive | Fix Released | High | Unassigned |
Newton | Fix Released | High | Unassigned |
Ocata | Fix Released | High | Unassigned |
Pike | Fix Released | High | Unassigned |
nova (Ubuntu) | Fix Released | High | Unassigned |
Zesty | Fix Released | High | Unassigned |
Artful | Fix Released | High | Unassigned |

Bug Description
Big picture: If some image has some restriction on aggregates or hosts it can be run on, a tenant may use the nova rebuild command to circumvent those restrictions. The main issue is with ImageProperties.
I don't know if this is a security bug or not; if you find it a non-security issue, please remove the security flag.
Steps to reproduce:
1. Set up nova with ImageProperties
2. Boot instance with some other (non-restricted) image on 'host2'.
3. Use nova rebuild INSTANCE image1
Expected result:
nova rejects rebuild because given image ('image1') may not run on 'host2'.
Actual result:
nova happily rebuilds the instance with image1 on host2, violating restrictions.
Checked affected version: mitaka.
I believe, due to the way 'rebuild' command is working, newton and master are affected too.
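
The reported behaviour and the expected check, as an added example that is not part of the original report and is not nova's code: a simplified model in which boot runs an image-properties check and rebuild either skips it or re-runs it against the instance's current host. All class and function names, and the sample hosts and image properties, are constructed for illustration.

```python
from dataclasses import dataclass, field

# Simplified model of the report; every name here is hypothetical, not nova's API.
RESTRICTING_KEYS = ("hypervisor_type", "architecture")

@dataclass
class Host:
    name: str
    hypervisor_type: str
    architecture: str

@dataclass
class Image:
    name: str
    properties: dict = field(default_factory=dict)  # host restrictions, if any

@dataclass
class Instance:
    host: Host
    image: Image

class NoValidHost(Exception):
    pass

def image_properties_filter(host, image):
    """Return True if the host satisfies every restriction set on the image."""
    return all(image.properties.get(k) in (None, getattr(host, k))
               for k in RESTRICTING_KEYS)

def boot(hosts, image):
    """Boot path: only hosts that pass the filter are candidates."""
    for host in hosts:
        if image_properties_filter(host, image):
            return Instance(host, image)
    raise NoValidHost(image.name)

def rebuild_unchecked(instance, new_image):
    """Behaviour in the report: the image is swapped with no filter run."""
    instance.image = new_image
    return instance

def rebuild_checked(instance, new_image):
    """Expected behaviour: a changed image is validated against the current host."""
    if new_image.name != instance.image.name and \
            not image_properties_filter(instance.host, new_image):
        raise NoValidHost(f"{new_image.name} may not run on {instance.host.name}")
    instance.image = new_image
    return instance

# Constructed sample data mirroring the reproduction steps.
HOST1 = Host("host1", "qemu", "x86_64")
HOST2 = Host("host2", "vmware", "x86_64")
PLAIN = Image("plain")                                  # non-restricted image
IMAGE1 = Image("image1", {"hypervisor_type": "qemu"})   # restricted to host1
```
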
Changed in ossa:
status: New → Incomplete
Changed in nova:
status: Confirmed → In Progress
importance: Undecided → High
assignee: nobody → Matt Riedemann (mriedem)
Changed in ossa:
status: Confirmed → Triaged
importance: Undecided → High
assignee: nobody → Jeremy Stanley (fungi)
Changed in ossa:
status: Triaged → In Progress
summary:
- nova rebuild ignores all image properties and scheduler filters (CVE-2017-16239)
+ [OSSA-2017-005] nova rebuild ignores all image properties and scheduler filters (CVE-2017-16239)
description: updated
information type: Private Security → Public Security
Changed in ossa:
status: Fix Committed → Fix Released
Changed in nova (Ubuntu):
status: New → Triaged
importance: Undecided → High
Changed in nova (Ubuntu):
status: Triaged → Fix Committed
status: Fix Committed → Fix Released
Changed in nova (Ubuntu Zesty):
status: New → Fix Released
importance: Undecided → High
Changed in nova (Ubuntu Artful):
importance: Undecided → High
status: New → Fix Released
Changed in cloud-archive:
importance: Undecided → High
status: New → Fix Released
Since this report concerns a possible security risk, an incomplete security advisory task has been added while the core security reviewers for the affected project or projects confirm the bug and discuss the scope of any vulnerability along with potential solutions.