| 2017-02-15 10:39:46 |
George Shuklin |
bug |
|
|
added bug |
| 2017-02-15 10:55:31 |
George Shuklin |
bug task added |
|
nova (Ubuntu) |
|
| 2017-02-15 13:21:45 |
Jeremy Stanley |
bug |
|
|
added subscriber Nova Core security contacts |
| 2017-02-15 13:22:35 |
Jeremy Stanley |
bug task added |
|
ossa |
|
| 2017-02-15 13:24:32 |
Jeremy Stanley |
ossa: status |
New |
Incomplete |
|
| 2017-02-15 15:44:13 |
Jeremy Stanley |
description |
Big picture: If some image has some restriction on aggregates or hosts it can be run on, tenant may use nova rebuild command to circumvent those restrictions. Main issue is with ImagePropertiesFilter, but it may cause issues with combination of flavor/image (for example allows to run license restricted OS (Windows) on host which has no such license, or rebuild instance with cheap flavor with image which is restricted only for high-priced flavors).
I don't know if this is a security bug or not, if you would find it non-security issue, please remove the security flag.
Steps to reproduce:
1. Set up nova with ImagePropertiesFilter or IsolatedHostsFilter active. They should allows to run 'image1' only on 'host1', but never on 'host2'.
2. Boot instance with some other (non-restricted) image on 'host2'.
3. Use nova rebuild INSTANCE image1
Expected result:
nova rejects rebuild because given image ('image1') may not run on 'host2'.
Actual result:
nova happily rebuild instance with image1 on host2, violating restrictions.
Checked affected version: mitaka.
I believe, due to the way 'rebuild' command is working, newton and master are affected too. |
This issue is being treated as a potential security risk under embargo. Please do not make any public mention of embargoed (private) security vulnerabilities before their coordinated publication by the OpenStack Vulnerability Management Team in the form of an official OpenStack Security Advisory. This includes discussion of the bug or associated fixes in public forums such as mailing lists, code review systems and bug trackers. Please also avoid private disclosure to other individuals not already approved for access to this information, and provide this same reminder to those who are made aware of the issue prior to publication. All discussion should remain confined to this private bug report, and any proposed fixes should be added to the bug as attachments.
Big picture: If some image has some restriction on aggregates or hosts it can be run on, tenant may use nova rebuild command to circumvent those restrictions. Main issue is with ImagePropertiesFilter, but it may cause issues with combination of flavor/image (for example allows to run license restricted OS (Windows) on host which has no such license, or rebuild instance with cheap flavor with image which is restricted only for high-priced flavors).
I don't know if this is a security bug or not, if you would find it non-security issue, please remove the security flag.
Steps to reproduce:
1. Set up nova with ImagePropertiesFilter or IsolatedHostsFilter active. They should allows to run 'image1' only on 'host1', but never on 'host2'.
2. Boot instance with some other (non-restricted) image on 'host2'.
3. Use nova rebuild INSTANCE image1
Expected result:
nova rejects rebuild because given image ('image1') may not run on 'host2'.
Actual result:
nova happily rebuild instance with image1 on host2, violating restrictions.
Checked affected version: mitaka.
I believe, due to the way 'rebuild' command is working, newton and master are affected too. |
|
| 2017-02-15 21:54:07 |
Matt Riedemann |
bug |
|
|
added subscriber Sylvain Bauza |
| 2017-02-15 21:58:33 |
Matt Riedemann |
nova: status |
New |
Confirmed |
|
| 2017-02-15 23:09:21 |
Sylvain Bauza |
attachment added |
|
0001-Rebuild-should-verify-the-host.patch https://bugs.launchpad.net/nova/+bug/1664931/+attachment/4819815/+files/0001-Rebuild-should-verify-the-host.patch |
|
| 2017-02-15 23:29:39 |
Sylvain Bauza |
attachment removed |
0001-Rebuild-should-verify-the-host.patch https://bugs.launchpad.net/nova/+bug/1664931/+attachment/4819815/+files/0001-Rebuild-should-verify-the-host.patch |
|
|
| 2017-02-15 23:31:24 |
Sylvain Bauza |
attachment added |
|
0001-Rebuild-should-verify-the-host.patch https://bugs.launchpad.net/nova/+bug/1664931/+attachment/4819816/+files/0001-Rebuild-should-verify-the-host.patch |
|
| 2017-03-17 14:38:47 |
Jeremy Stanley |
ossa: status |
Incomplete |
Confirmed |
|
| 2017-03-29 21:16:17 |
Matt Riedemann |
bug |
|
|
added subscriber Matt Riedemann |
| 2017-10-27 15:56:05 |
Jeremy Stanley |
bug |
|
|
added subscriber OSSG CoreSec |
| 2017-10-27 19:52:37 |
Matt Riedemann |
nova: status |
Confirmed |
In Progress |
|
| 2017-10-27 19:52:38 |
Matt Riedemann |
nova: importance |
Undecided |
High |
|
| 2017-10-27 19:52:40 |
Matt Riedemann |
nova: assignee |
|
Matt Riedemann (mriedem) |
|
| 2017-10-27 19:52:56 |
Matt Riedemann |
nominated for series |
|
nova/newton |
|
| 2017-10-27 19:52:56 |
Matt Riedemann |
bug task added |
|
nova/newton |
|
| 2017-10-27 19:52:56 |
Matt Riedemann |
nominated for series |
|
nova/ocata |
|
| 2017-10-27 19:52:56 |
Matt Riedemann |
bug task added |
|
nova/ocata |
|
| 2017-10-27 19:52:56 |
Matt Riedemann |
nominated for series |
|
nova/pike |
|
| 2017-10-27 19:52:56 |
Matt Riedemann |
bug task added |
|
nova/pike |
|
| 2017-10-27 20:10:11 |
Matt Riedemann |
attachment added |
|
Validate-new-image-via-scheduler-during-rebuild.patch https://bugs.launchpad.net/nova/+bug/1664931/+attachment/4998232/+files/Validate-new-image-via-scheduler-during-rebuild.patch |
|
| 2017-10-27 20:43:28 |
Matt Riedemann |
attachment added |
|
master branch (queens) fix https://bugs.launchpad.net/nova/+bug/1664931/+attachment/4998241/+files/Validate-new-image-via-scheduler-during-rebuild-master.patch |
|
| 2017-10-27 21:36:02 |
Matt Riedemann |
attachment added |
|
pike backport https://bugs.launchpad.net/nova/+bug/1664931/+attachment/4998254/+files/Validate-new-image-via-scheduler-during-rebuild-pike.patch |
|
| 2017-10-27 21:36:12 |
Matt Riedemann |
nova/newton: status |
New |
In Progress |
|
| 2017-10-27 21:36:14 |
Matt Riedemann |
nova/newton: importance |
Undecided |
High |
|
| 2017-10-27 21:36:16 |
Matt Riedemann |
nova/newton: assignee |
|
Matt Riedemann (mriedem) |
|
| 2017-10-27 22:59:37 |
Matt Riedemann |
attachment added |
|
ocata backport https://bugs.launchpad.net/nova/+bug/1664931/+attachment/4998270/+files/Validate-new-image-via-scheduler-during-rebuild-ocata.patch |
|
| 2017-10-28 00:02:03 |
Matt Riedemann |
attachment added |
|
newton backport https://bugs.launchpad.net/nova/+bug/1664931/+attachment/4998361/+files/Validate-new-image-via-scheduler-during-rebuild-newton.patch |
|
| 2017-10-28 00:02:12 |
Matt Riedemann |
nova/ocata: status |
New |
In Progress |
|
| 2017-10-28 00:02:15 |
Matt Riedemann |
nova/pike: status |
New |
In Progress |
|
| 2017-10-28 00:02:18 |
Matt Riedemann |
nova/pike: importance |
Undecided |
High |
|
| 2017-10-28 00:02:20 |
Matt Riedemann |
nova/ocata: assignee |
|
Matt Riedemann (mriedem) |
|
| 2017-10-28 00:02:22 |
Matt Riedemann |
nova/ocata: importance |
Undecided |
High |
|
| 2017-10-28 00:02:25 |
Matt Riedemann |
nova/pike: assignee |
|
Matt Riedemann (mriedem) |
|
| 2017-10-28 23:53:37 |
Matt Riedemann |
attachment added |
|
master branch patch v2 https://bugs.launchpad.net/nova/+bug/1664931/+attachment/4999114/+files/Validate-new-image-via-scheduler-during-rebuild-master.patch |
|
| 2017-10-28 23:54:04 |
Matt Riedemann |
attachment added |
|
pike backport v2 https://bugs.launchpad.net/nova/+bug/1664931/+attachment/4999115/+files/Validate-new-image-via-scheduler-during-rebuild-pike.patch |
|
| 2017-10-28 23:54:36 |
Matt Riedemann |
attachment added |
|
ocata backport v2 https://bugs.launchpad.net/nova/+bug/1664931/+attachment/4999116/+files/Validate-new-image-via-scheduler-during-rebuild-ocata.patch |
|
| 2017-10-28 23:54:56 |
Matt Riedemann |
attachment added |
|
newton backport v2 https://bugs.launchpad.net/nova/+bug/1664931/+attachment/4999117/+files/Validate-new-image-via-scheduler-during-rebuild-newton.patch |
|
| 2017-10-30 16:23:54 |
Jeremy Stanley |
ossa: status |
Confirmed |
Triaged |
|
| 2017-10-30 16:23:57 |
Jeremy Stanley |
ossa: importance |
Undecided |
High |
|
| 2017-10-30 16:24:01 |
Jeremy Stanley |
ossa: assignee |
|
Jeremy Stanley (fungi) |
|
| 2017-10-30 18:36:45 |
Jeremy Stanley |
ossa: status |
Triaged |
In Progress |
|
| 2017-10-31 12:19:00 |
Jeremy Stanley |
summary |
nova rebuild ignores all image properties and scheduler filters |
nova rebuild ignores all image properties and scheduler filters (CVE-2017-16239) |
|
| 2017-10-31 12:19:54 |
Jeremy Stanley |
cve linked |
|
2017-16239 |
|
| 2017-10-31 21:07:05 |
Jeremy Stanley |
ossa: status |
In Progress |
Fix Committed |
|
| 2017-10-31 21:07:47 |
Jeremy Stanley |
bug |
|
|
added subscriber Canonical Security Team |
| 2017-10-31 23:35:12 |
Jeremy Stanley |
bug |
|
|
added subscriber Mohammed Naser |
| 2017-11-01 21:01:08 |
Jeremy Stanley |
bug |
|
|
added subscriber Joshua Padman |
| 2017-11-02 15:13:09 |
Tristan Cacqueray |
bug |
|
|
added subscriber Nolwenn Cauchois |
| 2017-11-05 05:43:39 |
Jeremy Stanley |
bug |
|
|
added subscriber Matt Van Winkle |
| 2017-11-14 15:01:26 |
Tristan Cacqueray |
summary |
nova rebuild ignores all image properties and scheduler filters (CVE-2017-16239) |
[OSSA-2017-005] nova rebuild ignores all image properties and scheduler filters (CVE-2017-16239) |
|
| 2017-11-14 15:01:48 |
Tristan Cacqueray |
description |
This issue is being treated as a potential security risk under embargo. Please do not make any public mention of embargoed (private) security vulnerabilities before their coordinated publication by the OpenStack Vulnerability Management Team in the form of an official OpenStack Security Advisory. This includes discussion of the bug or associated fixes in public forums such as mailing lists, code review systems and bug trackers. Please also avoid private disclosure to other individuals not already approved for access to this information, and provide this same reminder to those who are made aware of the issue prior to publication. All discussion should remain confined to this private bug report, and any proposed fixes should be added to the bug as attachments.
Big picture: If some image has some restriction on aggregates or hosts it can be run on, tenant may use nova rebuild command to circumvent those restrictions. Main issue is with ImagePropertiesFilter, but it may cause issues with combination of flavor/image (for example allows to run license restricted OS (Windows) on host which has no such license, or rebuild instance with cheap flavor with image which is restricted only for high-priced flavors).
I don't know if this is a security bug or not, if you would find it non-security issue, please remove the security flag.
Steps to reproduce:
1. Set up nova with ImagePropertiesFilter or IsolatedHostsFilter active. They should allows to run 'image1' only on 'host1', but never on 'host2'.
2. Boot instance with some other (non-restricted) image on 'host2'.
3. Use nova rebuild INSTANCE image1
Expected result:
nova rejects rebuild because given image ('image1') may not run on 'host2'.
Actual result:
nova happily rebuild instance with image1 on host2, violating restrictions.
Checked affected version: mitaka.
I believe, due to the way 'rebuild' command is working, newton and master are affected too. |
Big picture: If some image has some restriction on aggregates or hosts it can be run on, tenant may use nova rebuild command to circumvent those restrictions. Main issue is with ImagePropertiesFilter, but it may cause issues with combination of flavor/image (for example allows to run license restricted OS (Windows) on host which has no such license, or rebuild instance with cheap flavor with image which is restricted only for high-priced flavors).
I don't know if this is a security bug or not, if you would find it non-security issue, please remove the security flag.
Steps to reproduce:
1. Set up nova with ImagePropertiesFilter or IsolatedHostsFilter active. They should allows to run 'image1' only on 'host1', but never on 'host2'.
2. Boot instance with some other (non-restricted) image on 'host2'.
3. Use nova rebuild INSTANCE image1
Expected result:
nova rejects rebuild because given image ('image1') may not run on 'host2'.
Actual result:
nova happily rebuild instance with image1 on host2, violating restrictions.
Checked affected version: mitaka.
I believe, due to the way 'rebuild' command is working, newton and master are affected too. |
|
| 2017-11-14 15:05:08 |
Tristan Cacqueray |
information type |
Private Security |
Public Security |
|
| 2017-11-14 16:20:51 |
Ubuntu Foundations Team Bug Bot |
tags |
|
patch |
|
| 2017-11-14 16:20:59 |
Ubuntu Foundations Team Bug Bot |
bug |
|
|
added subscriber Ubuntu Review Team |
| 2017-11-14 20:27:13 |
OpenStack Infra |
nova: status |
In Progress |
Fix Released |
|
| 2017-11-14 20:27:35 |
OpenStack Infra |
nova/pike: status |
In Progress |
Fix Committed |
|
| 2017-11-14 20:28:42 |
OpenStack Infra |
nova/ocata: status |
In Progress |
Fix Committed |
|
| 2017-11-14 22:20:50 |
OpenStack Infra |
tags |
patch |
in-stable-pike patch |
|
| 2017-11-14 22:21:02 |
OpenStack Infra |
tags |
in-stable-pike patch |
in-stable-ocata in-stable-pike patch |
|
| 2017-11-15 15:51:09 |
Jeremy Stanley |
ossa: status |
Fix Committed |
Fix Released |
|
| 2017-11-16 02:58:12 |
OpenStack Infra |
nova/newton: assignee |
Matt Riedemann (mriedem) |
Tony Breeds (o-tony) |
|
| 2017-11-16 17:32:09 |
OpenStack Infra |
nova/newton: status |
In Progress |
Fix Committed |
|
| 2017-11-16 17:53:36 |
OpenStack Infra |
tags |
in-stable-ocata in-stable-pike patch |
in-stable-newton in-stable-ocata in-stable-pike patch |
|
| 2017-12-05 13:57:14 |
James Page |
nova (Ubuntu): status |
New |
Triaged |
|
| 2017-12-05 13:57:18 |
James Page |
nova (Ubuntu): importance |
Undecided |
High |
|
| 2017-12-05 13:57:34 |
James Page |
bug |
|
|
added subscriber Ubuntu Security Team |
| 2017-12-13 20:23:28 |
Corey Bryant |
nova (Ubuntu): status |
Triaged |
Fix Committed |
|
| 2017-12-13 20:23:51 |
Corey Bryant |
nova (Ubuntu): status |
Fix Committed |
Fix Released |
|
| 2017-12-19 18:56:46 |
Corey Bryant |
nominated for series |
|
Ubuntu Artful |
|
| 2017-12-19 18:56:46 |
Corey Bryant |
bug task added |
|
nova (Ubuntu Artful) |
|
| 2017-12-19 18:56:46 |
Corey Bryant |
nominated for series |
|
Ubuntu Zesty |
|
| 2017-12-19 18:56:46 |
Corey Bryant |
bug task added |
|
nova (Ubuntu Zesty) |
|
| 2017-12-19 18:57:00 |
Corey Bryant |
nova (Ubuntu Zesty): status |
New |
Fix Released |
|
| 2017-12-19 18:57:04 |
Corey Bryant |
nova (Ubuntu Zesty): importance |
Undecided |
High |
|
| 2017-12-19 18:57:06 |
Corey Bryant |
nova (Ubuntu Artful): importance |
Undecided |
High |
|
| 2017-12-19 18:57:10 |
Corey Bryant |
nova (Ubuntu Artful): status |
New |
Fix Released |
|
| 2017-12-19 18:57:37 |
Corey Bryant |
bug task added |
|
cloud-archive |
|
| 2017-12-19 18:57:55 |
Corey Bryant |
nominated for series |
|
cloud-archive/pike |
|
| 2017-12-19 18:57:55 |
Corey Bryant |
bug task added |
|
cloud-archive/pike |
|
| 2017-12-19 18:57:55 |
Corey Bryant |
nominated for series |
|
cloud-archive/newton |
|
| 2017-12-19 18:57:55 |
Corey Bryant |
bug task added |
|
cloud-archive/newton |
|
| 2017-12-19 18:57:55 |
Corey Bryant |
nominated for series |
|
cloud-archive/ocata |
|
| 2017-12-19 18:57:55 |
Corey Bryant |
bug task added |
|
cloud-archive/ocata |
|
| 2017-12-19 18:58:11 |
Corey Bryant |
cloud-archive: importance |
Undecided |
High |
|
| 2017-12-19 18:58:11 |
Corey Bryant |
cloud-archive: status |
New |
Fix Released |
|
| 2017-12-19 18:58:31 |
Corey Bryant |
cloud-archive/newton: importance |
Undecided |
High |
|
| 2017-12-19 18:58:31 |
Corey Bryant |
cloud-archive/newton: status |
New |
Fix Released |
|
| 2017-12-19 18:58:50 |
Corey Bryant |
cloud-archive/ocata: importance |
Undecided |
High |
|
| 2017-12-19 18:58:50 |
Corey Bryant |
cloud-archive/ocata: status |
New |
Fix Released |
|
| 2017-12-19 18:59:20 |
Corey Bryant |
cloud-archive/pike: importance |
Undecided |
High |
|
| 2017-12-19 18:59:20 |
Corey Bryant |
cloud-archive/pike: status |
New |
Fix Released |
|
| 2018-07-25 18:52:56 |
Jamie Strandboge |
removed subscriber Canonical Security Team |
|
|
|
