Comment 54 for bug 2004555

Jeremy Stanley (fungi) wrote : Re: [ussuri] Wrong volume attachment - volumes overlapping when connected through iscsi on host

We have attached patches at this point for cinder, nova and (2 for) os-brick. It's not yet clear that there's consensus from the reviewers on this bug that the proposed fixes are sufficient and appropriate for backporting (at least to officially maintained stable branches, so as far back as stable/xena right now). Assuming the chosen fixes are suitable for backport, class A seems like the closest fit based on hints in comments #35 and #38 that there is an easily-exploitable condition for a normal user of the environment (but as yet the details have not been explained, as far as I've seen here). Of course, before I can attempt to summarize this set of risks into an appropriate impact description, we'll need more information on that.

Following our current 90-day maximum embargo policy we have at most 8 weeks to figure this out, but of course it would be better to have it over and done with at the soonest opportunity. Basically if we can get consensus on the patches and a clearer explanation for the exploit scenarios and possible mitigations, then I'll apply for a CVE assignment from MITRE with that information. In parallel, we'll need clean patches for all of the above fixes backported at least as far as stable/xena. Once we have all that, we'll pick a disclosure date roughly a week out and send advance copies of the description and patches to downstream stakeholders so they can begin preparing their own packages.

Note that an additional wrinkle is the looming OpenStack 2023.1 coordinated release, which means that stable/2023.1 branches have already been created and we'll need backports from master to those as well (though I expect they'll be identical to the master branch patches in most cases). We'll also need to make sure to list the OpenStack 2023.1 release versions as affected since I highly doubt we'll publish in time to make one of the final RCs.