[OSSA 2014-038] List instances by IP results in DoS of nova-network (CVE-2014-3708)
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
OpenStack Compute (nova) | Fix Released | High | Tristan Cacqueray |
Icehouse | Fix Released | High | Tristan Cacqueray |
Juno | Fix Released | High | Tristan Cacqueray |
OpenStack Security Advisory | Fix Released | Medium | Tristan Cacqueray |
Bug Description
Hi,
On a customer install which has approximately 500 VMs in the system, running the following will hang:
nova list --ip 199
What will happen afterwards is that the nova-network process will stop responding for a while; a trace shows that it's receiving a huge amount of data. Upon further investigation, it looks like the issue may be right here:
https:/
On this installation:
nova=> select count(*) from virtual_interfaces;
count
-------
11985
(1 row)
So with 1 run, we're sending almost 12K records to a single nova-network process which takes up a huge CPU load (and blocks it from doing anything else).
What ends up happening is other things start timing out in the system, such as resizes and new deployments:
2014-08-19 03:44:49.511 31562 ERROR nova.compute.
2014-08-19 03:44:49.511 31562 TRACE nova.compute.
[remaining TRACE lines truncated in source]
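The report above describes the classic "fetch everything, filter in the service" pattern: one `nova list --ip` call makes nova-network pull every virtual_interfaces/fixed_ips row (about 12K on this deployment) and apply the user's regex in Python, so a single authenticated API call monopolises a shared worker. The block below is an added, illustrative example, not nova's code or its actual fix: it builds a constructed in-memory SQLite table sized like the reporter's numbers, shows the vulnerable in-process filter next to a hardened version that validates the filter, evaluates it inside the database and bounds the result set, and returns how many rows crossed the database boundary in each case. The table layout, the function names, the character allowlist, the `limit` parameter and the SQLite `REGEXP` user function are all assumptions made for the example.

```python
"""Illustrative reproduction of the pattern behind CVE-2014-3708 (filter every
row inside the service) beside a hardened version that pushes the filter into
the database. Added example with constructed data; not nova's own code."""
import re
import sqlite3

# Allowlist for the user-supplied IP filter: digits, hex, dots, colons and a
# few regex anchors/quantifiers. An assumption for this example, not nova's rule;
# it keeps arbitrary regexes (and their backtracking cost) out of the query path.
_IP_FILTER_RE = re.compile(r"^[0-9a-fA-F.:^$*?]{1,64}$")


def make_sample_db(n_instances=500, ips_per_instance=24):
    """Constructed data shaped like the report: ~500 instances and ~12K fixed_ips
    rows. Most addresses are 10.x.y.z; every 50th instance also owns one
    199.0.y.z address so the filter has something to match."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE fixed_ips (id INTEGER PRIMARY KEY, "
        "instance_uuid TEXT, address TEXT)"
    )
    rows = []
    for i in range(n_instances):
        uuid = f"inst-{i:04d}"
        for j in range(ips_per_instance):
            if j == 0 and i % 50 == 0:
                addr = f"199.0.{i // 256}.{i % 256}"
            else:
                k = i * ips_per_instance + j
                addr = f"10.{k // 65536}.{(k // 256) % 256}.{k % 256}"
            rows.append((uuid, addr))
    conn.executemany(
        "INSERT INTO fixed_ips (instance_uuid, address) VALUES (?, ?)", rows
    )
    conn.commit()
    return conn


def instances_by_ip_filter_in_process(conn, ip_filter):
    """Vulnerable pattern: fetch every row, then regex-match in the service.
    Returns (matching instance uuids, number of rows that left the database)."""
    pat = re.compile(ip_filter)
    rows = conn.execute("SELECT instance_uuid, address FROM fixed_ips").fetchall()
    matches = {uuid for uuid, addr in rows if pat.match(addr)}
    return matches, len(rows)


def instances_by_ip_filter_in_db(conn, ip_filter, limit=1000):
    """Hardened pattern: validate the filter, evaluate it inside the database and
    cap the result, so only matching rows reach the service. SQLite's REGEXP
    operator calls a user function regexp(pattern, value); MySQL and PostgreSQL
    have native operators and would not need the registration."""
    if not _IP_FILTER_RE.match(ip_filter):
        raise ValueError("ip filter contains characters outside the allowlist")
    pat = re.compile(ip_filter)
    conn.create_function("REGEXP", 2, lambda _p, s: 1 if pat.match(s) else 0)
    rows = conn.execute(
        "SELECT DISTINCT instance_uuid FROM fixed_ips "
        "WHERE address REGEXP ? LIMIT ?",
        (ip_filter, limit),
    ).fetchall()
    return {r[0] for r in rows}, len(rows)


if __name__ == "__main__":
    db = make_sample_db()
    _, pulled = instances_by_ip_filter_in_process(db, "199")
    print(f"in-process filter pulled {pulled} rows into the service")
    _, pulled = instances_by_ip_filter_in_db(db, "199")
    print(f"in-database filter pulled {pulled} rows into the service")
```

Both functions return the same ten instances for the filter `199`, but the first hands all 12,000 rows to the calling process while the second hands over ten. A database-side regex still scans the whole table inside the database engine, so where the filter is a plain prefix a `LIKE '199%'` predicate on an indexed column is cheaper still; the point that matters for this bug is that the scan no longer happens in a single-threaded service that other tenants depend on.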
CVE References
CVE-2014-3708
Changed in ossa: | |
status: | Incomplete → Confirmed |
Changed in ossa: | |
importance: | Undecided → Medium |
Changed in nova: | |
status: | New → Confirmed |
Changed in nova: | |
importance: | Undecided → High |
milestone: | none → juno-rc1 |
Changed in ossa: | |
status: | Triaged → In Progress |
assignee: | nobody → Tristan Cacqueray (tristan-cacqueray) |
summary: |
- List instances by IP results in DoS of nova-network
+ List instances by IP results in DoS of nova-network (CVE-2014-3708)
information type: | Private Security → Public Security |
summary: |
- List instances by IP results in DoS of nova-network (CVE-2014-3708)
+ [OSSA 2014-038] List instances by IP results in DoS of nova-network (CVE-2014-3708)
Changed in nova: | |
status: | In Progress → Fix Committed |
Changed in ossa: | |
status: | Fix Committed → Fix Released |
Changed in nova: | |
milestone: | none → kilo-1 |
status: | Fix Committed → Fix Released |
Changed in nova: | |
milestone: | kilo-1 → 2015.1.0 |
Thanks for the report; the OSSA task is set to incomplete pending additional security review from @nova-coresec.