OpenStack Security Advisory

  1. Bug #1732976
  2. Comment #18

Comment 18 for bug 1732976

Revision history for this message
Jeremy Stanley (fungi) wrote : Re: Potential DoS by rebuilding the same instance with a new image multiple times

Matt: Please proceed with 521186 and its associated backports; we'll send announcements with the OSSA-2017-005/CVE-2017-16239 errata once those merge. As for 521662 I'd like to include (a link to) the stable/pike backport in a pre-OSSA once it's ready. Assuming we have a viable backport for this bug within the next couple days, I'd like to propose 15:00 UTC on Tuesday, December 5 as the disclosure date/time.

Here's my proposed impact description for this bug (which I'll use to request a new CVE for the denial of service vulnerability if accurate):

Title: Nova ResourceTracker misses rebuilt resources with new images
Reporter: Matt Riedemann (Huawei)
Products: Nova
Affects: 16.0.3

Description:
Matt Riedemann from Huawei reported a vulnerability in OpenStack Nova's default FilterScheduler. By repeatedly rebuilding an instance with new images, an authenticated user may consume untracked resources on a hypervisor host leading to a denial of service. This regression was introduced with the fix for OSSA-2017-005 (CVE-2017-16239), so only Nova stable/pike or later deployments with that fix applied and relying on the default FilterScheduler are affected.