yahoo-eng-team team mailing list archive

[Thierry Carrez <thierry.carrez+lp@xxxxxxxxx>]

** Changed in: nova
       Status: Fix Committed => Fix Released

** Changed in: nova
    Milestone: None => juno-3

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Compute (nova).
https://bugs.launchpad.net/bugs/1276862

Title:
  Nova libvirt driver live migration should sanitize target host

Status in OpenStack Compute (Nova):
  Fix Released
Status in OpenStack Security Advisories:
  Invalid

Bug description:
  In nova, an administrator can specify the target host for a libvirt
  live migrate action.

  This host is formatted into a base string (default="qemu+tcp://%s/system")
  https://github.com/openstack/nova/blob/744fa6b7b88b131e0b9f5a1eca88b14a7351b540/nova/virt/libvirt/driver.py#L158
  and then passed directly to libvirt as a target URI:
  https://github.com/openstack/nova/blob/744fa6b7b88b131e0b9f5a1eca88b14a7351b540/nova/virt/libvirt/driver.py#L4270
  dom.migrateToURI(CONF.libvirt.live_migration_uri % dest,

  The host does not appear to be validated, stripped, or otherwise checked to make sure that the value is reasonable. This allows an admin to attempt to migrate an instance out of a cloud (which may or may not be a security issue). Much more importantly, libvirt's URI format accepts many parameters in this URI, some of which allow execution of arbitrary commands at the same privilege level as libvirt.
  http://libvirt.org/remote.html#Remote_URI_reference

  Due to later checks it does not appear to be exploitable, but it
  should nevertheless be fixed to avoid future issues.

To manage notifications about this bug go to:
https://bugs.launchpad.net/nova/+bug/1276862/+subscriptions