yahoo-eng-team team mailing list archive

Thread
Date

[Bug 1069904] Re: [OSSA 2013-001] No authentication on block device used for os-volume_boot

To: yahoo-eng-team@xxxxxxxxxxxxxxxxxxx
From: Sean Dague <sean@xxxxxxxxx>
Date: Mon, 15 Sep 2014 15:37:27 -0000
Reply-to: Bug 1069904 <1069904@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx

** No longer affects: nova/diablo

** No longer affects: nova/essex

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Compute (nova).
https://bugs.launchpad.net/bugs/1069904

Title:
  [OSSA 2013-001] No authentication on block device used for os-
  volume_boot

Status in OpenStack Compute (Nova):
  Fix Released
Status in OpenStack Compute (nova) folsom series:
  Fix Released
Status in OpenStack Security Advisories:
  Fix Released
Status in “nova” package in Debian:
  Fix Released

Bug description:
  We found this problem in our Diablo code base - I think by inspection
  its still valid in upstream as well but a bit harder to check as the
  code has changed (BootFromVolumeController no longer exists, and os-
  volume_boot now just inherits from the servers API).

  Fillling anyway as its pretty serious, in the hope that someone can
  verify or dismiss it.

  Boot from volume allows a volume to be passed to the create method via
  the block_device_mapping parameter.   This parameter is not validated
  as having to be a volume belonging to the user creating the instance,
  so providing I know the valid ID of a volume belonging to another user
  I can create VM and gain access to that volume (c.f volume attachment
  which does make explicit checks for both the ownership and status of a
  volume)

  The volume ownership and status should be explicitly checked in the
  compute.api layer

To manage notifications about this bug go to:
https://bugs.launchpad.net/nova/+bug/1069904/+subscriptions