yahoo-eng-team team mailing list archive
-
yahoo-eng-team team
-
Mailing list archive
-
Message #21223
[Bug 1069904] Re: [OSSA 2013-001] No authentication on block device used for os-volume_boot
** No longer affects: nova/diablo
** No longer affects: nova/essex
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Compute (nova).
https://bugs.launchpad.net/bugs/1069904
Title:
[OSSA 2013-001] No authentication on block device used for os-
volume_boot
Status in OpenStack Compute (Nova):
Fix Released
Status in OpenStack Compute (nova) folsom series:
Fix Released
Status in OpenStack Security Advisories:
Fix Released
Status in “nova” package in Debian:
Fix Released
Bug description:
We found this problem in our Diablo code base - I think by inspection
its still valid in upstream as well but a bit harder to check as the
code has changed (BootFromVolumeController no longer exists, and os-
volume_boot now just inherits from the servers API).
Fillling anyway as its pretty serious, in the hope that someone can
verify or dismiss it.
Boot from volume allows a volume to be passed to the create method via
the block_device_mapping parameter. This parameter is not validated
as having to be a volume belonging to the user creating the instance,
so providing I know the valid ID of a volume belonging to another user
I can create VM and gain access to that volume (c.f volume attachment
which does make explicit checks for both the ownership and status of a
volume)
The volume ownership and status should be explicitly checked in the
compute.api layer
To manage notifications about this bug go to:
https://bugs.launchpad.net/nova/+bug/1069904/+subscriptions