yahoo-eng-team team mailing list archive

Thread
Date
[Bug 1664931] Re: [OSSA-2017-005] nova rebuild ignores all image properties and scheduler filters (CVE-2017-16239)

To: yahoo-eng-team@xxxxxxxxxxxxxxxxxxx
From: Corey Bryant <corey.bryant@xxxxxxxxxxxxx>
Date: Tue, 19 Dec 2017 18:56:46 -0000
Reply-to: Bug 1664931 <1664931@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx
** Also affects: nova (Ubuntu Artful)
   Importance: Undecided
       Status: New

** Also affects: nova (Ubuntu Zesty)
   Importance: Undecided
       Status: New

** Changed in: nova (Ubuntu Zesty)
       Status: New => Fix Released

** Changed in: nova (Ubuntu Zesty)
   Importance: Undecided => High

** Changed in: nova (Ubuntu Artful)
   Importance: Undecided => High

** Changed in: nova (Ubuntu Artful)
       Status: New => Fix Released

** Also affects: cloud-archive
   Importance: Undecided
       Status: New

** Also affects: cloud-archive/pike
   Importance: Undecided
       Status: New

** Also affects: cloud-archive/newton
   Importance: Undecided
       Status: New

** Also affects: cloud-archive/ocata
   Importance: Undecided
       Status: New

** Changed in: cloud-archive
   Importance: Undecided => High

** Changed in: cloud-archive
       Status: New => Fix Released

** Changed in: cloud-archive/newton
   Importance: Undecided => High

** Changed in: cloud-archive/newton
       Status: New => Fix Released

** Changed in: cloud-archive/ocata
   Importance: Undecided => High

** Changed in: cloud-archive/ocata
       Status: New => Fix Released

** Changed in: cloud-archive/pike
   Importance: Undecided => High

** Changed in: cloud-archive/pike
       Status: New => Fix Released

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Compute (nova).
https://bugs.launchpad.net/bugs/1664931

Title:
  [OSSA-2017-005] nova rebuild ignores all image properties and
  scheduler filters (CVE-2017-16239)

Status in Ubuntu Cloud Archive:
  Fix Released
Status in Ubuntu Cloud Archive newton series:
  Fix Released
Status in Ubuntu Cloud Archive ocata series:
  Fix Released
Status in Ubuntu Cloud Archive pike series:
  Fix Released
Status in OpenStack Compute (nova):
  Fix Released
Status in OpenStack Compute (nova) newton series:
  Fix Committed
Status in OpenStack Compute (nova) ocata series:
  Fix Committed
Status in OpenStack Compute (nova) pike series:
  Fix Committed
Status in OpenStack Security Advisory:
  Fix Released
Status in nova package in Ubuntu:
  Fix Released
Status in nova source package in Zesty:
  Fix Released
Status in nova source package in Artful:
  Fix Released

Bug description:
  Big picture: If some image has some restriction on aggregates or hosts
  it can be run on, tenant may use  nova rebuild command to circumvent
  those restrictions. Main issue is with ImagePropertiesFilter, but it
  may cause issues with combination of flavor/image (for example allows
  to run license restricted OS (Windows) on host which has no such
  license, or rebuild instance with cheap flavor with image which is
  restricted only for high-priced flavors).

  I don't know if this is a security bug or not, if you would find it
  non-security issue, please remove the security flag.

  Steps to reproduce:

  1. Set up nova with  ImagePropertiesFilter or IsolatedHostsFilter active. They should allows to run 'image1' only on 'host1', but never on 'host2'.
  2. Boot instance with some other (non-restricted) image on 'host2'.
  3. Use nova rebuild INSTANCE image1

  Expected result:

  nova rejects rebuild because given image ('image1') may not run on
  'host2'.

  Actual result:

  nova happily rebuild instance with image1 on host2, violating
  restrictions.

  Checked affected version: mitaka.

  I believe, due to the way 'rebuild' command is working, newton and
  master are affected too.

To manage notifications about this bug go to:
https://bugs.launchpad.net/cloud-archive/+bug/1664931/+subscriptions