[Bug 1664931] Re: [OSSA-2017-005] nova rebuild ignores all image properties and scheduler filters (CVE-2017-16239)

Tristan Cacqueray tdecacqu at redhat.com
Tue Nov 14 15:01:26 UTC 2017


** Summary changed:

- nova rebuild ignores all image properties and scheduler filters (CVE-2017-16239)
+ [OSSA-2017-005] nova rebuild ignores all image properties and scheduler filters (CVE-2017-16239)

** Description changed:

- This issue is being treated as a potential security risk under embargo.
- Please do not make any public mention of embargoed (private) security
- vulnerabilities before their coordinated publication by the OpenStack
- Vulnerability Management Team in the form of an official OpenStack
- Security Advisory. This includes discussion of the bug or associated
- fixes in public forums such as mailing lists, code review systems and
- bug trackers. Please also avoid private disclosure to other individuals
- not already approved for access to this information, and provide this
- same reminder to those who are made aware of the issue prior to
- publication. All discussion should remain confined to this private bug
- report, and any proposed fixes should be added to the bug as
- attachments.
- 
  Big picture: If some image has some restriction on aggregates or hosts
  it can be run on, tenant may use  nova rebuild command to circumvent
  those restrictions. Main issue is with ImagePropertiesFilter, but it may
  cause issues with combination of flavor/image (for example allows to run
  license restricted OS (Windows) on host which has no such license, or
  rebuild instance with cheap flavor with image which is restricted only
  for high-priced flavors).
  
  I don't know if this is a security bug or not, if you would find it non-
  security issue, please remove the security flag.
  
  Steps to reproduce:
  
  1. Set up nova with  ImagePropertiesFilter or IsolatedHostsFilter active. They should allows to run 'image1' only on 'host1', but never on 'host2'.
  2. Boot instance with some other (non-restricted) image on 'host2'.
  3. Use nova rebuild INSTANCE image1
  
  Expected result:
  
  nova rejects rebuild because given image ('image1') may not run on
  'host2'.
  
  Actual result:
  
  nova happily rebuild instance with image1 on host2, violating
  restrictions.
  
  Checked affected version: mitaka.
  
  I believe, due to the way 'rebuild' command is working, newton and
  master are affected too.

** Information type changed from Private Security to Public Security

-- 
You received this bug notification because you are a member of Ubuntu
OpenStack, which is subscribed to nova in Ubuntu.
https://bugs.launchpad.net/bugs/1664931

Title:
  [OSSA-2017-005] nova rebuild ignores all image properties and
  scheduler filters (CVE-2017-16239)

Status in OpenStack Compute (nova):
  In Progress
Status in OpenStack Compute (nova) newton series:
  In Progress
Status in OpenStack Compute (nova) ocata series:
  In Progress
Status in OpenStack Compute (nova) pike series:
  In Progress
Status in OpenStack Security Advisory:
  Fix Committed
Status in nova package in Ubuntu:
  New

Bug description:
  Big picture: If some image has some restriction on aggregates or hosts
  it can be run on, a tenant may use the nova rebuild command to
  circumvent those restrictions. The main issue is with
  ImagePropertiesFilter, but it may cause issues with combinations of
  flavor/image (for example, it allows running a license-restricted OS
  (Windows) on a host which has no such license, or rebuilding an
  instance with a cheap flavor with an image which is restricted only
  for high-priced flavors).

  I don't know if this is a security bug or not; if you find it to be a
  non-security issue, please remove the security flag.

  Steps to reproduce:

  1. Set up nova with ImagePropertiesFilter or IsolatedHostsFilter active. They should allow 'image1' to run only on 'host1', but never on 'host2'.
  2. Boot an instance with some other (non-restricted) image on 'host2'.
  3. Use nova rebuild INSTANCE image1

  Expected result:

  nova rejects the rebuild because the given image ('image1') may not
  run on 'host2'.

  Actual result:

  nova happily rebuilds the instance with image1 on host2, violating
  restrictions.

  Checked affected version: mitaka.

  I believe, due to the way the 'rebuild' command works, newton and
  master are affected too.

To manage notifications about this bug go to:
https://bugs.launchpad.net/nova/+bug/1664931/+subscriptions
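
The reported behaviour and the expected one, side by side, as an added example that is not part of the bug report and is not nova code. It is a simplified model: the policy table, class and function names are all assumptions, and only the "image1 may run on host1 only" restriction from the reproduction steps is modelled. The audit function shows how an operator could look for instances already sitting on a host their image is not permitted on.

```python
# Simplified model of the rebuild check; constructed names, not nova's API.
from dataclasses import dataclass

# Constructed policy matching the reproduction steps: 'image1' may run only
# on 'host1'. Images not listed here are unrestricted.
ALLOWED_HOSTS = {"image1": {"host1"}}


@dataclass
class Instance:
    name: str
    host: str
    image: str


class PlacementError(Exception):
    """Raised when an image is not permitted on the instance's host."""


def image_allowed_on_host(image, host, policy=ALLOWED_HOSTS):
    allowed = policy.get(image)
    return allowed is None or host in allowed


def rebuild_unchecked(inst, new_image):
    # Behaviour described under "Actual result": the image is swapped in
    # place on the current host and no placement restriction is consulted.
    inst.image = new_image
    return inst


def rebuild_checked(inst, new_image, policy=ALLOWED_HOSTS):
    # Behaviour described under "Expected result": a rebuild that changes
    # the image is validated against the host the instance already runs on.
    if new_image != inst.image and not image_allowed_on_host(
            new_image, inst.host, policy):
        raise PlacementError(f"{new_image} may not run on {inst.host}")
    inst.image = new_image
    return inst


def audit(instances, policy=ALLOWED_HOSTS):
    # Names of instances whose current image violates the policy on their
    # current host, for example after an unchecked rebuild.
    return [i.name for i in instances
            if not image_allowed_on_host(i.image, i.host, policy)]
```
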


