[Bug 1664931] Re: [OSSA-2017-005] nova rebuild ignores all image properties and scheduler filters (CVE-2017-16239)

OpenStack Infra 1664931 at bugs.launchpad.net
Thu Nov 16 17:53:38 UTC 2017 

Reviewed:  https://review.openstack.org/519755
Committed: https://git.openstack.org/cgit/openstack/nova/commit/?id=698b261a5a2a6c0f31ef5059046ef7196d5cba30
Submitter: Zuul
Branch:    stable/newton

commit 698b261a5a2a6c0f31ef5059046ef7196d5cba30
Author: Matt Riedemann <mriedem.os at gmail.com>
Date:   Tue Nov 14 15:01:52 2017 -0500

    Add security release note for OSSA-2017-005
    
    Change-Id: I053f1bbc56481bddce8792aa4b5460a55cc0db2d
    Related-Bug: #1664931
    (cherry picked from commit 31d28eef95ab82bdfce2221cd5633bcf4bc13653)
    (cherry picked from commit 3f63d057a64b688b66ff1903c1afc4d97ba6df6d)
    (cherry picked from commit ffd4f72d16dacd6ca1e703f9bab37b8917d253e7)


** Tags added: in-stable-newton

-- 
You received this bug notification because you are a member of Ubuntu
OpenStack, which is subscribed to nova in Ubuntu.
https://bugs.launchpad.net/bugs/1664931

Title:
  [OSSA-2017-005] nova rebuild ignores all image properties and
  scheduler filters (CVE-2017-16239)

Status in OpenStack Compute (nova):
  Fix Released
Status in OpenStack Compute (nova) newton series:
  Fix Committed
Status in OpenStack Compute (nova) ocata series:
  Fix Committed
Status in OpenStack Compute (nova) pike series:
  Fix Committed
Status in OpenStack Security Advisory:
  Fix Released
Status in nova package in Ubuntu:
  New

Bug description:
  Big picture: If some image has some restriction on aggregates or hosts
  it can be run on, tenant may use  nova rebuild command to circumvent
  those restrictions. Main issue is with ImagePropertiesFilter, but it
  may cause issues with combination of flavor/image (for example allows
  to run license restricted OS (Windows) on host which has no such
  license, or rebuild instance with cheap flavor with image which is
  restricted only for high-priced flavors).

  I don't know if this is a security bug or not, if you would find it
  non-security issue, please remove the security flag.

  Steps to reproduce:

  1. Set up nova with  ImagePropertiesFilter or IsolatedHostsFilter active. They should allows to run 'image1' only on 'host1', but never on 'host2'.
  2. Boot instance with some other (non-restricted) image on 'host2'.
  3. Use nova rebuild INSTANCE image1

  Expected result:

  nova rejects rebuild because given image ('image1') may not run on
  'host2'.

  Actual result:

  nova happily rebuild instance with image1 on host2, violating
  restrictions.

  Checked affected version: mitaka.

  I believe, due to the way 'rebuild' command is working, newton and
  master are affected too.

To manage notifications about this bug go to:
https://bugs.launchpad.net/nova/+bug/1664931/+subscriptions

More information about the Ubuntu-openstack-bugs mailing list