[Bug 1664931] Re: [OSSA-2017-005] nova rebuild ignores all image properties and scheduler filters (CVE-2017-16239)
mriedem.os at gmail.com
Tue Feb 20 17:33:32 UTC 2018
For anyone keeping track, bug 1750618 was yet another regression
introduced by the first change for this bug.
[OSSA-2017-005] nova rebuild ignores all image properties and
scheduler filters (CVE-2017-16239)
Status in Ubuntu Cloud Archive:
Status in Ubuntu Cloud Archive newton series:
Status in Ubuntu Cloud Archive ocata series:
Status in Ubuntu Cloud Archive pike series:
Status in OpenStack Compute (nova):
Status in OpenStack Compute (nova) newton series:
Status in OpenStack Compute (nova) ocata series:
Status in OpenStack Compute (nova) pike series:
Status in OpenStack Security Advisory:
Status in nova package in Ubuntu:
Status in nova source package in Zesty:
Status in nova source package in Artful:
Big picture: If some image has some restriction on the aggregates or
hosts it can be run on, a tenant may use the nova rebuild command to
circumvent those restrictions. The main issue is with
ImagePropertiesFilter, but it may cause issues with a combination of
flavor/image (for example, it allows running a license-restricted OS
(Windows) on a host which has no such license, or rebuilding an instance
with a cheap flavor using an image which is restricted to high-priced
flavors only).
I don't know if this is a security bug or not; if you find it to be a
non-security issue, please remove the security flag.
Steps to reproduce:
1. Set up nova with ImagePropertiesFilter or IsolatedHostsFilter active. They should allow 'image1' to run only on 'host1', but never on 'host2'.
2. Boot instance with some other (non-restricted) image on 'host2'.
3. Use nova rebuild INSTANCE image1
nova rejects rebuild because given image ('image1') may not run on
nova happily rebuilds the instance with image1 on host2, violating
Checked affected version: mitaka.
I believe, due to the way the 'rebuild' command works, newton and
master are affected too.
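
The following is an added illustration, not part of the original report and not nova's code: a simplified model of the reproduction steps above, contrasting a rebuild that swaps the image in place with one that re-validates a changed image against the instance's current host. The two filter functions are reduced stand-ins named after ImagePropertiesFilter and IsolatedHostsFilter; all classes, function names and sample values are assumptions.

```python
from dataclasses import dataclass, field

# Constructed sample data using the report's names (image1, host1, host2).
ISOLATED_IMAGES = {"image1"}
ISOLATED_HOSTS = {"host1"}

@dataclass
class Host:
    name: str
    hypervisor_type: str

@dataclass
class Image:
    name: str
    properties: dict = field(default_factory=dict)

@dataclass
class Instance:
    host: Host
    image: Image

class RebuildRejected(Exception):
    pass

def image_properties_filter(host, image):
    # Simplified stand-in: only a hypervisor_type requirement is modelled.
    want = image.properties.get("hypervisor_type")
    return want is None or want == host.hypervisor_type

def isolated_hosts_filter(host, image):
    # Simplified stand-in: isolated images and isolated hosts only pair up.
    return (image.name in ISOLATED_IMAGES) == (host.name in ISOLATED_HOSTS)

FILTERS = (image_properties_filter, isolated_hosts_filter)

def rebuild_unchecked(instance, new_image):
    # Behaviour described in the report: image swapped, no filter consulted.
    instance.image = new_image
    return instance

def rebuild_checked(instance, new_image):
    # Expected behaviour: a changed image is validated against the current host.
    if new_image.name != instance.image.name:
        failed = [f.__name__ for f in FILTERS if not f(instance.host, new_image)]
        if failed:
            raise RebuildRejected(f"{new_image.name} on {instance.host.name}: {failed}")
    instance.image = new_image
    return instance
```
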