Bug 1508539 (CVE-2017-16239)
Summary: | CVE-2017-16239 openstack-nova: Nova Filter Scheduler bypass through rebuild action | ||||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Product: | [Other] Security Response | Reporter: | Adam Mariš <amaris> | ||||||||||
Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> | ||||||||||
Status: | CLOSED ERRATA | QA Contact: | |||||||||||
Severity: | medium | Docs Contact: | |||||||||||
Priority: | medium | ||||||||||||
Version: | unspecified | CC: | apevec, berrange, chrisw, dasmith, eglynn, jjoyce, jpadman, jschluet, kbasil, kchamart, lhh, lpeer, lyarwood, markmc, mburns, nlevinki, rbryant, sbauza, sclewis, security-response-team, sferdjao, sgordon, slinaber, srevivo, tdecacqu, vromanso | ||||||||||
Target Milestone: | --- | Keywords: | Security | ||||||||||
Target Release: | --- | ||||||||||||
Hardware: | All | ||||||||||||
OS: | Linux | ||||||||||||
Whiteboard: | |||||||||||||
Fixed In Version: | Doc Type: | If docs needed, set a value | |||||||||||
Doc Text: |
By rebuilding an instance using a new image, an authenticated user may be able to circumvent the Filter Scheduler, bypassing imposed filters (for example, the ImagePropertiesFilter or the IsolatedHostsFilter).
|
Story Points: | --- | ||||||||||
Clone Of: | Environment: | ||||||||||||
Last Closed: | 2018-02-28 00:03:26 UTC | Type: | --- | ||||||||||
Regression: | --- | Mount Type: | --- | ||||||||||
Documentation: | --- | CRM: | |||||||||||
Verified Versions: | Category: | --- | |||||||||||
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||||||||
Cloudforms Team: | --- | Target Upstream Version: | |||||||||||
Embargoed: | |||||||||||||
Bug Depends On: | 1508686, 1508687, 1508688, 1508689, 1508690, 1508691, 1508692, 1513187 | ||||||||||||
Bug Blocks: | 1508541 | ||||||||||||
Attachments: |
|
Description
Adam Mariš
2017-11-01 15:57:39 UTC
Acknowledgments: Name: the OpenStack project Upstream: George Shuklin (Servers.com) Created attachment 1346603 [details]
Master queens patch
Created attachment 1346604 [details]
Stable newton patch
Created attachment 1346605 [details]
Stable pike patch
Created attachment 1346606 [details]
Stable ocata patch
Filed trackers for all versions. Created openstack-nova tracking bugs for this issue: Affects: openstack-rdo [bug 1513187] Closing OSP6-9 as wontfix, this is due to how intrusive the fix will be compared to its impact. Statement: The upstream fix requires RequestSpec, which was introduced in OSP10. Patching versions, prior to version 10, comes with a considerable risk of introducing new bugs. Based on the impact of this vulnerability it was determined that OSP6 to 9 would not be fixed. This issue has been addressed in the following products: Red Hat OpenStack Platform 12.0 (Pike) Via RHSA-2018:0241 https://access.redhat.com/errata/RHSA-2018:0241 This issue has been addressed in the following products: Red Hat OpenStack Platform 11.0 (Ocata) Via RHSA-2018:0314 https://access.redhat.com/errata/RHSA-2018:0314 This issue has been addressed in the following products: Red Hat OpenStack Platform 10.0 (Newton) Via RHSA-2018:0369 https://access.redhat.com/errata/RHSA-2018:0369 |