Bug 1508539 (CVE-2017-16239)

Summary: CVE-2017-16239 openstack-nova: Nova Filter Scheduler bypass through rebuild action
Product: [Other] Security Response
Reporter: Adam Mariš <amaris>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Version: unspecified
CC: apevec, berrange, chrisw, dasmith, eglynn, jjoyce, jpadman, jschluet, kbasil, kchamart, lhh, lpeer, lyarwood, markmc, mburns, nlevinki, rbryant, sbauza, sclewis, security-response-team, sferdjao, sgordon, slinaber, srevivo, tdecacqu, vromanso
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All   
OS: Linux   
Doc Type: If docs needed, set a value
Doc Text:
By rebuilding an instance using a new image, an authenticated user may be able to circumvent the Filter Scheduler, bypassing imposed filters (for example, the ImagePropertiesFilter or the IsolatedHostsFilter).
Last Closed: 2018-02-28 00:03:26 UTC
Bug Depends On: 1508686, 1508687, 1508688, 1508689, 1508690, 1508691, 1508692, 1513187    
Bug Blocks: 1508541    
Attachments (description, flags):
Master queens patch (flags: none)
Stable newton patch (flags: none)
Stable pike patch (flags: none)
Stable ocata patch (flags: none)

Description Adam Mariš 2017-11-01 15:57:39 UTC
By rebuilding an instance, an authenticated user may be able to circumvent the Filter Scheduler, bypassing imposed filters (for example, the ImagePropertiesFilter or the IsolatedHostsFilter). All setups using Nova Filter Scheduler are affected.

Affected versions: <=14.0.9, >=15.0.0 <=15.0.7, >=16.0.0 <=16.0.2

Bug report:

https://launchpad.net/bugs/1664931

Comment 1 Adam Mariš 2017-11-01 15:57:51 UTC
Acknowledgments:

Name: the OpenStack project
Upstream: George Shuklin (Servers.com)

Comment 2 Adam Mariš 2017-11-01 16:01:51 UTC
Created attachment 1346603
Master queens patch

Comment 3 Adam Mariš 2017-11-01 16:02:37 UTC
Created attachment 1346604
Stable newton patch

Comment 4 Adam Mariš 2017-11-01 16:03:09 UTC
Created attachment 1346605
Stable pike patch

Comment 5 Adam Mariš 2017-11-01 16:03:44 UTC
Created attachment 1346606
Stable ocata patch

Comment 6 Joshua Padman 2017-11-02 00:10:59 UTC
Filed trackers for all versions.

Comment 8 Joshua Padman 2017-11-14 22:34:19 UTC
Created openstack-nova tracking bugs for this issue:

Affects: openstack-rdo [bug 1513187]

Comment 9 Joshua Padman 2017-11-29 21:12:27 UTC
Closing OSP6-9 as wontfix; this is due to how intrusive the fix will be compared to its impact.

Comment 10 Joshua Padman 2017-11-29 21:45:04 UTC
Statement:

The upstream fix requires RequestSpec, which was introduced in OSP10. Patching versions prior to version 10 comes with a considerable risk of introducing new bugs. Based on the impact of this vulnerability, it was determined that OSP6 to 9 would not be fixed.

Comment 15 errata-xmlrpc 2018-01-30 19:58:32 UTC
This issue has been addressed in the following products:

  Red Hat OpenStack Platform 12.0 (Pike)

Via RHSA-2018:0241 https://access.redhat.com/errata/RHSA-2018:0241

Comment 16 errata-xmlrpc 2018-02-13 16:27:04 UTC
This issue has been addressed in the following products:

  Red Hat OpenStack Platform 11.0 (Ocata)

Via RHSA-2018:0314 https://access.redhat.com/errata/RHSA-2018:0314

Comment 17 errata-xmlrpc 2018-02-27 16:24:33 UTC
This issue has been addressed in the following products:

  Red Hat OpenStack Platform 10.0 (Newton)

Via RHSA-2018:0369 https://access.redhat.com/errata/RHSA-2018:0369