Bug 1508539 - (CVE-2017-16239) CVE-2017-16239 openstack-nova: Nova Filter Scheduler bypass through rebuild action
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Target Release: ---
Assigned To: Red Hat Product Security
Whiteboard: impact=moderate,public=20171114:1500,...
Keywords: Security
Depends On: 1513187 1508686 1508687 1508688 1508689 1508690 1508691 1508692
Blocks: 1508541
Reported: 2017-11-01 11:57 EDT by Adam Mariš
Modified: 2018-02-27 19:03 EST (History)
CC List: 26 users

See Also:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
By rebuilding an instance using a new image, an authenticated user may be able to circumvent the Filter Scheduler, bypassing imposed filters (for example, the ImagePropertiesFilter or the IsolatedHostsFilter).
Last Closed: 2018-02-27 19:03:26 EST


Attachments
Master queens patch (15.12 KB, patch) - 2017-11-01 12:01 EDT, Adam Mariš
Stable newton patch (19.70 KB, patch) - 2017-11-01 12:02 EDT, Adam Mariš
Stable pike patch (16.17 KB, patch) - 2017-11-01 12:03 EDT, Adam Mariš
Stable ocata patch (19.58 KB, patch) - 2017-11-01 12:03 EDT, Adam Mariš


External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2018:0241 normal SHIPPED_LIVE Moderate: openstack-nova security and bug fix update 2018-02-16 01:00:48 EST
Red Hat Product Errata RHSA-2018:0314 normal SHIPPED_LIVE Moderate: openstack-nova security and bug fix update 2018-02-13 19:17:04 EST
Red Hat Product Errata RHSA-2018:0369 normal SHIPPED_LIVE Moderate: openstack-nova and python-novaclient security, bug fix, and enhancement update 2018-02-27 16:24:56 EST

Description Adam Mariš 2017-11-01 11:57:39 EDT
By rebuilding an instance, an authenticated user may be able to circumvent the Filter Scheduler, bypassing imposed filters (for example, the ImagePropertiesFilter or the IsolatedHostsFilter). All setups using Nova Filter Scheduler are affected.

Affected versions: <=14.0.9, >=15.0.0 <=15.0.7, >=16.0.0 <=16.0.2

Bug report:

https://launchpad.net/bugs/1664931
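The following is an added example, not Nova's own code and not part of this bug report: a deliberately simplified Python model of the two filters named in the description and of the rebuild path before and after a fix. The filter logic, host and image names and the isolated-hosts configuration values are constructed for illustration; the "fixed" path re-runs the scheduler filters against the instance's current host whenever a rebuild changes the image, which is the shape of the upstream fix (it needs the RequestSpec to do so, per Comment 10 below) but is written here from scratch, not copied from Nova.

```python
"""Model of CVE-2017-16239: rebuild-with-new-image skipping the filter
scheduler. Constructed, simplified re-implementation, not Nova's code."""
from dataclasses import dataclass, field


class NoValidHost(Exception):
    """Stands in for nova.exception.NoValidHost: no host passed every filter."""


@dataclass(frozen=True)
class Host:
    name: str
    architectures: frozenset  # what the (simplified) ImagePropertiesFilter checks


@dataclass(frozen=True)
class Image:
    id: str
    properties: dict = field(default_factory=dict)


@dataclass
class Instance:
    host: str
    image_id: str


# Hypothetical operator configuration (assumed values; Nova reads the real
# ones from [filter_scheduler] in nova.conf).
ISOLATED_HOSTS = {"secure-node-1"}
ISOLATED_IMAGES = {"img-vetted"}
RESTRICT_ISOLATED_HOSTS_TO_ISOLATED_IMAGES = True


def isolated_hosts_filter(host, image):
    """Simplified IsolatedHostsFilter: with restrict=True an isolated host may
    only run isolated images, and isolated images may only run there."""
    image_isolated = image.id in ISOLATED_IMAGES
    host_isolated = host.name in ISOLATED_HOSTS
    if RESTRICT_ISOLATED_HOSTS_TO_ISOLATED_IMAGES:
        return image_isolated == host_isolated
    return (not image_isolated) or host_isolated


def image_properties_filter(host, image):
    """Simplified ImagePropertiesFilter: honour the image's 'architecture'
    property, if set, against what the host reports it can run."""
    arch = image.properties.get("architecture")
    return arch is None or arch in host.architectures


FILTERS = (isolated_hosts_filter, image_properties_filter)


def filter_hosts(candidates, image):
    """One filter-scheduler pass: keep only hosts that pass every filter."""
    return [h for h in candidates if all(f(h, image) for f in FILTERS)]


def boot(hosts, image):
    """Initial boot goes through the scheduler, so filters are enforced."""
    passing = filter_hosts(hosts, image)
    if not passing:
        raise NoValidHost(image.id)
    return Instance(host=passing[0].name, image_id=image.id)


def rebuild_vulnerable(instance, new_image):
    """Pre-fix behaviour: the image reference is swapped on the existing host
    without consulting the scheduler, so no filter is ever re-evaluated."""
    instance.image_id = new_image.id
    return instance


def rebuild_fixed(instance, new_image, hosts):
    """Post-fix behaviour: when the image changes, re-run the filters with the
    instance's current host as the only candidate and refuse the rebuild if
    that host no longer passes. An unchanged image needs no re-check."""
    if new_image.id != instance.image_id:
        current = [h for h in hosts if h.name == instance.host]
        if not filter_hosts(current, new_image):
            raise NoValidHost(f"{instance.host} rejected for {new_image.id}")
    instance.image_id = new_image.id
    return instance


def demo():
    """Boot a public image onto a shared host, then try to rebuild it with an
    isolated image and with an image whose architecture the host lacks."""
    hosts = [Host("secure-node-1", frozenset({"x86_64"})),
             Host("shared-node-1", frozenset({"x86_64"})),
             Host("arm-node-1", frozenset({"aarch64"}))]
    public = Image("img-public")
    vetted = Image("img-vetted")
    arm_only = Image("img-arm", {"architecture": "aarch64"})

    inst = boot(hosts, public)
    swapped = rebuild_vulnerable(Instance(inst.host, inst.image_id), vetted)
    results = {"boot_host": inst.host,
               "vulnerable_bypass": swapped.host not in ISOLATED_HOSTS
                                    and swapped.image_id in ISOLATED_IMAGES}
    for label, image in (("isolated_image", vetted), ("arch_mismatch", arm_only)):
        try:
            rebuild_fixed(Instance(inst.host, inst.image_id), image, hosts)
            results["fixed_blocks_" + label] = False
        except NoValidHost:
            results["fixed_blocks_" + label] = True
    same = rebuild_fixed(Instance(inst.host, inst.image_id), public, hosts)
    results["same_image_rebuild_host"] = same.host
    return results


if __name__ == "__main__":
    print(demo())
```

The point of the model is the asymmetry between the two rebuild paths: the initial boot is filtered, so an isolated image can never land on a shared host that way, but the vulnerable rebuild leaves the instance where it is and just changes what it runs. On a real deployment the equivalent check is to boot an instance with an ordinary image and then rebuild it with an image whose properties the filters would reject for that host; an unpatched Nova accepts the rebuild, a patched one fails it with NoValidHost.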
Comment 1 Adam Mariš 2017-11-01 11:57:51 EDT
Acknowledgments:

Name: the OpenStack project
Upstream: George Shuklin (Servers.com)
Comment 2 Adam Mariš 2017-11-01 12:01 EDT
Created attachment 1346603 [details]
Master queens patch
Comment 3 Adam Mariš 2017-11-01 12:02 EDT
Created attachment 1346604 [details]
Stable newton patch
Comment 4 Adam Mariš 2017-11-01 12:03 EDT
Created attachment 1346605 [details]
Stable pike patch
Comment 5 Adam Mariš 2017-11-01 12:03 EDT
Created attachment 1346606 [details]
Stable ocata patch
Comment 6 Joshua Padman 2017-11-01 20:10:59 EDT
Filed trackers for all versions.
Comment 8 Joshua Padman 2017-11-14 17:34:19 EST
Created openstack-nova tracking bugs for this issue:

Affects: openstack-rdo [bug 1513187]
Comment 9 Joshua Padman 2017-11-29 16:12:27 EST
Closing OSP6-9 as wontfix; this is due to how intrusive the fix will be compared to its impact.
Comment 10 Joshua Padman 2017-11-29 16:45:04 EST
Statement:

The upstream fix requires RequestSpec, which was introduced in OSP10. Patching versions prior to version 10 comes with a considerable risk of introducing new bugs. Based on the impact of this vulnerability it was determined that OSP6 to 9 would not be fixed.
Comment 15 errata-xmlrpc 2018-01-30 14:58:32 EST
This issue has been addressed in the following products:

  Red Hat OpenStack Platform 12.0 (Pike)

Via RHSA-2018:0241 https://access.redhat.com/errata/RHSA-2018:0241
Comment 16 errata-xmlrpc 2018-02-13 11:27:04 EST
This issue has been addressed in the following products:

  Red Hat OpenStack Platform 11.0 (Ocata)

Via RHSA-2018:0314 https://access.redhat.com/errata/RHSA-2018:0314
Comment 17 errata-xmlrpc 2018-02-27 11:24:33 EST
This issue has been addressed in the following products:

  Red Hat OpenStack Platform 10.0 (Newton)

Via RHSA-2018:0369 https://access.redhat.com/errata/RHSA-2018:0369
