Bug 1508539 (CVE-2017-16239) - CVE-2017-16239 openstack-nova: Nova Filter Scheduler bypass through rebuild action
Summary: CVE-2017-16239 openstack-nova: Nova Filter Scheduler bypass through rebuild a...
Status: CLOSED ERRATA
Alias: CVE-2017-16239
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard: impact=moderate,public=20171114:1500,...
Keywords: Security
Depends On: 1513187 1508686 1508687 1508688 1508689 1508690 1508691 1508692
Blocks: 1508541
TreeView+ depends on / blocked
 
Reported: 2017-11-01 15:57 UTC by Adam Mariš
Modified: 2018-02-28 00:03 UTC (History)
26 users (show)

(edit)
By rebuilding an instance using a new image, an authenticated user may be able to circumvent the Filter Scheduler, bypassing imposed filters (for example, the ImagePropertiesFilter or the IsolatedHostsFilter).
Clone Of:
(edit)
Last Closed: 2018-02-28 00:03:26 UTC


Attachments (Terms of Use)
Master queens patch (15.12 KB, patch)
2017-11-01 16:01 UTC, Adam Mariš
no flags Details | Diff
Stable newton patch (19.70 KB, patch)
2017-11-01 16:02 UTC, Adam Mariš
no flags Details | Diff
Stable pike patch (16.17 KB, patch)
2017-11-01 16:03 UTC, Adam Mariš
no flags Details | Diff
Stable ocata patch (19.58 KB, patch)
2017-11-01 16:03 UTC, Adam Mariš
no flags Details | Diff


External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2018:0241 normal SHIPPED_LIVE Moderate: openstack-nova security and bug fix update 2018-02-16 06:00:48 UTC
Red Hat Product Errata RHSA-2018:0314 normal SHIPPED_LIVE Moderate: openstack-nova security and bug fix update 2018-02-14 00:17:04 UTC
Red Hat Product Errata RHSA-2018:0369 normal SHIPPED_LIVE Moderate: openstack-nova and python-novaclient security, bug fix, and enhancement update 2018-02-27 21:24:56 UTC

Description Adam Mariš 2017-11-01 15:57:39 UTC
By rebuilding an instance, an authenticated user may be able to circumvent the Filter Scheduler bypassing imposed filters (for example, the ImagePropertiesFilter or the IsolatedHostsFilter). All setups using Nova Filter Scheduler are affected.

Affected versions: <=14.0.9, >=15.0.0 <=15.0.7, >=16.0.0 <=16.0.2

Bug report:

https://launchpad.net/bugs/1664931

Comment 1 Adam Mariš 2017-11-01 15:57:51 UTC
Acknowledgments:

Name: the OpenStack project
Upstream: George Shuklin (Servers.com)

Comment 2 Adam Mariš 2017-11-01 16:01 UTC
Created attachment 1346603 [details]
Master queens patch

Comment 3 Adam Mariš 2017-11-01 16:02 UTC
Created attachment 1346604 [details]
Stable newton patch

Comment 4 Adam Mariš 2017-11-01 16:03 UTC
Created attachment 1346605 [details]
Stable pike patch

Comment 5 Adam Mariš 2017-11-01 16:03 UTC
Created attachment 1346606 [details]
Stable ocata patch

Comment 6 Joshua Padman 2017-11-02 00:10:59 UTC
Filed trackers for all versions.

Comment 8 Joshua Padman 2017-11-14 22:34:19 UTC
Created openstack-nova tracking bugs for this issue:

Affects: openstack-rdo [bug 1513187]

Comment 9 Joshua Padman 2017-11-29 21:12:27 UTC
Closing OSP6-9 as wontfix, this is due to how intrusive the fix will be compared to its impact.

Comment 10 Joshua Padman 2017-11-29 21:45:04 UTC
Statement:

The upstream fix requires RequestSpec, which was introduced in OSP10. Patching versions, prior to version 10, comes with a considerable risk of introducing new bugs. Based on the impact of this vulnerability it was determined that OSP6 to 9 would not be fixed.

Comment 15 errata-xmlrpc 2018-01-30 19:58:32 UTC
This issue has been addressed in the following products:

  Red Hat OpenStack Platform 12.0 (Pike)

Via RHSA-2018:0241 https://access.redhat.com/errata/RHSA-2018:0241

Comment 16 errata-xmlrpc 2018-02-13 16:27:04 UTC
This issue has been addressed in the following products:

  Red Hat OpenStack Platform 11.0 (Ocata)

Via RHSA-2018:0314 https://access.redhat.com/errata/RHSA-2018:0314

Comment 17 errata-xmlrpc 2018-02-27 16:24:33 UTC
This issue has been addressed in the following products:

  Red Hat OpenStack Platform 10.0 (Newton)

Via RHSA-2018:0369 https://access.redhat.com/errata/RHSA-2018:0369


Note You need to log in before you can comment on or make changes to this bug.