Bug 1869426 (CVE-2020-17376) - CVE-2020-17376 openstack-nova: Soft reboot after live-migration reverts instance to original source domain XML
Summary: CVE-2020-17376 openstack-nova: Soft reboot after live-migration reverts insta...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2020-17376
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1823988 1862353 1870819 1870820 1870821 1870822 1870823 1889289
Blocks: 1866598
TreeView+ depends on / blocked
 
Reported: 2020-08-17 23:41 UTC by Nick Tait
Modified: 2021-02-16 19:29 UTC (History)
20 users (show)

Fixed In Version: openstack-nova 20.3.1, openstack-nova 20.1.2, openstack-nova 19.3.1, openstack-nova 17.0.13, openstack-nova 14.1.0
Clone Of:
Environment:
Last Closed: 2020-09-10 07:17:44 UTC
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2020:3702 0 None None None 2020-09-10 04:50:06 UTC
Red Hat Product Errata RHSA-2020:3704 0 None None None 2020-09-10 05:09:18 UTC
Red Hat Product Errata RHSA-2020:3706 0 None None None 2020-09-10 06:47:14 UTC
Red Hat Product Errata RHSA-2020:3708 0 None None None 2020-09-10 07:29:05 UTC
Red Hat Product Errata RHSA-2020:3711 0 None None None 2020-09-10 08:10:12 UTC

Description Nick Tait 2020-08-17 23:41:14 UTC 
Running a soft reboot on an instance after it has been through a live migration rolls back the libvirt domain to a state before the migration. This can potentially give an attacker read/write access to resources they should not have.
Comment 1 Nick Tait 2020-08-17 23:41:17 UTC 
External References:

https://bugs.launchpad.net/nova/+bug/1890501
Comment 5 Nick Tait 2020-08-20 19:49:56 UTC 
Acknowledgments:

Name: Tadayoshi Hosoya (NEC), Lee Yarwood (Red Hat)
Comment 9 Nick Tait 2020-08-31 16:29:30 UTC 
Mitigation:

Public clouds using non-default configurations (allowing untrusted users to initiate live migrations) face significant additional risk. If it is not possible to immediately apply patches, a temporary policy change is recommended: disable soft reboots by setting wait_soft_reboot_seconds to zero. This effectively forces any soft reboots to instead be overridden as a hard reboot. Find more information in Nova's documentation https://docs.openstack.org/nova/ussuri/configuration/config.html

Deployments which use unique device paths for each cinder volume face an extremely low risk of being affected by this flaw.
Comment 25 errata-xmlrpc 2020-09-10 04:50:03 UTC 
This issue has been addressed in the following products:

  Red Hat OpenStack Platform 16.1

Via RHSA-2020:3702 https://access.redhat.com/errata/RHSA-2020:3702
Comment 26 errata-xmlrpc 2020-09-10 05:09:15 UTC 
This issue has been addressed in the following products:

  Red Hat OpenStack Platform 16.0 (Train)

Via RHSA-2020:3704 https://access.redhat.com/errata/RHSA-2020:3704
Comment 27 errata-xmlrpc 2020-09-10 06:47:10 UTC 
This issue has been addressed in the following products:

  Red Hat OpenStack Platform 15.0 (Stein)

Via RHSA-2020:3706 https://access.redhat.com/errata/RHSA-2020:3706
Comment 28 Product Security DevOps Team 2020-09-10 07:17:44 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-17376
Comment 29 errata-xmlrpc 2020-09-10 07:29:02 UTC 
This issue has been addressed in the following products:

  Red Hat OpenStack Platform 13.0 (Queens)
  Red Hat OpenStack Platform 13.0 (Queens) for RHEL 7.6 EUS

Via RHSA-2020:3708 https://access.redhat.com/errata/RHSA-2020:3708
Comment 30 errata-xmlrpc 2020-09-10 08:10:08 UTC 
This issue has been addressed in the following products:

  Red Hat OpenStack Platform 10.0 (Newton)

Via RHSA-2020:3711 https://access.redhat.com/errata/RHSA-2020:3711
Comment 32 Nick Tait 2020-10-23 15:45:44 UTC 
Statement:

Red Hat OpenStack Platform 10 was initially marked as affected, however it has since been discovered that the flaw is actually not present in this version. For this reason, the update in RHSA-2020:3711 can be either applied or ignored for RHOSP 10.
Note You need to log in before you can comment on or make changes to this bug.