By rebuilding an instance, an authenticated user may be able to circumvent the Filter Scheduler, bypassing imposed filters (for example, the ImagePropertiesFilter or the IsolatedHostsFilter). All setups using Nova Filter Scheduler are affected.

Affected versions: <=14.0.9, >=15.0.0 <=15.0.7, >=16.0.0 <=16.0.2

Bug report: https://launchpad.net/bugs/1664931
Acknowledgments:
Name: the OpenStack project
Upstream: George Shuklin (Servers.com)
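An added example, not part of the original report and not Nova's code: a simplified audit that re-evaluates each instance's current image against its current host, to flag placements that a rebuild may have left outside filter policy. The filter logic is a reduced model of ImagePropertiesFilter and IsolatedHostsFilter, and every host, image, instance and setting below is constructed.

```python
# Simplified model of two Nova scheduler filters, used to audit where
# instances already sit. All hosts, images and instances are constructed.
from dataclasses import dataclass

@dataclass(frozen=True)
class Host:
    name: str
    supported: frozenset   # (architecture, hypervisor_type) pairs the host offers

@dataclass(frozen=True)
class Image:
    name: str
    architecture: str = None     # None means "no requirement"
    hypervisor_type: str = None

ISOLATED_HOSTS = {"iso-node-1"}          # hypothetical isolated_hosts setting
ISOLATED_IMAGES = {"restricted-image"}   # hypothetical isolated_images setting

def image_properties_ok(host, image):
    """Host must offer an (arch, hypervisor) pair matching the image's properties."""
    return any(
        image.architecture in (None, arch) and image.hypervisor_type in (None, hv)
        for arch, hv in host.supported
    )

def isolated_hosts_ok(host, image):
    """Model: isolated images run only on isolated hosts, and vice versa."""
    return (image.name in ISOLATED_IMAGES) == (host.name in ISOLATED_HOSTS)

FILTERS = {"ImagePropertiesFilter": image_properties_ok,
           "IsolatedHostsFilter": isolated_hosts_ok}

def audit(instances):
    """Return {instance_id: [failed filter names]} for placements that fail a filter."""
    findings = {}
    for inst_id, (host, image) in instances.items():
        failed = [name for name, check in FILTERS.items() if not check(host, image)]
        if failed:
            findings[inst_id] = failed
    return findings

kvm = Host("compute-1", frozenset({("x86_64", "kvm")}))
iso = Host("iso-node-1", frozenset({("x86_64", "kvm")}))
INSTANCES = {   # instance id -> (current host, current image); constructed inventory
    "vm-a": (kvm, Image("cirros", "x86_64", "kvm")),
    "vm-b": (kvm, Image("restricted-image", "x86_64", "kvm")),
    "vm-c": (iso, Image("restricted-image")),
    "vm-d": (kvm, Image("arm-image", "aarch64", "kvm")),
}

if __name__ == "__main__":
    for inst_id, failed in audit(INSTANCES).items():
        print(inst_id, "violates", ", ".join(failed))
```

In a real deployment the inventory would come from the compute API and the filter settings from the scheduler configuration; a finding means the placement no longer matches policy, not that a rebuild was necessarily the cause.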
Created attachment 1346603 Master queens patch
Created attachment 1346604 Stable newton patch
Created attachment 1346605 Stable pike patch
Created attachment 1346606 Stable ocata patch
Filed trackers for all versions.
Created openstack-nova tracking bugs for this issue: Affects: openstack-rdo [bug 1513187]
Closing OSP6-9 as wontfix, this is due to how intrusive the fix will be compared to its impact.
Statement: The upstream fix requires RequestSpec, which was introduced in OSP10. Patching versions prior to version 10 comes with a considerable risk of introducing new bugs. Based on the impact of this vulnerability, it was determined that OSP6 to 9 would not be fixed.
This issue has been addressed in the following products:
  Red Hat OpenStack Platform 12.0 (Pike)
Via RHSA-2018:0241 https://access.redhat.com/errata/RHSA-2018:0241

This issue has been addressed in the following products:
  Red Hat OpenStack Platform 11.0 (Ocata)
Via RHSA-2018:0314 https://access.redhat.com/errata/RHSA-2018:0314

This issue has been addressed in the following products:
  Red Hat OpenStack Platform 10.0 (Newton)
Via RHSA-2018:0369 https://access.redhat.com/errata/RHSA-2018:0369