Bug 1869426 (CVE-2020-17376) - CVE-2020-17376 openstack-nova: Soft reboot after live-migration reverts instance to original source domain XML
Summary: CVE-2020-17376 openstack-nova: Soft reboot after live-migration reverts insta...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2020-17376
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1823988 1862353 1870819 1870820 1870821 1870822 1870823 1889289
Blocks: 1866598
TreeView+ depends on / blocked
 
Reported: 2020-08-17 23:41 UTC by Nick Tait
Modified: 2021-02-16 19:29 UTC (History)
20 users (show)

Fixed In Version: openstack-nova 20.3.1, openstack-nova 20.1.2, openstack-nova 19.3.1, openstack-nova 17.0.13, openstack-nova 14.1.0
Doc Type: If docs needed, set a value
Doc Text:
An information disclosure flaw was found in the live migration feature of OpenStack Nova. A user may gain access to destination host devices with the same path as those on the source host. This flaw allows an attacker to perform a soft reboot of an instance that has previously undergone live migration. The greatest impact of this vulnerability is to the confidentiality of many possible device types, but those at special risk are block storage devices, potentially revealing data of other users.
Clone Of:
Environment:
Last Closed: 2020-09-10 07:17:44 UTC
Embargoed:


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2020:3702 0 None None None 2020-09-10 04:50:06 UTC
Red Hat Product Errata RHSA-2020:3704 0 None None None 2020-09-10 05:09:18 UTC
Red Hat Product Errata RHSA-2020:3706 0 None None None 2020-09-10 06:47:14 UTC
Red Hat Product Errata RHSA-2020:3708 0 None None None 2020-09-10 07:29:05 UTC
Red Hat Product Errata RHSA-2020:3711 0 None None None 2020-09-10 08:10:12 UTC

Description Nick Tait 2020-08-17 23:41:14 UTC
Running a soft reboot on an instance after it has been through a live migration rolls back the libvirt domain to a state before the migration. This can potentially give an attacker read/write access to resources they should not have.

Comment 1 Nick Tait 2020-08-17 23:41:17 UTC
External References:

https://bugs.launchpad.net/nova/+bug/1890501

Comment 5 Nick Tait 2020-08-20 19:49:56 UTC
Acknowledgments:

Name: Tadayoshi Hosoya (NEC), Lee Yarwood (Red Hat)

Comment 9 Nick Tait 2020-08-31 16:29:30 UTC
Mitigation:

Public clouds using non-default configurations (allowing untrusted users to initiate live migrations) face significant additional risk. If it is not possible to immediately apply patches, a temporary policy change is recommended: disable soft reboots by setting wait_soft_reboot_seconds to zero. This effectively forces any soft reboots to instead be overridden as a hard reboot. Find more information in Nova's documentation https://docs.openstack.org/nova/ussuri/configuration/config.html

Deployments which use unique device paths for each cinder volume face an extremely low risk of being affected by this flaw.

Comment 25 errata-xmlrpc 2020-09-10 04:50:03 UTC
This issue has been addressed in the following products:

  Red Hat OpenStack Platform 16.1

Via RHSA-2020:3702 https://access.redhat.com/errata/RHSA-2020:3702

Comment 26 errata-xmlrpc 2020-09-10 05:09:15 UTC
This issue has been addressed in the following products:

  Red Hat OpenStack Platform 16.0 (Train)

Via RHSA-2020:3704 https://access.redhat.com/errata/RHSA-2020:3704

Comment 27 errata-xmlrpc 2020-09-10 06:47:10 UTC
This issue has been addressed in the following products:

  Red Hat OpenStack Platform 15.0 (Stein)

Via RHSA-2020:3706 https://access.redhat.com/errata/RHSA-2020:3706

Comment 28 Product Security DevOps Team 2020-09-10 07:17:44 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-17376

Comment 29 errata-xmlrpc 2020-09-10 07:29:02 UTC
This issue has been addressed in the following products:

  Red Hat OpenStack Platform 13.0 (Queens)
  Red Hat OpenStack Platform 13.0 (Queens) for RHEL 7.6 EUS

Via RHSA-2020:3708 https://access.redhat.com/errata/RHSA-2020:3708

Comment 30 errata-xmlrpc 2020-09-10 08:10:08 UTC
This issue has been addressed in the following products:

  Red Hat OpenStack Platform 10.0 (Newton)

Via RHSA-2020:3711 https://access.redhat.com/errata/RHSA-2020:3711

Comment 32 Nick Tait 2020-10-23 15:45:44 UTC
Statement:

Red Hat OpenStack Platform 10 was initially marked as affected, however it has since been discovered that the flaw is actually not present in this version. For this reason, the update in RHSA-2020:3711 can be either applied or ignored for RHOSP 10.


Note You need to log in before you can comment on or make changes to this bug.