[Yahoo-eng-team] [Bug 1664931] Re: [OSSA-2017-005] nova rebuild ignores all image properties and scheduler filters (CVE-2017-16239)
** Also affects: nova (Ubuntu Artful)
   Importance: Undecided
       Status: New

** Also affects: nova (Ubuntu Zesty)
   Importance: Undecided
       Status: New

** Changed in: nova (Ubuntu Zesty)
       Status: New => Fix Released

** Changed in: nova (Ubuntu Zesty)
   Importance: Undecided => High

** Changed in: nova (Ubuntu Artful)
   Importance: Undecided => High

** Changed in: nova (Ubuntu Artful)
       Status: New => Fix Released

** Also affects: cloud-archive
   Importance: Undecided
       Status: New

** Also affects: cloud-archive/pike
   Importance: Undecided
       Status: New

** Also affects: cloud-archive/newton
   Importance: Undecided
       Status: New

** Also affects: cloud-archive/ocata
   Importance: Undecided
       Status: New

** Changed in: cloud-archive
   Importance: Undecided => High

** Changed in: cloud-archive
       Status: New => Fix Released

** Changed in: cloud-archive/newton
   Importance: Undecided => High

** Changed in: cloud-archive/newton
       Status: New => Fix Released

** Changed in: cloud-archive/ocata
   Importance: Undecided => High

** Changed in: cloud-archive/ocata
       Status: New => Fix Released

** Changed in: cloud-archive/pike
   Importance: Undecided => High

** Changed in: cloud-archive/pike
       Status: New => Fix Released

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Compute (nova).
https://bugs.launchpad.net/bugs/1664931

Title:
  [OSSA-2017-005] nova rebuild ignores all image properties and scheduler filters (CVE-2017-16239)

Status in Ubuntu Cloud Archive: Fix Released
Status in Ubuntu Cloud Archive newton series: Fix Released
Status in Ubuntu Cloud Archive ocata series: Fix Released
Status in Ubuntu Cloud Archive pike series: Fix Released
Status in OpenStack Compute (nova): Fix Released
Status in OpenStack Compute (nova) newton series: Fix Committed
Status in OpenStack Compute (nova) ocata series: Fix Committed
Status in OpenStack Compute (nova) pike series: Fix Committed
Status in OpenStack Security Advisory: Fix Released
Status in nova package in Ubuntu: Fix Released
Status in nova source package in Zesty: Fix Released
Status in nova source package in Artful: Fix Released

Bug description:

  Big picture: If some image has some restriction on the aggregates or hosts it can be run on, a tenant may use the nova rebuild command to circumvent those restrictions. The main issue is with ImagePropertiesFilter, but it may also cause issues with the combination of flavor/image (for example, it allows running a license-restricted OS (Windows) on a host which has no such license, or rebuilding an instance with a cheap flavor with an image which is restricted only to high-priced flavors).

  I don't know if this is a security bug or not; if you find it a non-security issue, please remove the security flag.

  Steps to reproduce:
  1. Set up nova with ImagePropertiesFilter or IsolatedHostsFilter active. They should allow running 'image1' only on 'host1', but never on 'host2'.
  2. Boot an instance with some other (non-restricted) image on 'host2'.
  3. Use nova rebuild INSTANCE image1

  Expected result: nova rejects the rebuild because the given image ('image1') may not run on 'host2'.

  Actual result: nova happily rebuilds the instance with image1 on host2, violating the restrictions.

  Checked affected version: mitaka. I believe, due to the way the 'rebuild' command works, newton and master are affected too.
To manage notifications about this bug go to:
https://bugs.launchpad.net/cloud-archive/+bug/1664931/+subscriptions

-- 
Mailing list: https://launchpad.net/~yahoo-eng-team
Post to     : yahoo-eng-team@lists.launchpad.net
Unsubscribe : https://launchpad.net/~yahoo-eng-team
More help   : https://help.launchpad.net/ListHelp
[Yahoo-eng-team] [Bug 1664931] Re: [OSSA-2017-005] nova rebuild ignores all image properties and scheduler filters (CVE-2017-16239)
** Changed in: nova (Ubuntu)
       Status: Triaged => Fix Committed

** Changed in: nova (Ubuntu)
       Status: Fix Committed => Fix Released

Status in OpenStack Compute (nova): Fix Released
Status in OpenStack Compute (nova) newton series: Fix Committed
Status in OpenStack Compute (nova) ocata series: Fix Committed
Status in OpenStack Compute (nova) pike series: Fix Committed
Status in OpenStack Security Advisory: Fix Released
Status in nova package in Ubuntu: Fix Released
[Yahoo-eng-team] [Bug 1664931] Re: [OSSA-2017-005] nova rebuild ignores all image properties and scheduler filters (CVE-2017-16239)
** Changed in: ossa
       Status: Fix Committed => Fix Released

Status in OpenStack Compute (nova): Fix Released
Status in OpenStack Compute (nova) newton series: In Progress
Status in OpenStack Compute (nova) ocata series: Fix Committed
Status in OpenStack Compute (nova) pike series: Fix Committed
Status in OpenStack Security Advisory: Fix Released
Status in nova package in Ubuntu: New
[Yahoo-eng-team] [Bug 1664931] Re: [OSSA-2017-005] nova rebuild ignores all image properties and scheduler filters (CVE-2017-16239)
Reviewed:  https://review.openstack.org/519662
Committed: https://git.openstack.org/cgit/openstack/nova/commit/?id=984dd8ad6add4523d93c7ce5a666a32233e02e34
Submitter: Zuul
Branch:    master

commit 984dd8ad6add4523d93c7ce5a666a32233e02e34
Author: Matt Riedemann
Date:   Fri Oct 27 16:03:15 2017 -0400

    Validate new image via scheduler during rebuild

    During a rebuild we bypass the scheduler because we are always
    rebuilding the instance on the same host it's already on. However,
    we allow passing a new image during rebuild and that new image needs
    to be validated to work with the instance host by running it through
    the scheduler filters, like the ImagePropertiesFilter. Otherwise the
    new image could violate constraints placed on the host by the admin.

    This change checks to see if there is a new image provided and if so,
    modifies the request spec passed to the scheduler so that the new
    image is validated all while restricting the scheduler to still pick
    the same host that the instance is running on. If the image is not
    valid for the host, the scheduler will raise NoValidHost and the
    rebuild stops.

    A functional test is added to show the recreate of the bug and that
    we probably stop the rebuild now in conductor by calling the
    scheduler to validate the image.

    Co-Authored-By: Sylvain Bauza
    Closes-Bug: #1664931
    Change-Id: I11746d1ea996a0f18b7c54b4c9c21df58cc4714b

** Changed in: nova
       Status: In Progress => Fix Released

** Changed in: nova/pike
       Status: In Progress => Fix Committed
Status in OpenStack Compute (nova): Fix Released
Status in OpenStack Compute (nova) newton series: In Progress
Status in OpenStack Compute (nova) ocata series: Fix Committed
Status in OpenStack Compute (nova) pike series: Fix Committed
Status in OpenStack Security Advisory: Fix Committed
Status in nova package in Ubuntu: New
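The mitigation the commit message describes, as an added toy model that is not nova's code and not part of this thread: when a rebuild supplies a new image, its properties are run through a scheduler filter with the candidate list pinned to the instance's current host, so a restricted image on the wrong host raises NoValidHost and the rebuild stops. Host, Instance, schedule, rebuild_vulnerable and rebuild_fixed are names assumed for the example, and the filter is a simplified stand-in for ImagePropertiesFilter that checks only the hw_hypervisor_type image property.

```python
# Illustrative model of the fix described in the commit message above.
# Not nova's code: Host, Instance, schedule, rebuild_vulnerable and
# rebuild_fixed are names assumed for this example.
from dataclasses import dataclass


class NoValidHost(Exception):
    """Raised by the scheduler when no candidate host passes the filters."""


@dataclass
class Host:
    name: str
    hypervisor_type: str  # host capability the filter compares against


@dataclass
class Instance:
    host: str          # host the instance is already running on
    image_props: dict  # properties of the image it currently runs


def image_properties_filter(host, image_props):
    # Simplified ImagePropertiesFilter: an image that declares
    # hw_hypervisor_type may only be placed on a host of that type.
    wanted = image_props.get("hw_hypervisor_type")
    return wanted is None or wanted == host.hypervisor_type


def schedule(hosts, image_props, force_host=None):
    # force_host narrows the candidates to one host, the way the fixed
    # request spec pins the rebuild to the instance's current host.
    for host in hosts:
        if force_host in (None, host.name) and image_properties_filter(host, image_props):
            return host.name
    raise NoValidHost()


def rebuild_vulnerable(instance, hosts, new_image_props):
    # Pre-fix: the scheduler is bypassed because the host is already known,
    # so the new image's constraints are never checked (the bug).
    instance.image_props = new_image_props
    return instance.host


def rebuild_fixed(instance, hosts, new_image_props):
    # Post-fix: a new image must pass the scheduler filters for the
    # current host before the rebuild proceeds; NoValidHost aborts it.
    if new_image_props != instance.image_props:
        schedule(hosts, new_image_props, force_host=instance.host)
    instance.image_props = new_image_props
    return instance.host
```

With two constructed hosts (host1 running kvm, host2 running xen) and an image carrying hw_hypervisor_type=kvm, the vulnerable path rebuilds on host2 while the fixed path rejects it and leaves the instance's image untouched.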