subject:"\[Yahoo\-eng\-team\] \[Bug 1664931\] Re\: \[OSSA\-2017\-005\] nova rebuild ignores all image properties and scheduler filters \(CVE\-2017\-16239\)"

[Yahoo-eng-team] [Bug 1664931] Re: [OSSA-2017-005] nova rebuild ignores all image properties and scheduler filters (CVE-2017-16239)

2017-12-19 Thread Corey Bryant

** Also affects: nova (Ubuntu Artful)
   Importance: Undecided
   Status: New

** Also affects: nova (Ubuntu Zesty)
   Importance: Undecided
   Status: New

** Changed in: nova (Ubuntu Zesty)
   Status: New => Fix Released

** Changed in: nova (Ubuntu Zesty)
   Importance: Undecided => High

** Changed in: nova (Ubuntu Artful)
   Importance: Undecided => High

** Changed in: nova (Ubuntu Artful)
   Status: New => Fix Released

** Also affects: cloud-archive
   Importance: Undecided
   Status: New

** Also affects: cloud-archive/pike
   Importance: Undecided
   Status: New

** Also affects: cloud-archive/newton
   Importance: Undecided
   Status: New

** Also affects: cloud-archive/ocata
   Importance: Undecided
   Status: New

** Changed in: cloud-archive
   Importance: Undecided => High

** Changed in: cloud-archive
   Status: New => Fix Released

** Changed in: cloud-archive/newton
   Importance: Undecided => High

** Changed in: cloud-archive/newton
   Status: New => Fix Released

** Changed in: cloud-archive/ocata
   Importance: Undecided => High

** Changed in: cloud-archive/ocata
   Status: New => Fix Released

** Changed in: cloud-archive/pike
   Importance: Undecided => High

** Changed in: cloud-archive/pike
   Status: New => Fix Released

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Compute (nova).
https://bugs.launchpad.net/bugs/1664931

Title:
  [OSSA-2017-005] nova rebuild ignores all image properties and
  scheduler filters (CVE-2017-16239)

Status in Ubuntu Cloud Archive:
  Fix Released
Status in Ubuntu Cloud Archive newton series:
  Fix Released
Status in Ubuntu Cloud Archive ocata series:
  Fix Released
Status in Ubuntu Cloud Archive pike series:
  Fix Released
Status in OpenStack Compute (nova):
  Fix Released
Status in OpenStack Compute (nova) newton series:
  Fix Committed
Status in OpenStack Compute (nova) ocata series:
  Fix Committed
Status in OpenStack Compute (nova) pike series:
  Fix Committed
Status in OpenStack Security Advisory:
  Fix Released
Status in nova package in Ubuntu:
  Fix Released
Status in nova source package in Zesty:
  Fix Released
Status in nova source package in Artful:
  Fix Released

Bug description:
  Big picture: If some image has some restriction on aggregates or hosts
  it can be run on, tenant may use  nova rebuild command to circumvent
  those restrictions. Main issue is with ImagePropertiesFilter, but it
  may cause issues with combination of flavor/image (for example allows
  to run license restricted OS (Windows) on host which has no such
  license, or rebuild instance with cheap flavor with image which is
  restricted only for high-priced flavors).

  I don't know if this is a security bug or not, if you would find it
  non-security issue, please remove the security flag.

  Steps to reproduce:

  1. Set up nova with  ImagePropertiesFilter or IsolatedHostsFilter active. 
They should allows to run 'image1' only on 'host1', but never on 'host2'.
  2. Boot instance with some other (non-restricted) image on 'host2'.
  3. Use nova rebuild INSTANCE image1

  Expected result:

  nova rejects rebuild because given image ('image1') may not run on
  'host2'.

  Actual result:

  nova happily rebuild instance with image1 on host2, violating
  restrictions.

  Checked affected version: mitaka.

  I believe, due to the way 'rebuild' command is working, newton and
  master are affected too.

To manage notifications about this bug go to:
https://bugs.launchpad.net/cloud-archive/+bug/1664931/+subscriptions

-- 
Mailing list: https://launchpad.net/~yahoo-eng-team
Post to : yahoo-eng-team@lists.launchpad.net
Unsubscribe : https://launchpad.net/~yahoo-eng-team
More help   : https://help.launchpad.net/ListHelp

[Yahoo-eng-team] [Bug 1664931] Re: [OSSA-2017-005] nova rebuild ignores all image properties and scheduler filters (CVE-2017-16239)

2017-12-13 Thread Corey Bryant

** Changed in: nova (Ubuntu)
   Status: Triaged => Fix Committed

** Changed in: nova (Ubuntu)
   Status: Fix Committed => Fix Released

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Compute (nova).
https://bugs.launchpad.net/bugs/1664931

Title:
  [OSSA-2017-005] nova rebuild ignores all image properties and
  scheduler filters (CVE-2017-16239)

Status in OpenStack Compute (nova):
  Fix Released
Status in OpenStack Compute (nova) newton series:
  Fix Committed
Status in OpenStack Compute (nova) ocata series:
  Fix Committed
Status in OpenStack Compute (nova) pike series:
  Fix Committed
Status in OpenStack Security Advisory:
  Fix Released
Status in nova package in Ubuntu:
  Fix Released

Bug description:
  Big picture: If some image has some restriction on aggregates or hosts
  it can be run on, tenant may use  nova rebuild command to circumvent
  those restrictions. Main issue is with ImagePropertiesFilter, but it
  may cause issues with combination of flavor/image (for example allows
  to run license restricted OS (Windows) on host which has no such
  license, or rebuild instance with cheap flavor with image which is
  restricted only for high-priced flavors).

  I don't know if this is a security bug or not, if you would find it
  non-security issue, please remove the security flag.

  Steps to reproduce:

  1. Set up nova with  ImagePropertiesFilter or IsolatedHostsFilter active. 
They should allows to run 'image1' only on 'host1', but never on 'host2'.
  2. Boot instance with some other (non-restricted) image on 'host2'.
  3. Use nova rebuild INSTANCE image1

  Expected result:

  nova rejects rebuild because given image ('image1') may not run on
  'host2'.

  Actual result:

  nova happily rebuild instance with image1 on host2, violating
  restrictions.

  Checked affected version: mitaka.

  I believe, due to the way 'rebuild' command is working, newton and
  master are affected too.

To manage notifications about this bug go to:
https://bugs.launchpad.net/nova/+bug/1664931/+subscriptions

-- 
Mailing list: https://launchpad.net/~yahoo-eng-team
Post to : yahoo-eng-team@lists.launchpad.net
Unsubscribe : https://launchpad.net/~yahoo-eng-team
More help   : https://help.launchpad.net/ListHelp

[Yahoo-eng-team] [Bug 1664931] Re: [OSSA-2017-005] nova rebuild ignores all image properties and scheduler filters (CVE-2017-16239)

2017-11-15 Thread Jeremy Stanley

** Changed in: ossa
   Status: Fix Committed => Fix Released

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Compute (nova).
https://bugs.launchpad.net/bugs/1664931

Title:
  [OSSA-2017-005] nova rebuild ignores all image properties and
  scheduler filters (CVE-2017-16239)

Status in OpenStack Compute (nova):
  Fix Released
Status in OpenStack Compute (nova) newton series:
  In Progress
Status in OpenStack Compute (nova) ocata series:
  Fix Committed
Status in OpenStack Compute (nova) pike series:
  Fix Committed
Status in OpenStack Security Advisory:
  Fix Released
Status in nova package in Ubuntu:
  New

Bug description:
  Big picture: If some image has some restriction on aggregates or hosts
  it can be run on, tenant may use  nova rebuild command to circumvent
  those restrictions. Main issue is with ImagePropertiesFilter, but it
  may cause issues with combination of flavor/image (for example allows
  to run license restricted OS (Windows) on host which has no such
  license, or rebuild instance with cheap flavor with image which is
  restricted only for high-priced flavors).

  I don't know if this is a security bug or not, if you would find it
  non-security issue, please remove the security flag.

  Steps to reproduce:

  1. Set up nova with  ImagePropertiesFilter or IsolatedHostsFilter active. 
They should allows to run 'image1' only on 'host1', but never on 'host2'.
  2. Boot instance with some other (non-restricted) image on 'host2'.
  3. Use nova rebuild INSTANCE image1

  Expected result:

  nova rejects rebuild because given image ('image1') may not run on
  'host2'.

  Actual result:

  nova happily rebuild instance with image1 on host2, violating
  restrictions.

  Checked affected version: mitaka.

  I believe, due to the way 'rebuild' command is working, newton and
  master are affected too.

To manage notifications about this bug go to:
https://bugs.launchpad.net/nova/+bug/1664931/+subscriptions

-- 
Mailing list: https://launchpad.net/~yahoo-eng-team
Post to : yahoo-eng-team@lists.launchpad.net
Unsubscribe : https://launchpad.net/~yahoo-eng-team
More help   : https://help.launchpad.net/ListHelp

[Yahoo-eng-team] [Bug 1664931] Re: [OSSA-2017-005] nova rebuild ignores all image properties and scheduler filters (CVE-2017-16239)

2017-11-14 Thread OpenStack Infra

Reviewed:  https://review.openstack.org/519662
Committed: 
https://git.openstack.org/cgit/openstack/nova/commit/?id=984dd8ad6add4523d93c7ce5a666a32233e02e34
Submitter: Zuul
Branch:master

commit 984dd8ad6add4523d93c7ce5a666a32233e02e34
Author: Matt Riedemann 
Date:   Fri Oct 27 16:03:15 2017 -0400

Validate new image via scheduler during rebuild

During a rebuild we bypass the scheduler because we are
always rebuilding the instance on the same host it's already
on. However, we allow passing a new image during rebuild
and that new image needs to be validated to work with the
instance host by running it through the scheduler filters,
like the ImagePropertiesFilter. Otherwise the new image
could violate constraints placed on the host by the admin.

This change checks to see if there is a new image provided
and if so, modifies the request spec passed to the scheduler
so that the new image is validated all while restricting
the scheduler to still pick the same host that the instance
is running on. If the image is not valid for the host, the
scheduler will raise NoValidHost and the rebuild stops.

A functional test is added to show the recreate of the bug
and that we probably stop the rebuild now in conductor by
calling the scheduler to validate the image.

Co-Authored-By: Sylvain Bauza 

Closes-Bug: #1664931

Change-Id: I11746d1ea996a0f18b7c54b4c9c21df58cc4714b


** Changed in: nova
   Status: In Progress => Fix Released

** Changed in: nova/pike
   Status: In Progress => Fix Committed

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Compute (nova).
https://bugs.launchpad.net/bugs/1664931

Title:
  [OSSA-2017-005] nova rebuild ignores all image properties and
  scheduler filters (CVE-2017-16239)

Status in OpenStack Compute (nova):
  Fix Released
Status in OpenStack Compute (nova) newton series:
  In Progress
Status in OpenStack Compute (nova) ocata series:
  Fix Committed
Status in OpenStack Compute (nova) pike series:
  Fix Committed
Status in OpenStack Security Advisory:
  Fix Committed
Status in nova package in Ubuntu:
  New

Bug description:
  Big picture: If some image has some restriction on aggregates or hosts
  it can be run on, tenant may use  nova rebuild command to circumvent
  those restrictions. Main issue is with ImagePropertiesFilter, but it
  may cause issues with combination of flavor/image (for example allows
  to run license restricted OS (Windows) on host which has no such
  license, or rebuild instance with cheap flavor with image which is
  restricted only for high-priced flavors).

  I don't know if this is a security bug or not, if you would find it
  non-security issue, please remove the security flag.

  Steps to reproduce:

  1. Set up nova with  ImagePropertiesFilter or IsolatedHostsFilter active. 
They should allows to run 'image1' only on 'host1', but never on 'host2'.
  2. Boot instance with some other (non-restricted) image on 'host2'.
  3. Use nova rebuild INSTANCE image1

  Expected result:

  nova rejects rebuild because given image ('image1') may not run on
  'host2'.

  Actual result:

  nova happily rebuild instance with image1 on host2, violating
  restrictions.

  Checked affected version: mitaka.

  I believe, due to the way 'rebuild' command is working, newton and
  master are affected too.

To manage notifications about this bug go to:
https://bugs.launchpad.net/nova/+bug/1664931/+subscriptions

-- 
Mailing list: https://launchpad.net/~yahoo-eng-team
Post to : yahoo-eng-team@lists.launchpad.net
Unsubscribe : https://launchpad.net/~yahoo-eng-team
More help   : https://help.launchpad.net/ListHelp

[Yahoo-eng-team] [Bug 1664931] Re: [OSSA-2017-005] nova rebuild ignores all image properties and scheduler filters (CVE-2017-16239)

[Yahoo-eng-team] [Bug 1664931] Re: [OSSA-2017-005] nova rebuild ignores all image properties and scheduler filters (CVE-2017-16239)

[Yahoo-eng-team] [Bug 1664931] Re: [OSSA-2017-005] nova rebuild ignores all image properties and scheduler filters (CVE-2017-16239)

[Yahoo-eng-team] [Bug 1664931] Re: [OSSA-2017-005] nova rebuild ignores all image properties and scheduler filters (CVE-2017-16239)

4 matches

Site Navigation

Mail list logo

Footer information