OSSA 2013-037 ** Changed in: ossa Status: Fix Committed => Fix Released
** Summary changed: - DoS attack via setting os_type in snapshots (CVE-2013-6437) + [OSSA 2013-037] DoS attack via setting os_type in snapshots (CVE-2013-6437) -- You received this bug notification because you are a member of Yahoo! Engineering Team, which is subscribed to OpenStack Compute (nova). https://bugs.launchpad.net/bugs/1253980 Title: [OSSA 2013-037] DoS attack via setting os_type in snapshots (CVE-2013-6437) Status in OpenStack Compute (Nova): Fix Committed Status in OpenStack Compute (nova) grizzly series: Fix Committed Status in OpenStack Compute (nova) havana series: Fix Committed Status in OpenStack Security Advisories: Fix Released Bug description: If the os_type metadata is set of an image, the ephemeral disk backing file for that image will be named ephemeral_[size]_[os_type]. Because the user can change os_type they can use this to create new ephemeral backing files. Nova image cache management does not include deleting ephemeral backing files (presumably because they are expected to be a small, stable set. Hence a user can fill the disk with ephemeral backing files via the following: 1) Spawn a instance 2) Create a snapshot from it, delete the original instance 3) In a loop: generate a random os_type set os_type to the snapshot spawn and instance from it, and then delete the instance Every iteration will generate an ephemeral backing file on a compute host. With a stacking scheduling policy there is a good chance of hitting the same host repeatedly until its disk is full. Suggested mitigation Only use “os_type” in the ephemeral file name if there is a specific mkfs command defined, otherwise use “default” (Currently for undefined os-types it will use the default mkfs command, but still uses os_type in the name. To manage notifications about this bug go to: https://bugs.launchpad.net/nova/+bug/1253980/+subscriptions -- Mailing list: https://launchpad.net/~yahoo-eng-team Post to : yahoo-eng-team@lists.launchpad.net Unsubscribe : https://launchpad.net/~yahoo-eng-team More help : https://help.launchpad.net/ListHelp