** Changed in: nova (Ubuntu)
       Status: Triaged => Fix Committed

** Changed in: nova (Ubuntu)
       Status: Fix Committed => Fix Released

--
You received this bug notification because you are a member of Yahoo! Engineering Team, which is subscribed to OpenStack Compute (nova).
https://bugs.launchpad.net/bugs/1664931

Title:
  [OSSA-2017-005] nova rebuild ignores all image properties and scheduler filters (CVE-2017-16239)

Status in OpenStack Compute (nova):
  Fix Released
Status in OpenStack Compute (nova) newton series:
  Fix Committed
Status in OpenStack Compute (nova) ocata series:
  Fix Committed
Status in OpenStack Compute (nova) pike series:
  Fix Committed
Status in OpenStack Security Advisory:
  Fix Released
Status in nova package in Ubuntu:
  Fix Released

Bug description:
  Big picture: If some image has some restriction on aggregates or hosts it can be run on, a tenant may use the nova rebuild command to circumvent those restrictions. The main issue is with ImagePropertiesFilter, but it may cause issues with a combination of flavor/image (for example, it allows running a license-restricted OS (Windows) on a host which has no such license, or rebuilding an instance with a cheap flavor with an image which is restricted only to high-priced flavors).

  I don't know if this is a security bug or not. If you find it a non-security issue, please remove the security flag.

  Steps to reproduce:

  1. Set up nova with ImagePropertiesFilter or IsolatedHostsFilter active. They should allow running 'image1' only on 'host1', but never on 'host2'.
  2. Boot an instance with some other (non-restricted) image on 'host2'.
  3. Use nova rebuild INSTANCE image1

  Expected result: nova rejects the rebuild because the given image ('image1') may not run on 'host2'.

  Actual result: nova happily rebuilds the instance with image1 on host2, violating the restrictions.

  Checked affected version: mitaka.

  I believe, due to the way the 'rebuild' command works, newton and master are affected too.
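The expected result in the report, as an added example that is not nova's code or part of the original message: a simplified Python model in which a rebuild with a different image re-runs the placement checks against the instance's current host. The classes, function names and the hypervisor_type values are assumptions made for illustration; only 'host1', 'host2' and 'image1' come from the report.

```python
# Simplified model of the expected behaviour; not nova's code or API.
from dataclasses import dataclass, field

@dataclass
class Host:
    name: str
    capabilities: dict = field(default_factory=dict)

@dataclass
class Image:
    name: str
    properties: dict = field(default_factory=dict)  # capabilities the image requires

class RebuildRejected(Exception):
    """Raised when the requested image is not allowed on the instance's host."""

def image_properties_ok(host, image):
    # Stand-in for an image-properties filter: each property the image
    # requires must equal what the host advertises.
    return all(host.capabilities.get(k) == v for k, v in image.properties.items())

def isolation_ok(host, image, isolated_images, isolated_hosts):
    # Stand-in for an isolated-hosts filter: an isolated image may run
    # only on an isolated host.
    return image.name not in isolated_images or host.name in isolated_hosts

def rebuild(host, current_image, new_image, isolated_images=(), isolated_hosts=()):
    """Return the image the instance runs after the rebuild.

    The instance stays on its host, so when the image changes the
    placement checks are re-run against that one host."""
    if new_image.name != current_image.name:
        if not image_properties_ok(host, new_image):
            raise RebuildRejected(f"{new_image.name} properties do not match {host.name}")
        if not isolation_ok(host, new_image, isolated_images, isolated_hosts):
            raise RebuildRejected(f"{new_image.name} is isolated from {host.name}")
    return new_image

# Constructed sample data using the names from the report.
HOST1 = Host("host1", {"hypervisor_type": "hyperv"})
HOST2 = Host("host2", {"hypervisor_type": "kvm"})
IMAGE1 = Image("image1", {"hypervisor_type": "hyperv"})
OTHER = Image("other-image")

if __name__ == "__main__":
    print(rebuild(HOST1, OTHER, IMAGE1).name)
    try:
        rebuild(HOST2, OTHER, IMAGE1)
    except RebuildRejected as exc:
        print("rejected:", exc)
```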