Bug 637506 (CVE-2017-16239) - <sys-cluster/nova-{15.0.8,16.0.3}: Filter Scheduler bypass through rebuild action
Status: RESOLVED FIXED
Alias: CVE-2017-16239
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Low minor
Assignee: Gentoo Security
URL: https://bugs.launchpad.net/nova/+bug/...
Whiteboard: B4 [noglsa cve]
Reported: 2017-11-14 17:27 UTC by Francis Booth
Modified: 2020-05-05 23:14 UTC

Description Francis Booth 2017-11-14 17:27:25 UTC
From URL: 



Description
~~~~~~~~~~~
George Shuklin from servers.com reported a vulnerability in Nova. By
rebuilding an instance, an authenticated user may be able to
circumvent the Filter Scheduler bypassing imposed filters (for
example, the ImagePropertiesFilter or the IsolatedHostsFilter). All
setups using Nova Filter Scheduler are affected.


Patches
~~~~~~~
- https://review.openstack.org/519684 (Newton)
- https://review.openstack.org/519681 (Ocata)
- https://review.openstack.org/519672 (Pike)
- https://review.openstack.org/519662 (Queens)


~ eleix (Security Padawan)


Reproducible: Didn't try
Comment 1 D'juan McDonald (domhnall) 2017-11-14 19:03:39 UTC
CVE-2017-16239 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16239):

In OpenStack Nova through 14.0.9, 15.x through 15.0.7, and 16.x through 16.0.2, by rebuilding an instance, an authenticated user may be able to circumvent the Filter Scheduler bypassing imposed filters (for example, the ImagePropertiesFilter or the IsolatedHostsFilter). All setups using Nova Filter Scheduler are affected.

@Francis, thanks for the report. Also...preserving previous URL for reference:
http://www.openwall.com/lists/oss-security/2017/11/14/5

@maintainer(s), after bump, please call for stabilization when ready, thank you.

Gentoo Security Padawan
(jmbailey/mbailey_j)
Comment 2 Matthew Thode ( prometheanfire ) archtester Gentoo Infrastructure gentoo-dev Security 2017-11-14 19:25:06 UTC
Ya, I'm on the embargo list so have been waiting for it to become public.  I tested right after it became public as well.  The pike patch doesn't cleanly apply, but as soon as the patch merges upstream mriedem said he'd make a release, I'll package it then.  The ocata patch does apply cleanly though, but I'd rather wait for the release and just get the fix from that.

Once the patches merge people can re-emerge 2017.1.9999 or 2017.2.9999 or wait for 15.0.8 or 16.0.3 to be packaged (which I'll ask for a quick stable on).
Comment 3 Matthew Thode ( prometheanfire ) archtester Gentoo Infrastructure gentoo-dev Security 2017-11-15 02:05:14 UTC
ok, can we get a fast stable req for the following, it has the fix.

=sys-cluster/nova-15.0.8 amd64 x86
=sys-cluster/nova-16.0.3 amd64 x86
Comment 4 D'juan McDonald (domhnall) 2019-07-17 02:12:42 UTC
@security ping!

commit b26270d896c39907eca945e2f79b4f6f0c0499ee seems to have handled this bug on: 2017-11-25 with note:

sys-cluster/nova: 15.0.8 and 16.0.3 bup for CVE-2017-16239 bug 637506

Any reason to keep this open still?
Comment 5 D'juan McDonald (domhnall) 2019-07-17 02:13:29 UTC
Ah, wrong paste date... actually it was on 2017-11-14
Comment 6 Sam James archtester gentoo-dev Security 2020-03-19 04:32:33 UTC
Tree is clean