Comment 11 for bug 1664931

Tristan Cacqueray (tristan-cacqueray) wrote : Re: nova rebuild ignores all image properties and scheduler filters

This looks like a class A type of bug according to VMT's taxonomy (https://security.openstack.org/vmt-process.html#incident-report-taxonomy), though I'm in favor of fixing this in the open since the impact sounds limited.

Impact description draft:

Title: Nova Filter Scheduler bypass through rebuild action
Reporter: George Shuklin (servers.com)
Products: Nova
Affects: >=13.0.0 <=13.1.3, >=14.0.0 <=14.0.4, ==15.0.0

Description:
George Shuklin from servers.com reported a vulnerability in Nova.
By rebuilding a malicious instance, an authenticated user may be able to bypass
the Filter Scheduler, resulting in restriction violations such as the
ImagePropertiesFilter and the IsolatedHostsFilter. All setups using the Nova
Filter Scheduler are affected.