[openstack-announce] [OSSA-2017-005] Nova Filter Scheduler bypass through rebuild action (CVE-2017-16239)

Tristan Cacqueray tdecacqu at redhat.com
Tue Nov 14 16:28:44 UTC 2017


==================================================================
OSSA-2017-005: Nova Filter Scheduler bypass through rebuild action
==================================================================

:Date: November 14, 2017
:CVE: CVE-2017-16239


Affects
~~~~~~~
- Nova: <=14.0.9, >=15.0.0 <=15.0.7, >=16.0.0 <=16.0.2


Description
~~~~~~~~~~~
George Shuklin from servers.com reported a vulnerability in Nova. By
rebuilding an instance, an authenticated user may be able to
circumvent the Filter Scheduler bypassing imposed filters (for
example, the ImagePropertiesFilter or the IsolatedHostsFilter). All
setups using Nova Filter Scheduler are affected.


Patches
~~~~~~~
- https://review.openstack.org/519684 (Newton)
- https://review.openstack.org/519681 (Ocata)
- https://review.openstack.org/519672 (Pike)
- https://review.openstack.org/519662 (Queens)


Credits
~~~~~~~
- George Shuklin from Servers.com (CVE-2017-16239)


References
~~~~~~~~~~
- https://launchpad.net/bugs/1664931
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16239

--
Tristan Cacqueray
OpenStack Vulnerability Management Team
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 488 bytes
Desc: not available
URL: <http://lists.openstack.org/pipermail/openstack-announce/attachments/20171114/1c6a86eb/attachment.sig>


More information about the OpenStack-announce mailing list