[Openstack-security] [Bug 1501808] Re: Enabling soft-deletes opens a DOS on compute hosts
Tristan Cacqueray
tdecacqu at redhat.com
Mon Jan 11 16:37:02 UTC 2016
I've removed the privacy settings and put the OSSA tasks as Won't Fix
based on comment #3. This can be put back to incomplete if the situation
changes.
** Tags added: security
** Description changed:
- This issue is being treated as a potential security risk under embargo.
- Please do not make any public mention of embargoed (private) security
- vulnerabilities before their coordinated publication by the OpenStack
- Vulnerability Management Team in the form of an official OpenStack
- Security Advisory. This includes discussion of the bug or associated
- fixes in public forums such as mailing lists, code review systems and
- bug trackers. Please also avoid private disclosure to other individuals
- not already approved for access to this information, and provide this
- same reminder to those who are made aware of the issue prior to
- publication. All discussion should remain confined to this private bug
- report, and any proposed fixes should be added to the bug as
- attachments.
-
If the user sets reclaim_instance_interval to anything other than 0,
then when a user requests an instance delete, it will instead be soft
deleted. Soft delete explicitly releases the user's quota, but does not
release the instance's resources until period task
_reclaim_queued_deletes runs with a period of reclaim_instance_interval
seconds.
A malicious authenticated user can repeatedly create and delete
instances without limit, which will consume resources on the host
without consuming their quota. If done quickly enough, this will exhaust
host resources.
I'm not entirely sure what to suggest in remediation, as this seems to
be a deliberate design. The most obvious fix would be to not release
quota until the instance is reaped, but that would be a significant
change in behaviour.
This is very similar to https://bugs.launchpad.net/bugs/cve/2015-3280 ,
except that we do it deliberately.
** Changed in: ossa
Status: Incomplete => Won't Fix
** Information type changed from Private Security to Public
--
You received this bug notification because you are a member of OpenStack
Security, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1501808
Title:
Enabling soft-deletes opens a DOS on compute hosts
Status in OpenStack Compute (nova):
Triaged
Status in OpenStack Security Advisory:
Won't Fix
Bug description:
If the user sets reclaim_instance_interval to anything other than 0,
then when a user requests an instance delete, it will instead be soft
deleted. Soft delete explicitly releases the user's quota, but does
not release the instance's resources until period task
_reclaim_queued_deletes runs with a period of
reclaim_instance_interval seconds.
A malicious authenticated user can repeatedly create and delete
instances without limit, which will consume resources on the host
without consuming their quota. If done quickly enough, this will
exhaust host resources.
I'm not entirely sure what to suggest in remediation, as this seems to
be a deliberate design. The most obvious fix would be to not release
quota until the instance is reaped, but that would be a significant
change in behaviour.
This is very similar to https://bugs.launchpad.net/bugs/cve/2015-3280
, except that we do it deliberately.
To manage notifications about this bug go to:
https://bugs.launchpad.net/nova/+bug/1501808/+subscriptions
More information about the Openstack-security
mailing list