- OpenStack-announce - lists.openstack.org

OSSN-0094: Ensuring Volume Safety with Nova and Watcher
by Jay Faulkner 20 Aug '25

20 Aug '25

OSSN-0094: Ensuring Volume Safety with Nova and Watcher == Summary == A vulnerability has been identified in OpenStack Nova and OpenStack Watcher in conjunction with volume swap operations performed by the Watcher service. Under specific circumstances, this can lead to a situation where two Nova libvirt instances could reference the same block device, allowing accidental information disclosure to the unauthorized instance. == Affected Services / Software == Services: Nova,Watcher Releases: all supported releases == Discussion == The issue occurs when Watcher's zone migration strategy performs the following sequence of events: 1. Watcher initiates a volume swap using Nova's internal-only volume swap API 2. Watcher initiates a live migration of the same instance 3. In some error cases connection details may have failed to update storage references. These invalid details are used during the live migration. === Required Access === The swap volume, live migration and all Watcher APIs are admin only so with default policy is only possible to create the inconsistent state described in this OSSN if you have admin rights on the relevant OpenStack project. === Further Watcher Hardening === The Watcher service, when first created, often implemented its own means to perform operations. Many of those operations can now be done natively via other OpenStack services. In the specific context of OSSN-0094, the ability to migrate Cinder volumes between storage backends is such an example. Additionally, the Cinder volume migration in Watcher created a new Keystone user with the admin role assigned for the instance owners' project and then used that user to perform API requests on behalf of the project. This code has been removed. Finally, due to limited error handling and no validation that the objects involved were migrated properly, some error scenarios could have led to a source volume being deleted despite not having been migrated properly. === Resolution === Nova will now reject any request to swap a volume that has an empty migration status, effectively restricting the usage of this API to Cinder. This brings the API validation in line with the documentation. Watchers internal implementation of swap volume has been deleted and updated to use Cinder's native volume migration as a replacement. Watcher no longer creates temporary Keystone users in normal operation. === Patches === Patches for Nova and Watcher have been backported to all supported stable branches and committed to master branch. stable/2025.1: * Watcher: https://review.opendev.org/c/openstack/watcher/+/957770 * Nova: https://review.opendev.org/c/openstack/nova/+/957759 stable/2024.2: * Watcher: https://review.opendev.org/c/openstack/watcher/+/957773 * Nova: https://review.opendev.org/c/openstack/nova/+/957762 stable/2024.1: * Watcher: https://review.opendev.org/c/openstack/watcher/+/957774 * Nova: https://review.opendev.org/c/openstack/nova/+/957764 == Recommended Actions == * Operators using Watcher's zone migration strategy should apply the provided Watcher and Nova patches as soon as possible. * Operators should refrain from using the swap volume migration action in Watcher. The compatibility code for swap volume that uses a Cinder-based migration may be removed in a future API version. * Operators should audit all users with the admin role and ensure no temporary Watcher-created users remain. * Operators using custom policy for volume attachment (''/servers/{server_id}/os-volume_attachments/{volume_id}'') or live migration API should review the state of existing instances which have had volume migrations. Any instance in an inconsistent state can be resolved by hard rebooting the instance using Nova's API. == Contacts / References == * Author: Sean Mooney <smooney(a)redhat.com>, Jay Faulkner <jay(a)jvf.cc> * This OSSN : https://wiki.openstack.org/wiki/OSSN/OSSN-0094 * Original LaunchPad Bug : https://bugs.launchpad.net/nova/+bug/2112187 * Mailing List : [Security] tag on openstack-discuss(a)lists.openstack.org * OpenStack Security Project : https://launchpad.net/~openstack-ossg * CVE: None

1 0

[administrivia] Messages accidentally approved through moderation
by Jeremy Stanley 20 May '25

20 May '25

Apologies, I accidentally approved two off-topic crossposts through the openstack-announce moderation queue just now. I've deleted them from the archive for avoidance of confusion. -- Jeremy Stanley

1 0

[OSSA-2025-001] Ironic fails to restrict paths used for file:// image URLs (CVE-2025-44021)
by Jay Faulkner 08 May '25

08 May '25

========================================================================= OSSA-2025-001: Ironic fails to restrict paths used forfile:// image URLs ========================================================================= :Date: May 08, 2024 :CVE: CVE-2025-44021 Affects ~~~~~~~ - Ironic: <24.1.3, >=25.0.0 <26.1.1, >=27.0.0, <29.0.1 Description ~~~~~~~~~~~ Julia Kreger of Red Hat noticed a vulnerability in image handling for Ironic. A malicious project assigned as a node owner can provide a path to any local file readable by the ironic-conductor which may then be written to the target node disk. This is only possible via deployments performed directly via Ironic's API and cannot be triggered via Nova's virt driver. This is difficult to exploit in practice, as a node deployed in this manner should not ever reach ACTIVE state, but it still represents a danger in environments running with non-default, insecure configurations such as with automated cleaning disabled. Patches ~~~~~~~ -https://review.opendev.org/c/openstack/ironic/+/949175 (2024.1/caracal) -https://review.opendev.org/c/openstack/ironic/+/949174 (2024.2/dalmatian) -https://review.opendev.org/c/openstack/ironic/+/949173 (2025.1/epoxy) - Patch attached tohttps://bugs.launchpad.net/ironic/+bug/2107847/comments/47 (Bobcat/2023.2-eol) -https://review.opendev.org/c/openstack/ironic/+/949186 (Bugfix/26.0) -https://review.opendev.org/c/openstack/ironic/+/949185 (Bugfix/27.0) -https://review.opendev.org/c/openstack/ironic/+/949184 (Bugfix/28.0) -https://review.opendev.org/c/openstack/ironic/+/949172 (Master) -https://review.opendev.org/c/openstack/ironic/+/949182 (Unmaintained/2023.1 antelope) -https://review.opendev.org/c/openstack/ironic/+/949179 (Unmaintained/xena) -https://review.opendev.org/c/openstack/ironic/+/949177 (Unmaintained/yoga) -https://review.opendev.org/c/openstack/ironic/+/949176 (Unmaintained/zed) Credits ~~~~~~~ - Julia Kreger from Red Hat (CVE-2025-44021) References ~~~~~~~~~~ -https://launchpad.net/bugs/2107847 -http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-44021 Notes ~~~~~ - Patches have been provided for all supported Ironic branches. As a courtesy, we have also provided patches for some unmaintained branches and the recently end-of-life 2023.2/bobcat release. As usual, we will provide updated releases off maintained branches, but will not create new releases off bugfix or unmaintained branches.

1 0

OpenStack 2025.1 Epoxy is officially released!
by Elõd Illés 02 Apr '25

02 Apr '25

Hello OpenStack community, I'm excited to announce the final releases for the components of OpenStack 2025.1 Epoxy, which conclude the 2025.1 Epoxy development cycle. You will find a complete list of all components, their latest versions, and links to individual project release notes documents listed on the new release site. https://releases.openstack.org/epoxy/ Congratulations to all of the teams who have contributed to this release! Our next production cycle, 2025.2 Flamingo, has already started. We will meet virtually in April 7th - 11th at the Project Team Gathering to plan the work for the upcoming cycle. I hope to see you there! Thanks, Előd Illés on behalf of the Release Management team

1 0

[OSSA-2024-005] Neutron: Authorization bypassed when setting tags on Neutron networks (CVE-2024-53916)
by Jay Faulkner 03 Dec '24

03 Dec '24

=========================================================================== OSSA-2024-005: Authorization bypassed when setting tags on Neutron networks =========================================================================== :Date: December 03, 2024 :CVE: CVE-2024-53916 Affects ~~~~~~~ - Neutron: >=23.0.0 <23.2.1, >=24.0.0 <24.0.2, >=25.0.0 <25.0.1 Description ~~~~~~~~~~~ Tore Anderson of Redpill Linpro AS discovered that Neutron does not apply the proper policy check for changing network tags. An unprivileged tenant is able to change (add and clear) tags on network objects which do not belong to the tenant, and this action is not being subjected to the proper policy authorization check. Patches ~~~~~~~ -https://review.opendev.org/c/openstack/neutron/+/936849 (2023.2/bobcat) -https://review.opendev.org/c/openstack/neutron/+/936846 (2024.1/caracal) -https://review.opendev.org/c/openstack/neutron/+/936843 (2024.2/dalmatian) -https://review.opendev.org/c/openstack/neutron/+/935883 (2025.1/epoxy) Credits ~~~~~~~ - Tore Anderson from Redpill Linpro AS (C, V, E, -, 2, 0, 2, 4, -, 5, 3, 9, 1, 6) References ~~~~~~~~~~ -https://launchpad.net/bugs/2088986 -http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-53916 -- Jay Faulkner OpenStack VMT

1 0

[OSSA-2024-004]: OpenStack Ironic fails to verify checksums of supplied image_source URLs when configured to convert images to raw for streaming
by Jay Faulkner 03 Oct '24

03 Oct '24

==================================================================================================================================== OSSA-2024-004: Ironic fails to verify checksums of supplied image_source URLs when configured to convert images to raw for streaming ==================================================================================================================================== :Date: October 03, 2024 :CVE: CVE-2024-47211 Affects ~~~~~~~ - Ironic: <21.4.4, >=22.0.0 <23.0.3, >=23.1.0 <24.1.3, >=25.0.0, <26.1.0 Description ~~~~~~~~~~~ Julia Kreger of Red Hat noticed a vulnerability in image validation for Ironic, in which images may not have their checksum validated before conversion, potentially permitting man-in-the-middle attacks modifying image data. Patches ~~~~~~~ -https://review.opendev.org/c/openstack/ironic/+/931300 (2023.1/antelope(ironic)) -https://review.opendev.org/c/openstack/ironic/+/931299 (2023.2/bobcat(ironic)) -https://review.opendev.org/c/openstack/ironic/+/931295 (2024.1/caracal(ironic)) -https://review.opendev.org/c/openstack/ironic/+/931294 (2024.2/dalmatian(ironic)) -https://review.opendev.org/c/openstack/ironic/+/931293 (2025.1/epoxy (ironic)) -https://review.opendev.org/c/openstack/ironic/+/931298 (Bugfix/24.0 (ironic)) -https://review.opendev.org/c/openstack/ironic/+/931297 (Bugfix/25.0 (ironic)) -https://review.opendev.org/c/openstack/ironic/+/931296 (Bugfix/26.0 (ironic)) -https://review.opendev.org/c/openstack/ironic/+/931305 (Unmaintained/victoria(ironic)) -https://review.opendev.org/c/openstack/ironic/+/931304 (Unmaintained/wallaby(ironic)) -https://review.opendev.org/c/openstack/ironic/+/931303 (Unmaintained/xena(ironic)) -https://review.opendev.org/c/openstack/ironic/+/931302 (Unmaintained/yoga(ironic)) -https://review.opendev.org/c/openstack/ironic/+/931301 (Unmaintained/zed(ironic)) Credits ~~~~~~~ - Julia Kreger from Red Hat (CVE-2024-47211) References ~~~~~~~~~~ -https://launchpad.net/bugs/2076289 -http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-47211 Notes ~~~~~ - No other Ironic-adjacent projects, including Ironic-Python-Agent, require patching to resolve this vulnerability. - As usual, we will provide updated releases off maintained branches, but will not create new releases off bugfix or unmaintained branches. -- Jay Faulkner OpenStack Vulnerability Management Team https://security.openstack.org/vmt.html

1 0

OpenStack 2024.2 Dalmatian is officially released!
by Elõd Illés 02 Oct '24

02 Oct '24

Hello OpenStack community, I'm excited to announce the final releases for the components of OpenStack 2024.2 Dalmatian, which conclude the 2024.2 Dalmatian development cycle. You will find a complete list of all components, their latest versions, and links to individual project release notes documents listed on the new release site. https://releases.openstack.org/dalmatian/ Congratulations to all of the teams who have contributed to this release! Our next development cycle, 2025.1 Epoxy, has already started. We will meet virtually in October 21-25, 2024, at the Project Team Gathering to plan the work for the upcoming cycle. I hope to see you there! Thanks, Előd Illés on behalf of the Release Management team

1 0

[all][elections][tc][ptl] 2025.1 Epoxy: Technical Committee & PTL Election Conclusion & Results
by Ian Y. Choi 19 Sep '24

19 Sep '24

Thank you to the electorate, to all those who supported and to all candidates who put their name forward for Technical Committee (TC) & Project Team Lead (PTL) in this election. A healthy, open process breeds trust in our decision making capability. Thank you to all those who make this process possible. 1. Please join me in congratulating the 4 newly elected members of the Technical Committee (TC). Ghanshyam Mann (gmann) Jens Harbott (frickler) Sylvain Bauza (bauzas) Doug Goldstein (cardoe) Full results: https://civs1.civs.us/cgi-bin/results.pl?id=E_079cc0f0dda5010c 2. For the results of the PTL election process, please join me in extending congratulations to the following PTLs: * Adjutant: Dale Smith (dalees) * Barbican: Grzegorz Grasza (xek) * Blazar: Pierre Riteau (priteau) * Cinder: Jon Bernard () * Cloudkitty: Rafael Weingartner () * Cyborg: alex song (songwenping) * Designate: Michael Johnson (johnsom) * Glance: Pranali Deore (pdeore) * Heat: Takashi Kajinami (tkajinam) * Horizon: Tatiana Ovchinnikova (tmazur) * Ironic: Riccardo Pittau (rpittau) * Keystone: Dave Wilde (d34dh0r53) * Kolla: Michal Nasiadka (mnasiadka) * Magnum: Jake Yip (jakeyip) * Manila: Carlos Silva (carloss) * Masakari: sam sue () * Monasca: Hasan Acar () * Neutron: Brian Haley (haleyb) * Nova: Sylvain Bauza (bauzas) * Octavia: Gregory Thiemonge (gthiemonge) * OpenStack Charms: James Page (jamespage) * OpenStack Helm: Vladimir Kozhukalov (kozhukalov) * OpenStackAnsible: Dmitriy Rabotyagov (noonedeadpunk) * OpenStackSDK: Artem Goncharov (gtema) * Puppet OpenStack: Takashi Kajinami (tkajinam) * Quality Assurance: Martin Kopec (kopecmartin) * Rally: Andrey Kurilin (andreykurilin) * Skyline: Wenxiang Wu (wu_wenxiang) * Storlets: Takashi Kajinami (tkajinam) * Sunbeam: Guillaume Boutry (gboutry) * Tacker: Yasufumi Ogawa (yasufum) * Telemetry: Erno Kuvaja (jokke_) * Trove: wu chunyang (wuchunyang) * Venus: Eric Zhang () * Vitrage: Dmitriy Rabotyagov (noonedeadpunk) * Zaqar: Hao Wang (wanghao) * Zun: Hongbin Lu () PTL Election: no election required. For remaining projects (without PTL candidates), TC will work on the appointment. Election process details and results are also available here: https://governance.openstack.org/election/ Thank you to all of the candidates, having a good group of candidates helps engage the community in our democratic process. Thank you to all who voted and who encouraged others to vote. We need to ensure your voice is heard. Thank you for another great round. Thank you, /Ian, an election official

1 0

[OSSA-2024-003] OpenStack Ironic: Unvalidated image data passed to qemu-img (CVE-2024-44082)
by Brian Rosmaita 04 Sep '24

04 Sep '24

======================================================== OSSA-2024-003: Unvalidated image data passed to qemu-img ======================================================== :Date: September 04, 2024 :CVE: CVE-2024-44082 Affects ~~~~~~~ - Ironic: <21.4.3, >=22.0.0 <23.0.2, >=23.1.0 <24.1.2, >=25.0.0 <26.0.1 - Ironic-python-agent: <9.4.2, >=9.5.0 <9.7.1, >=9.8.0 <9.11.1, >=9.12.0 <9.13.1 Description ~~~~~~~~~~~ Dan Smith and Julia Kreger of Red Hat and Jay Faulkner of G-Research noticed a vulnerability in image processing for Ironic, in which a specially crafted image could be used by an authenticated user to exploit undesired behaviors in qemu-img, including possible unauthorized access to potentially sensitive data. Mitigation ---------- The attached patches contain code allowing Ironic and the Ironic-Python-Agent (IPA) to pre-screen images before passing them to qemu-img. You should patch both of them because in some popular deployment configurations, it is possible for images to bypass the Ironic conductor for more efficient image downloads. In situations where it is not possible to patch IPA, there is a new configuration option, ``[conductor]conductor_always_validates_images``. When this option is True, all image downloads are forced to occur through the Ironic conductor, where they are validated. However, this may incur a significant performance hit; hence our recommendation to patch both Ironic and IPA. Patches are available for both Ironic and IPA for all maintained branches, namely, the Dalmatian development branch (current master) through Antelope. For these branches, ``conductor_always_validates_images`` defaults to False. For the unmaintained branches (Zed through Victoria), patches are not available for IPA due to a significant risk of regressions. For these branches, the Ironic patches set ``conductor_always_validates_images`` to True, as this is the only safe way to run Ironic with an un-patched IPA. Cached images ------------- Images in the Ironic image cache should be purged. To purge the cache, stop the Ironic conductor and remove the files in the ``[pxe]/instance_master_path`` directory on that conductor node. Supported image formats ----------------------- A new configuration option, ``[conductor]permitted_image_formats`` controls what image formats will be accepted by Ironic. By default, the allowed formats are 'raw' and 'qcow2', which are the only formats that Ironic is tested with. In previous releases, it was possible to use images of other, unsupported formats with Ironic, but this is now blocked by default due to security issues arising from the image conversion process. It is possible, though not recommended, to expand the list of permitted formats. Alternatively, users requiring the use of an image in an unsupported format can convert the image offline into a supported format before uploading the image to Glance or otherwise making the image available to Ironic. Consult the Ironic documentation for details. Warning ------- As is well-documented, the OpenStack Ironic project does not support the use of ironic-lib for non-Ironic use cases. In its normal supported context, ironic-lib assumes that images have been pre-screened before ironic-lib comes in contact with them. Thus, unsupported use of ironic-lib leaves you vulnerable to the exploit outlined in this OSSA. The Ironic project intends eventually to explicitly remove the vulnerable methods in ironic-lib, but reminds the reader that independent use of ironic-lib is not supported. Bugfix branches --------------- Patches are available for maintained bugfix branches. These patches will be merged to the maintained branches, but no new releases will be triggered from those branches. Patches ~~~~~~~ - https://review.opendev.org/927972 (2023.1/antelope(ironic)) - https://review.opendev.org/927979 (2023.1/antelope(ironic-python-agent)) - https://review.opendev.org/927970 (2023.2/bobcat(ironic)) - https://review.opendev.org/927978 (2023.2/bobcat(ironic-python-agent)) - https://review.opendev.org/927968 (2024.1/caracal(ironic)) - https://review.opendev.org/927976 (2024.1/caracal(ironic-python-agent)) - https://review.opendev.org/927965 (2024.2/dalmatian(ironic)) - https://review.opendev.org/927974 (2024.2/dalmatian(ironic-python-agent)) - https://review.opendev.org/927969 (Bugfix/24.0 (ironic)) - https://review.opendev.org/927967 (Bugfix/25.0 (ironic)) - https://review.opendev.org/927966 (Bugfix/26.0 (ironic)) - https://review.opendev.org/927983 (Bugfix/9.12 (ironic-python-agent)) - https://review.opendev.org/927981 (Bugfix/9.13 (ironic-python-agent)) - https://review.opendev.org/927984 (Bugfix/9.9 (ironic-python-agent)) - https://review.opendev.org/927982 (Unmaintained/victoria(ironic)) - https://review.opendev.org/927980 (Unmaintained/wallaby(ironic)) - https://review.opendev.org/927977 (Unmaintained/xena(ironic)) - https://review.opendev.org/927975 (Unmaintained/yoga(ironic)) - https://review.opendev.org/927973 (Unmaintained/zed(ironic)) Credits ~~~~~~~ - Dan Smith from Red Hat (CVE-2024-44082) - Jay Faulkner from G-Research (CVE-2024-44082) - Julia Kreger from Red Hat (CVE-2024-44082) References ~~~~~~~~~~ - https://launchpad.net/bugs/2071740 - http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-44082 Notes ~~~~~ - For more information about the unadvisability of calling 'qemu-img info' on untrusted images, see CVE-2024-04467. - The ironic unmaintained/* branches will receive no point releases, but patches for them are provided as a courtesy. - The ironic-python-agent unmaintained/* branches will receive no point releases, nor are patches for them available. - The ironic and ironic-python-agent bugfix/* branches will receive no point releases, but patches for them are provided as a courtesy. -- Brian Rosmaita OpenStack Vulnerability Management Team https://security.openstack.org/vmt.html

1 0

[OSSA-2024-002] OpenStack Nova: Incomplete file access fix and regression for QCOW2 backing files and VMDK flat descriptors (CVE-2024-40767)
by Jeremy Stanley 23 Jul '24

23 Jul '24

================================================================== OSSA-2024-002: Incomplete file access fix and regression for QCOW2 backing files and VMDK flat descriptors ================================================================== :Date: July 23, 2024 :CVE: CVE-2024-40767 Affects ~~~~~~~ - Nova: <27.4.1, >=28.0.0 <28.2.1, >=29.0.0 <29.1.1 Description ~~~~~~~~~~~ Arnaud Morin (OVH) reported a vulnerability in Nova. By supplying a raw format image which is actually a specially crafted QCOW2 image with a backing file path or VMDK flat image with a descriptor file path, an authenticated user may convince systems to return a copy of the referenced file’s contents from the server resulting in unauthorized access to potentially sensitive data. All Nova deployments are affected. Patches ~~~~~~~ - https://review.opendev.org/924734 (2023.1/antelope) - https://review.opendev.org/924733 (2023.2/bobcat) - https://review.opendev.org/924732 (2024.1/caracal) - https://review.opendev.org/924731 (2024.2/dalmatian) Credits ~~~~~~~ - Arnaud Morin from OVH (CVE-2024-40767) References ~~~~~~~~~~ - https://launchpad.net/bugs/2071734 - http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-40767 Notes ~~~~~ - The patches linked above should apply cleanly to the public state of their respective branches at time of disclosure, and depend on some commits which merged after the `OSSA-2024-001 <https://security.openstack.org/ossa/OSSA-2024-001.html>`_ fixes as well as the final states of the Nova changes linked from that advisory (those did see some minor adjustments before they merged). - The QCOW2 issue is due to an incomplete fix in OSSA-2024-001 affecting systems where the ``use_cow_images`` configuration option is disabled, while the VMDK issue is a regression of the earlier `OSSA-2023-002 <https://security.openstack.org/ossa/OSSA-2023-002.html>`_ vulnerability reintroduced by the new implementation in OSSA-2024-001. Both problems were identified in the final hours before OSSA-2024-001 publication but, due to time constraints, were redacted from that bug and moved to a separate report. - Neither the methods introduced in these patches nor the fixes for OSSA-2024-001 are capable of blocking malicious images which are already resident in Nova's cache. At this time we do not have useful operator guidance for identifying and removing such existing images from the cache but strongly caution, if you do attempt to use the qemu-img tool to find them, to make sure you're using a version of it patched for `QEMU CVE-2024-4467 <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-4467>`_. -- Jeremy Stanley OpenStack Vulnerability Management Team

1 0