Bugzilla – Bug 1070500
VUL-0: CVE-2017-17051: openstack-nova: Nova FilterScheduler doubles resource allocations during rebuild with new image
Last modified: 2020-04-30 15:46:36 UTC
CVE-2017-17051 CRD: 2017-12-05 This is an advance warning of a vulnerability discovered in OpenStack, to give you, as downstream stakeholders, a chance to coordinate the release of fixes and reduce the vulnerability window. Please treat the following information as confidential until the proposed public disclosure date. Title: Nova FilterScheduler doubles resource allocations during rebuild with new image Reporter: Matt Riedemann (Huawei) Products: Nova Affects: 16.0.3 Description: Matt Riedemann from Huawei reported a vulnerability in OpenStack Nova's default FilterScheduler. By repeatedly rebuilding an instance with new images, an authenticated user may consume untracked resources on a hypervisor host leading to a denial of service. This regression was introduced with the fix for OSSA-2017-005 (CVE-2017-16239), however, only Nova stable/pike or later deployments with that fix applied and relying on the default FilterScheduler are affected. Proposed patch: See attached patches. Unless a flaw is discovered in them, these patches will be merged to their corresponding branches on the public disclosure date. Note they are also posted publicly in our code review system, with no mention (yet) of addressing a security vulnerability... https://review.openstack.org/521662 (master branch) https://review.openstack.org/523214 (stable/pike branch) CVE: CVE-2017-17051 Proposed public disclosure date/time: Tuesday, December 5, 2017, 1500UTC Please do not make the issue public (or release public patches) before this coordinated embargo date. Original private report: https://launchpad.net/bugs/1732976 For access to read and comment on this report, please reply to me with your Launchpad username and I will subscribe you. -- Jeremy Stanley OpenStack Vulnerability Management Team References: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-17051 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17051
Created attachment 750736 [details] cve-2017-17051-master-queens.patch cve-2017-17051-master-queens.patch
Created attachment 750737 [details] cve-2017-17051-stable-pike.patch cve-2017-17051-stable-pike.patch
public
This was fixed in December 2017 in Cloud8 and is also fixed in Cloud9. Backport to Cloud7 still missing.
According to the description, SOC7 (Newton based which was before Pike) is not affected: """ ...only Nova stable/pike or later deployments with that fix applied and relying on the default FilterScheduler are affected. """ @security team: Are you ok with closing this as fixed?
SUSE-SU-2019:2219-1: An update that solves three vulnerabilities and has 27 fixes is now available. Category: security (moderate) Bug References: 1070500,1108818,1118159,1120657,1122053,1122825,1124170,1128382,1128453,1128783,1129729,1132654,1132852,1133719,1134495,1134589,1136569,1137377,1137817,1138124,1138187,1138489,1138967,1139750,1140512,1140663,1142032,1142521,1142686,1143310 CVE References: CVE-2015-3448,CVE-2017-17051,CVE-2019-9735 Sources used: SUSE OpenStack Cloud Crowbar 8 (src): caasp-openstack-heat-templates-1.0+git.1560518045.ad7dc6d-4.15.1, crowbar-core-5.0+git.1565280360.01fed6905-3.26.1, crowbar-ha-5.0+git.1562069707.e2de18c-3.20.1, crowbar-openstack-5.0+git.1565270683.ea6e63d87-4.28.1, crowbar-ui-1.2.0+git.1563181545.65360af5-3.9.1, documentation-suse-openstack-cloud-deployment-8.20190805-1.20.1, documentation-suse-openstack-cloud-supplement-8.20190805-1.20.1, documentation-suse-openstack-cloud-upstream-admin-8.20190805-1.20.1, documentation-suse-openstack-cloud-upstream-user-8.20190805-1.20.1, galera-python-clustercheck-0.0+git.1562242499.36b8b64-4.6.1, openstack-cinder-11.2.3~dev7-3.18.2, openstack-cinder-doc-11.2.3~dev7-3.18.1, openstack-glance-15.0.3~dev2-3.9.2, openstack-glance-doc-15.0.3~dev2-3.9.1, openstack-heat-9.0.8~dev11-3.21.2, openstack-heat-doc-9.0.8~dev11-3.21.1, openstack-horizon-plugin-monasca-ui-1.8.1~dev39-3.9.2, openstack-horizon-plugin-neutron-fwaas-ui-1.0.1~dev9-4.6.2, openstack-ironic-9.1.8~dev7-3.21.2, openstack-ironic-doc-9.1.8~dev7-3.21.1, openstack-keystone-12.0.4~dev2-5.22.2, openstack-keystone-doc-12.0.4~dev2-5.22.1, openstack-manila-5.1.1~dev2-3.18.2, openstack-manila-doc-5.1.1~dev2-3.18.1, openstack-monasca-agent-2.2.5~dev5-3.12.1, openstack-monasca-api-2.2.2~dev1-3.15.2, openstack-monasca-persister-1.7.1~dev10-3.9.1, openstack-monasca-persister-java-1.7.1~a0~dev2-3.3.1, openstack-murano-4.0.2~dev2-3.9.2, openstack-murano-doc-4.0.2~dev2-3.9.1, openstack-neutron-11.0.9~dev42-3.21.2, openstack-neutron-doc-11.0.9~dev42-3.21.1, openstack-neutron-gbp-7.3.1~dev45-3.6.1, openstack-neutron-lbaas-11.0.4~dev6-3.12.1, openstack-neutron-lbaas-doc-11.0.4~dev6-3.12.1, openstack-nova-16.1.9~dev4-3.26.2, openstack-nova-doc-16.1.9~dev4-3.26.1, openstack-octavia-1.0.6~dev2-4.18.1, python-oslo.db-4.25.2-3.6.1, python-osprofiler-1.11.1-3.3.1 SUSE OpenStack Cloud 8 (src): ardana-ansible-8.0+git.1560208949.67048e3-3.64.1, ardana-db-8.0+git.1564410318.f0cca2c-3.28.1, ardana-freezer-8.0+git.1564164977.ef9baeb-3.18.1, ardana-glance-8.0+git.1564491709.349d78e-3.14.1, ardana-input-model-8.0+git.1562848601.c3daff0-3.30.1, ardana-nova-8.0+git.1565388406.c6abb8d-3.32.1, ardana-osconfig-8.0+git.1563383198.c7fd9b4-3.39.1, ardana-tempest-8.0+git.1562849010.73bc517-3.24.1, caasp-openstack-heat-templates-1.0+git.1560518045.ad7dc6d-4.15.1, documentation-suse-openstack-cloud-installation-8.20190805-1.20.1, documentation-suse-openstack-cloud-operations-8.20190805-1.20.1, documentation-suse-openstack-cloud-opsconsole-8.20190805-1.20.1, documentation-suse-openstack-cloud-planning-8.20190805-1.20.1, documentation-suse-openstack-cloud-security-8.20190805-1.20.1, documentation-suse-openstack-cloud-supplement-8.20190805-1.20.1, documentation-suse-openstack-cloud-upstream-admin-8.20190805-1.20.1, documentation-suse-openstack-cloud-upstream-user-8.20190805-1.20.1, documentation-suse-openstack-cloud-user-8.20190805-1.20.1, galera-python-clustercheck-0.0+git.1562242499.36b8b64-4.6.1, openstack-cinder-11.2.3~dev7-3.18.2, openstack-cinder-doc-11.2.3~dev7-3.18.1, openstack-glance-15.0.3~dev2-3.9.2, openstack-glance-doc-15.0.3~dev2-3.9.1, openstack-heat-9.0.8~dev11-3.21.2, openstack-heat-doc-9.0.8~dev11-3.21.1, openstack-horizon-plugin-monasca-ui-1.8.1~dev39-3.9.2, openstack-horizon-plugin-neutron-fwaas-ui-1.0.1~dev9-4.6.2, openstack-ironic-9.1.8~dev7-3.21.2, openstack-ironic-doc-9.1.8~dev7-3.21.1, openstack-keystone-12.0.4~dev2-5.22.2, openstack-keystone-doc-12.0.4~dev2-5.22.1, openstack-manila-5.1.1~dev2-3.18.2, openstack-manila-doc-5.1.1~dev2-3.18.1, openstack-monasca-agent-2.2.5~dev5-3.12.1, openstack-monasca-api-2.2.2~dev1-3.15.2, openstack-monasca-persister-1.7.1~dev10-3.9.1, openstack-monasca-persister-java-1.7.1~a0~dev2-3.3.1, openstack-murano-4.0.2~dev2-3.9.2, openstack-murano-doc-4.0.2~dev2-3.9.1, openstack-neutron-11.0.9~dev42-3.21.2, openstack-neutron-doc-11.0.9~dev42-3.21.1, openstack-neutron-gbp-7.3.1~dev45-3.6.1, openstack-neutron-lbaas-11.0.4~dev6-3.12.1, openstack-neutron-lbaas-doc-11.0.4~dev6-3.12.1, openstack-nova-16.1.9~dev4-3.26.2, openstack-nova-doc-16.1.9~dev4-3.26.1, openstack-octavia-1.0.6~dev2-4.18.1, python-Beaver-8.0+git.1502900605.3e0068a-4.3.1, python-oslo.db-4.25.2-3.6.1, python-osprofiler-1.11.1-3.3.1, python-swiftlm-8.0+git.1541434883.e0ebe69-5.9.1, venv-openstack-magnum-5.0.2_5.0.2_5.0.2~dev31-11.18.1, venv-openstack-monasca-2.2.2~dev1-11.16.1, venv-openstack-monasca-ceilometer-1.5.1_1.5.1_1.5.1~dev3-8.14.1, venv-openstack-murano-4.0.2~dev2-12.14.1, venv-openstack-neutron-11.0.9~dev42-13.22.1 HPE Helion Openstack 8 (src): ardana-ansible-8.0+git.1560208949.67048e3-3.64.1, ardana-db-8.0+git.1564410318.f0cca2c-3.28.1, ardana-freezer-8.0+git.1564164977.ef9baeb-3.18.1, ardana-glance-8.0+git.1564491709.349d78e-3.14.1, ardana-input-model-8.0+git.1562848601.c3daff0-3.30.1, ardana-nova-8.0+git.1565388406.c6abb8d-3.32.1, ardana-osconfig-8.0+git.1563383198.c7fd9b4-3.39.1, ardana-tempest-8.0+git.1562849010.73bc517-3.24.1, caasp-openstack-heat-templates-1.0+git.1560518045.ad7dc6d-4.15.1, documentation-hpe-helion-openstack-installation-8.20190805-1.20.1, documentation-hpe-helion-openstack-operations-8.20190805-1.20.1, documentation-hpe-helion-openstack-opsconsole-8.20190805-1.20.1, documentation-hpe-helion-openstack-planning-8.20190805-1.20.1, documentation-hpe-helion-openstack-security-8.20190805-1.20.1, documentation-hpe-helion-openstack-user-8.20190805-1.20.1, galera-python-clustercheck-0.0+git.1562242499.36b8b64-4.6.1, openstack-cinder-11.2.3~dev7-3.18.2, openstack-cinder-doc-11.2.3~dev7-3.18.1, openstack-glance-15.0.3~dev2-3.9.2, openstack-glance-doc-15.0.3~dev2-3.9.1, openstack-heat-9.0.8~dev11-3.21.2, openstack-heat-doc-9.0.8~dev11-3.21.1, openstack-horizon-plugin-monasca-ui-1.8.1~dev39-3.9.2, openstack-horizon-plugin-neutron-fwaas-ui-1.0.1~dev9-4.6.2, openstack-ironic-9.1.8~dev7-3.21.2, openstack-ironic-doc-9.1.8~dev7-3.21.1, openstack-keystone-12.0.4~dev2-5.22.2, openstack-keystone-doc-12.0.4~dev2-5.22.1, openstack-manila-5.1.1~dev2-3.18.2, openstack-manila-doc-5.1.1~dev2-3.18.1, openstack-monasca-agent-2.2.5~dev5-3.12.1, openstack-monasca-api-2.2.2~dev1-3.15.2, openstack-monasca-persister-1.7.1~dev10-3.9.1, openstack-monasca-persister-java-1.7.1~a0~dev2-3.3.1, openstack-murano-4.0.2~dev2-3.9.2, openstack-murano-doc-4.0.2~dev2-3.9.1, openstack-neutron-11.0.9~dev42-3.21.2, openstack-neutron-doc-11.0.9~dev42-3.21.1, openstack-neutron-gbp-7.3.1~dev45-3.6.1, openstack-neutron-lbaas-11.0.4~dev6-3.12.1, openstack-neutron-lbaas-doc-11.0.4~dev6-3.12.1, openstack-nova-16.1.9~dev4-3.26.2, openstack-nova-doc-16.1.9~dev4-3.26.1, openstack-octavia-1.0.6~dev2-4.18.1, python-Beaver-8.0+git.1502900605.3e0068a-4.3.1, python-oslo.db-4.25.2-3.6.1, python-osprofiler-1.11.1-3.3.1, python-swiftlm-8.0+git.1541434883.e0ebe69-5.9.1, venv-openstack-magnum-5.0.2_5.0.2_5.0.2~dev31-11.18.1, venv-openstack-monasca-2.2.2~dev1-11.16.1, venv-openstack-monasca-ceilometer-1.5.1_1.5.1_1.5.1~dev3-8.14.1, venv-openstack-murano-4.0.2~dev2-12.14.1, venv-openstack-neutron-11.0.9~dev42-13.22.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Done