[OSSA 2015-015] Resize/delete combo allows to overload nova-compute (CVE-2015-3241)
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
OpenStack Compute (nova) | Fix Released | High | Abhishek Kekane | |
Juno | Fix Released | Undecided | Abhishek Kekane | |
Kilo | Fix Released | Undecided | Abhishek Kekane | |
OpenStack Security Advisory | Fix Released | Medium | Tristan Cacqueray | |
Bug Description
If a user creates an instance, resizes it to a larger flavor and then deletes that instance, the migration process does not stop. This allows the user to repeat the operation many times, causing overload on affected compute nodes over the user's quota.
Affected installation: the most drastic effect happens on 'raw-disk' instances without live migration. The whole raw disk (full size of the flavor) is copied during migration.
If the user deletes the instance, it does not terminate rsync/scp, keeping the disk backing file open regardless of its removal by nova compute.
Because rsync/scp of large disks is rather slow, it gives a malicious user enough time to repeat that operation a few hundred times, causing disk space depletion on compute nodes, a huge impact on the management network and so on.
Proposed solution: abort the migration (kill rsync/scp) as soon as the instance is deleted.
Affected installation: Havana, Icehouse, probably Juno (not tested).
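
One way to implement the proposed solution in the report above, as an added example that is not nova's code and not part of the original report: a tracker that ties each disk-copy process to its instance, terminates it when the instance is deleted, and refuses to start a copy for an instance that is already deleted. `CopyJobTracker`, its method names and the Python stand-in for the slow rsync/scp are assumptions made for illustration.

```python
import subprocess
import sys
import threading


class CopyJobTracker:
    """Hypothetical helper: tracks in-flight disk-copy processes per instance."""

    def __init__(self):
        self._lock = threading.Lock()
        self._jobs = {}        # instance_uuid -> set of Popen objects
        self._deleted = set()  # instances whose delete has already been seen

    def start_copy(self, instance_uuid, argv):
        """Launch a copy command and register it; refuse if already deleted."""
        with self._lock:
            # Check and spawn under one lock so a racing delete cannot miss it.
            if instance_uuid in self._deleted:
                raise RuntimeError("instance deleted; copy not started")
            proc = subprocess.Popen(argv)
            self._jobs.setdefault(instance_uuid, set()).add(proc)
        return proc

    def finish_copy(self, instance_uuid, proc):
        """Deregister a copy that ended on its own."""
        with self._lock:
            self._jobs.get(instance_uuid, set()).discard(proc)

    def on_instance_delete(self, instance_uuid, timeout=5):
        """Stop every copy for the instance; return how many were stopped."""
        with self._lock:
            self._deleted.add(instance_uuid)
            procs = self._jobs.pop(instance_uuid, set())
        stopped = 0
        for proc in procs:
            if proc.poll() is None:
                proc.terminate()          # polite stop first
                try:
                    proc.wait(timeout=timeout)
                except subprocess.TimeoutExpired:
                    proc.kill()           # escalate if it ignores the request
                    proc.wait()
                stopped += 1
        return stopped


def stand_in_copy_argv(seconds=60):
    """Constructed stand-in for a slow rsync/scp of a raw disk."""
    return [sys.executable, "-c", f"import time; time.sleep({seconds})"]
```

Because the copy process exits on delete, it no longer holds the removed backing file open, so the disk space and management-network bandwidth are released immediately rather than when the transfer would have finished.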
CVE References
description: | updated |
Changed in nova: | |
assignee: | nobody → Michael Still (mikalstill) |
Changed in nova: | |
assignee: | Michael Still (mikalstill) → Tony Breeds (o-tony) |
summary: | Resize/delete combo allows to overload nova-compute → Resize/delete combo allows to overload nova-compute (CVE-2015-3241) |
information type: | Private Security → Public Security |
Changed in nova: | |
assignee: | Tony Breeds (o-tony) → Abhishek Kekane (abhishek-kekane) |
status: | Confirmed → In Progress |
Changed in nova: | |
assignee: | Abhishek Kekane (abhishek-kekane) → Michael Still (mikalstill) |
Changed in nova: | |
assignee: | Michael Still (mikalstill) → Abhishek Kekane (abhishek-kekane) |
Changed in nova: | |
assignee: | Nikola Đipanov (ndipanov) → Abhishek Kekane (abhishek-kekane) |
tags: | added: juno-backport-potential |
summary: | Resize/delete combo allows to overload nova-compute (CVE-2015-3241) → [OSSA 2015-015] Resize/delete combo allows to overload nova-compute (CVE-2015-3241) |
Changed in ossa: | |
status: | Fix Committed → Fix Released |
Changed in nova: | |
milestone: | none → liberty-3 |
status: | Fix Committed → Fix Released |
Changed in nova: | |
milestone: | liberty-3 → 12.0.0 |
Thanks for the report! The OSSA task is set to incomplete pending project core security review.
At first glance, it seems a valid DoS avenue...