Comment 10 for bug 1732976

Matt Riedemann (mriedem) wrote : Re: Potential DoS by rebuilding the same instance with a new image multiple times

Between Dan and myself we have fixes for the issues pointed out in this bug and the etherpad:

https://etherpad.openstack.org/p/nova-rebuild-issues

1. https://review.openstack.org/#/c/521186/ - maintains the fix for the original CVE-2017-16239 and also fixes a regression introduced in the original fix where rebuilds can fail based on the scheduler filters that are run, e.g. the ComputeFilter will fail a rebuild if the instance is running on a disabled compute, or the CoreFilter can fail if the rebuild is on a host that is at capacity for vcpu usage. This fix will need to be backported through to stable/newton upstream and it supersedes the original fix for CVE-2017-16239.

2. https://review.openstack.org/#/c/521662/ - fixes the doubling allocations issue in Placement which is the potential DoS pointed out in *this* bug. I haven't linked the bug or added a release note to it, but this is potentially a new CVE, or an errata on the original (I'm not sure about the process here). This fix gets backported through to stable/pike upstream.

3. https://review.openstack.org/#/c/521391/ - fixes a regression introduced with the original fix for CVE-2017-16239 where all volume-backed instances are run through the scheduler during a rebuild, regardless of the image changing. This will need to be backported through to stable/newton upstream. This is more or less a companion to the fix in #1.

--

At this point, what do we do to move forward? Do we need to create a new CVE for #2? Or do these all just get lumped in as errata on the original CVE?