Matt: Please proceed with 521186 and its associated backports; we'll send announcements with the OSSA-2017-005/CVE-2017-16239 errata once those merge. As for 521662 I'd like to include (a link to) the stable/pike backport in a pre-OSSA once it's ready. Assuming we have a viable backport for this bug within the next couple days, I'd like to propose 15:00 UTC on Tuesday, December 5 as the disclosure date/time.
Here's my proposed impact description for this bug (which I'll use to request a new CVE for the denial of service vulnerability if accurate):
Title: Nova ResourceTracker misses rebuilt resources with new images
Reporter: Matt Riedemann (Huawei)
Products: Nova
Affects: 16.0.3
Description:
Matt Riedemann from Huawei reported a vulnerability in OpenStack Nova's default FilterScheduler. By repeatedly rebuilding an instance with new images, an authenticated user may consume untracked resources on a hypervisor host leading to a denial of service. This regression was introduced with the fix for OSSA-2017-005 (CVE-2017-16239), so only Nova stable/pike or later deployments with that fix applied and relying on the default FilterScheduler are affected.
Matt: Please proceed with 521186 and its associated backports; we'll send announcements with the OSSA-2017- 005/CVE- 2017-16239 errata once those merge. As for 521662 I'd like to include (a link to) the stable/pike backport in a pre-OSSA once it's ready. Assuming we have a viable backport for this bug within the next couple days, I'd like to propose 15:00 UTC on Tuesday, December 5 as the disclosure date/time.
Here's my proposed impact description for this bug (which I'll use to request a new CVE for the denial of service vulnerability if accurate):
Title: Nova ResourceTracker misses rebuilt resources with new images
Reporter: Matt Riedemann (Huawei)
Products: Nova
Affects: 16.0.3
Description:
Matt Riedemann from Huawei reported a vulnerability in OpenStack Nova's default FilterScheduler. By repeatedly rebuilding an instance with new images, an authenticated user may consume untracked resources on a hypervisor host leading to a denial of service. This regression was introduced with the fix for OSSA-2017-005 (CVE-2017-16239), so only Nova stable/pike or later deployments with that fix applied and relying on the default FilterScheduler are affected.