Vulnerabilities > CVE-2017-16239 - Unspecified vulnerability in Openstack Nova

CVSS 6.5 - MEDIUM

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

LOW

Confidentiality impact

NONE

Integrity impact

HIGH

Availability impact

NONE

network

low complexity

openstack

nessus

NVD

Published: 2017-11-14

Updated: 2019-10-03

Summary

In OpenStack Nova through 14.0.9, 15.x through 15.0.7, and 16.x through 16.0.2, by rebuilding an instance, an authenticated user may be able to circumvent the Filter Scheduler bypassing imposed filters (for example, the ImagePropertiesFilter or the IsolatedHostsFilter). All setups using Nova Filter Scheduler are affected. Because of the regression described in Launchpad Bug #1732947, the preferred fix is a 14.x version after 14.0.10, a 15.x version after 15.0.8, or a 16.x version after 16.0.3.

Vulnerable Configurations

Part	Description	Count
Application	Openstack Openstack Nova 15.0.0 Openstack Nova 15.0.1 Openstack Nova 16.0.0 Openstack Nova 16.0.1 Openstack Nova 16.0.2 Openstack Nova 15.0.7 Openstack Nova 15.0.6 Openstack Nova 15.0.5 Openstack Nova 15.0.4 Openstack Nova 15.0.3 Openstack Nova 15.0.2 Openstack Nova - Openstack Nova 0.9.0 Openstack Nova 12.0.0 Openstack Nova 12.0.1 Openstack Nova 12.0.2 Openstack Nova 12.0.3 Openstack Nova 12.0.4 Openstack Nova 12.0.5 Openstack Nova 12.0.6 Openstack Nova 13.0.0 Openstack Nova 13.1.0 Openstack Nova 13.1.1 Openstack Nova 13.1.2 Openstack Nova 13.1.3 Openstack Nova 13.1.4 Openstack Nova 14.0.0 Openstack Nova 14.0.1 Openstack Nova 14.0.2 Openstack Nova 14.0.3 Openstack Nova 14.0.4 Openstack Nova 14.0.5 Openstack Nova 14.0.6 Openstack Nova 14.0.7 Openstack Nova 14.0.8 Openstack Nova 14.0.9	54

Nessus

NASL family	Debian Local Security Checks
NASL id	DEBIAN_DSA-4056.NASL
description	George Shuklin from servers.com discovered that Nova, a cloud computing fabric controller, did not correctly enforce its image- or hosts-filters. This allowed an authenticated user to bypass those filters by simply rebuilding an instance.
last seen	2020-06-01
modified	2020-06-02
plugin id	105088
published	2017-12-08
reporter	This script is Copyright (C) 2017-2018 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/105088
title	Debian DSA-4056-1 : nova - security update
code	# # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Debian Security Advisory DSA-4056. The text # itself is copyright (C) Software in the Public Interest, Inc. # include("compat.inc"); if (description) { script_id(105088); script_version("3.4"); script_cvs_date("Date: 2018/11/13 12:30:46"); script_cve_id("CVE-2017-16239"); script_xref(name:"DSA", value:"4056"); script_name(english:"Debian DSA-4056-1 : nova - security update"); script_summary(english:"Checks dpkg output for the updated package"); script_set_attribute( attribute:"synopsis", value:"The remote Debian host is missing a security-related update." ); script_set_attribute( attribute:"description", value: "George Shuklin from servers.com discovered that Nova, a cloud computing fabric controller, did not correctly enforce its image- or hosts-filters. This allowed an authenticated user to bypass those filters by simply rebuilding an instance." ); script_set_attribute( attribute:"see_also", value:"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=882009" ); script_set_attribute( attribute:"see_also", value:"https://security-tracker.debian.org/tracker/source-package/nova" ); script_set_attribute( attribute:"see_also", value:"https://packages.debian.org/source/stretch/nova" ); script_set_attribute( attribute:"see_also", value:"https://www.debian.org/security/2017/dsa-4056" ); script_set_attribute( attribute:"solution", value: "Upgrade the nova packages. For the stable distribution (stretch), this problem has been fixed in version 2:14.0.0-4+deb9u1." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:S/C:N/I:P/A:N"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:nova"); script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:9.0"); script_set_attribute(attribute:"patch_publication_date", value:"2017/12/07"); script_set_attribute(attribute:"plugin_publication_date", value:"2017/12/08"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2017-2018 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"Debian Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l"); exit(0); } include("audit.inc"); include("debian_package.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian"); if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING); flag = 0; if (deb_check(release:"9.0", prefix:"nova-api", reference:"2:14.0.0-4+deb9u1")) flag++; if (deb_check(release:"9.0", prefix:"nova-cells", reference:"2:14.0.0-4+deb9u1")) flag++; if (deb_check(release:"9.0", prefix:"nova-cert", reference:"2:14.0.0-4+deb9u1")) flag++; if (deb_check(release:"9.0", prefix:"nova-common", reference:"2:14.0.0-4+deb9u1")) flag++; if (deb_check(release:"9.0", prefix:"nova-compute", reference:"2:14.0.0-4+deb9u1")) flag++; if (deb_check(release:"9.0", prefix:"nova-compute-ironic", reference:"2:14.0.0-4+deb9u1")) flag++; if (deb_check(release:"9.0", prefix:"nova-compute-kvm", reference:"2:14.0.0-4+deb9u1")) flag++; if (deb_check(release:"9.0", prefix:"nova-compute-lxc", reference:"2:14.0.0-4+deb9u1")) flag++; if (deb_check(release:"9.0", prefix:"nova-compute-qemu", reference:"2:14.0.0-4+deb9u1")) flag++; if (deb_check(release:"9.0", prefix:"nova-conductor", reference:"2:14.0.0-4+deb9u1")) flag++; if (deb_check(release:"9.0", prefix:"nova-console", reference:"2:14.0.0-4+deb9u1")) flag++; if (deb_check(release:"9.0", prefix:"nova-consoleauth", reference:"2:14.0.0-4+deb9u1")) flag++; if (deb_check(release:"9.0", prefix:"nova-consoleproxy", reference:"2:14.0.0-4+deb9u1")) flag++; if (deb_check(release:"9.0", prefix:"nova-doc", reference:"2:14.0.0-4+deb9u1")) flag++; if (deb_check(release:"9.0", prefix:"nova-network", reference:"2:14.0.0-4+deb9u1")) flag++; if (deb_check(release:"9.0", prefix:"nova-placement-api", reference:"2:14.0.0-4+deb9u1")) flag++; if (deb_check(release:"9.0", prefix:"nova-scheduler", reference:"2:14.0.0-4+deb9u1")) flag++; if (deb_check(release:"9.0", prefix:"nova-volume", reference:"2:14.0.0-4+deb9u1")) flag++; if (deb_check(release:"9.0", prefix:"python-nova", reference:"2:14.0.0-4+deb9u1")) flag++; if (flag) { if (report_verbosity > 0) security_warning(port:0, extra:deb_report_get()); else security_warning(0); exit(0); } else audit(AUDIT_HOST_NOT, "affected");

Redhat

advisories

rhsa
id RHSA-2018:0241
rhsa
id RHSA-2018:0314
rhsa
id RHSA-2018:0369

rpms

openstack-nova-1:16.0.2-9.el7ost
openstack-nova-api-1:16.0.2-9.el7ost
openstack-nova-cells-1:16.0.2-9.el7ost
openstack-nova-common-1:16.0.2-9.el7ost
openstack-nova-compute-1:16.0.2-9.el7ost
openstack-nova-conductor-1:16.0.2-9.el7ost
openstack-nova-console-1:16.0.2-9.el7ost
openstack-nova-migration-1:16.0.2-9.el7ost
openstack-nova-network-1:16.0.2-9.el7ost
openstack-nova-novncproxy-1:16.0.2-9.el7ost
openstack-nova-placement-api-1:16.0.2-9.el7ost
openstack-nova-scheduler-1:16.0.2-9.el7ost
openstack-nova-serialproxy-1:16.0.2-9.el7ost
openstack-nova-spicehtml5proxy-1:16.0.2-9.el7ost
python-nova-1:16.0.2-9.el7ost
python-nova-tests-1:16.0.2-9.el7ost
openstack-nova-1:15.0.8-5.el7ost
openstack-nova-api-1:15.0.8-5.el7ost
openstack-nova-cells-1:15.0.8-5.el7ost
openstack-nova-cert-1:15.0.8-5.el7ost
openstack-nova-common-1:15.0.8-5.el7ost
openstack-nova-compute-1:15.0.8-5.el7ost
openstack-nova-conductor-1:15.0.8-5.el7ost
openstack-nova-console-1:15.0.8-5.el7ost
openstack-nova-migration-1:15.0.8-5.el7ost
openstack-nova-network-1:15.0.8-5.el7ost
openstack-nova-novncproxy-1:15.0.8-5.el7ost
openstack-nova-placement-api-1:15.0.8-5.el7ost
openstack-nova-scheduler-1:15.0.8-5.el7ost
openstack-nova-serialproxy-1:15.0.8-5.el7ost
openstack-nova-spicehtml5proxy-1:15.0.8-5.el7ost
python-nova-1:15.0.8-5.el7ost
python-nova-tests-1:15.0.8-5.el7ost
openstack-nova-1:14.1.0-3.el7ost
openstack-nova-api-1:14.1.0-3.el7ost
openstack-nova-cells-1:14.1.0-3.el7ost
openstack-nova-cert-1:14.1.0-3.el7ost
openstack-nova-common-1:14.1.0-3.el7ost
openstack-nova-compute-1:14.1.0-3.el7ost
openstack-nova-conductor-1:14.1.0-3.el7ost
openstack-nova-console-1:14.1.0-3.el7ost
openstack-nova-migration-1:14.1.0-3.el7ost
openstack-nova-network-1:14.1.0-3.el7ost
openstack-nova-novncproxy-1:14.1.0-3.el7ost
openstack-nova-placement-api-1:14.1.0-3.el7ost
openstack-nova-scheduler-1:14.1.0-3.el7ost
openstack-nova-serialproxy-1:14.1.0-3.el7ost
openstack-nova-spicehtml5proxy-1:14.1.0-3.el7ost
python-nova-1:14.1.0-3.el7ost
python-nova-tests-1:14.1.0-3.el7ost
python-novaclient-1:6.0.2-2.el7ost

Summary

Vulnerable Configurations

Nessus

Redhat

References