osdir.com

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Openstack-security] [Bug 1742102] Re: Simple user can disable compute


On discussing with Dan Smith, the related denial of service condition
described in this report has been a known risk since the introduction of
the feature and generally falls below the threshold for broad
publication in an advisory. The related fixes merged back as far as
stable/pike will mitigate it (or can be tuned to greater extremes to do
so if necessary) and are accompanied by a security release note. Since
this report is already public, I'm going to mark this as a security
hardening opportunity (class D in our VMT report taxonomy[*]) with no
OSSA task needed. If there is a strong objection that an advisory is
needed, then we can revisit publishing one.

[*] https://security.openstack.org/vmt-process.html#incident-report-
taxonomy

** Information type changed from Public Security to Public

** Changed in: ossa
       Status: Incomplete => Won't Fix

** Tags added: security

-- 
You received this bug notification because you are a member of OpenStack
Security SIG, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1742102

Title:
  Simple user can disable compute

Status in OpenStack Compute (nova):
  In Progress
Status in OpenStack Compute (nova) pike series:
  New
Status in OpenStack Compute (nova) queens series:
  New
Status in OpenStack Security Advisory:
  Won't Fix

Bug description:
  Hi,

  When I tested a fresh deploy of Pike, I created a private network with
  a little subnet like /28. If you try to create a lot of new instances,
  nova failed because which doesn't have free IP for the creation of new
  instances.

  The fail trace is  https://thepasteb.in/p/zmh8qDG2ZYJIZ

  So after that, the trigger consecutive_build_service_disable_threshold
  up to 10 very fast and computes are disable.

To manage notifications about this bug go to:
https://bugs.launchpad.net/nova/+bug/1742102/+subscriptions