CVE-2017-17051
Published: 5 December 2017
An issue was discovered in the default FilterScheduler in OpenStack Nova 16.0.3. By repeatedly rebuilding an instance with new images, an authenticated user may consume untracked resources on a hypervisor host leading to a denial of service, aka doubled resource allocations. This regression was introduced with the fix for OSSA-2017-005 (CVE-2017-16239); however, only Nova stable/pike or later deployments with that fix applied and relying on the default FilterScheduler are affected.
Notes
Author | Note |
---|---|
mdeslaur | only affects pike and later |
Priority
Status
Package | Release | Status |
---|---|---|
nova Launchpad, Ubuntu, Debian | artful | Released (2:16.1.2-0ubuntu1) |
nova | bionic | Not vulnerable (2:17.0.0~rc2-0ubuntu1) |
nova | trusty | Does not exist (trusty was not-affected [code not present]) |
nova | upstream | Needs triage |
nova | xenial | Not vulnerable (code not present) |
nova | zesty | Ignored (end of life) |

Patches:
upstream: https://review.openstack.org/521662 (queens)
upstream: https://review.openstack.org/523214 (pike)
Severity score breakdown
Parameter | Value |
---|---|
Base score | 8.6 |
Attack vector | Network |
Attack complexity | Low |
Privileges required | None |
User interaction | None |
Scope | Changed |
Confidentiality | None |
Integrity impact | None |
Availability impact | High |
Vector | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H |