Your message dated Thu, 21 Aug 2025 08:51:58 +0000
with message-id <[email protected]>
and subject line Bug#1111692: fixed in watcher 14.0.0-3
has caused the Debian Bug report #1111692,
regarding OSSN-0094: Ensuring Volume Safety with Nova and Watcher
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1111692: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1111692
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: nova
Version: 2:31.0.0-6
Severity: important
Tags: patch
This is a copy from the openstack-announce message.
OSSN-0094: Ensuring Volume Safety with Nova and Watcher
== Summary ==
A vulnerability has been identified in OpenStack Nova and OpenStack Watcher
in conjunction with volume swap operations performed by the Watcher service.
Under specific circumstances, this can lead to a situation where two Nova
libvirt instances could reference the same block device, allowing accidental
information disclosure to the unauthorized instance.
== Affected Services / Software ==
Services: Nova, Watcher
Releases: all supported releases
== Discussion ==
The issue occurs when Watcher's zone migration strategy performs the following
sequence of events:
1. Watcher initiates a volume swap using Nova's internal-only volume swap API.
2. Watcher initiates a live migration of the same instance.
3. In some error cases, the connection details may have failed to update the
storage references; these invalid details are then used during the live migration.
=== Required Access ===
The swap volume, live migration and all Watcher APIs are admin only, so with the
default policy it is only possible to create the inconsistent state described in
this OSSN if you have admin rights on the relevant OpenStack project.
=== Further Watcher Hardening ===
The Watcher service, when first created, often implemented its own means
to perform operations. Many of those operations can now be done natively
via other OpenStack services. In the specific context of OSSN-0094,
the ability to migrate Cinder volumes between storage backends is such an
example.
Additionally, the Cinder volume migration in Watcher created a new Keystone
user with the admin role assigned for the instance owners' project and then
used that user to perform API requests on behalf of the project. This code
has been removed.
Finally, due to limited error handling and no validation that the objects
involved were migrated properly, some error scenarios could have led to
a source volume being deleted despite not having been migrated properly.
=== Resolution ===
Nova will now reject any request to swap a volume that has an empty migration
status, effectively restricting the usage of this API to Cinder. This brings
the API validation in line with the documentation.
Watcher's internal implementation of swap volume has been deleted and replaced
with Cinder's native volume migration. Watcher no longer creates temporary
Keystone users in normal operation.
=== Patches ===
Patches for Nova and Watcher have been backported to all supported stable
branches and committed to master branch.
stable/2025.1:
* Watcher: https://review.opendev.org/c/openstack/watcher/+/957770
* Nova: https://review.opendev.org/c/openstack/nova/+/957759
stable/2024.2:
* Watcher: https://review.opendev.org/c/openstack/watcher/+/957773
* Nova: https://review.opendev.org/c/openstack/nova/+/957762
stable/2024.1:
* Watcher: https://review.opendev.org/c/openstack/watcher/+/957774
* Nova: https://review.opendev.org/c/openstack/nova/+/957764
== Recommended Actions ==
* Operators using Watcher's zone migration strategy should apply the provided
Watcher and Nova patches as soon as possible.
* Operators should refrain from using the swap volume migration action in
Watcher. The compatibility code for swap volume that uses a Cinder-based
migration may be removed in a future API version.
* Operators should audit all users with the admin role and ensure no temporary
Watcher-created users remain.
* Operators using custom policy for the volume attachment API
("/servers/{server_id}/os-volume_attachments/{volume_id}") or the live
migration API should review the state of existing instances which have had
volume migrations. Any instance in an inconsistent state can be resolved by
hard rebooting the instance using Nova's API.
== Contacts / References ==
* Author: Sean Mooney <[email protected]>, Jay Faulkner <[email protected]>
* This OSSN: https://wiki.openstack.org/wiki/OSSN/OSSN-0094
* Original LaunchPad Bug: https://bugs.launchpad.net/nova/+bug/2112187
* Mailing List: [Security] tag on [email protected]
* OpenStack Security Project: https://launchpad.net/~openstack-ossg
* CVE: None
_______________________________________________
OpenStack-announce mailing list -- [email protected]
--- End Message ---
--- Begin Message ---
Source: watcher
Source-Version: 14.0.0-3
Done: Thomas Goirand <[email protected]>
We believe that the bug you reported is fixed in the latest version of
watcher, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Thomas Goirand <[email protected]> (supplier of updated watcher package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
Format: 1.8
Date: Thu, 21 Aug 2025 10:27:37 +0200
Source: watcher
Architecture: source
Version: 14.0.0-3
Distribution: unstable
Urgency: high
Maintainer: Debian OpenStack <[email protected]>
Changed-By: Thomas Goirand <[email protected]>
Closes: 1111692
Changes:
watcher (14.0.0-3) unstable; urgency=high
.
* A vulnerability has been identified in OpenStack Nova and OpenStack Watcher
in conjunction with volume swap operations performed by the Watcher
service. Under specific circumstances, this can lead to a situation where
two Nova libvirt instances could reference the same block device, allowing
accidental information disclosure to the unauthorized instance. Added
upstream patch: OSSN-0094_use_cinder_migrate_for_swap_volume.patch.
(Closes: #1111692).
--- End Message ---