Your message dated Fri, 12 May 2023 07:34:48 +0000
with message-id <e1pxnie-00d9rj...@fasolo.debian.org>
and subject line Bug#1035978: fixed in python-glance-store 4.1.0-4
has caused the Debian Bug report #1035978,
regarding CVE-2023-2088: Unauthorized volume access through deleted volume 
attachments
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1035978: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1035978
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: python3-glance-store
Version: 4.3.0-1
Severity: grave
Tags: patch

============================================================================
OSSA-2023-003: Unauthorized volume access through deleted volume attachments
============================================================================

:Date: May 10, 2023
:CVE: CVE-2023-2088


Affects
~~~~~~~
- Cinder: <20.2.1, >=21.0.0 <21.2.1, ==22.0.0
- Glance_store: <3.0.1, >=4.0.0 <4.1.1, >=4.2.0 <4.3.1
- Nova: <25.1.2, >=26.0.0 <26.1.2, ==27.0.0
- Os-brick: <5.2.3, >=6.0.0 <6.1.1, >=6.2.0 <6.2.2


Description
~~~~~~~~~~~
An unauthorized access to a volume could occur when an iSCSI or FC
connection from a host is severed due to a volume being unmapped on
the storage system and the device is later reused for another volume
on the same host.

**Scope:** Only deployments with iSCSI or FC volumes are affected.
However, the fix for this issue includes a configuration change in
Nova and Cinder that may impact you on your next upgrade regardless
of what backend storage technology you use. See the *Configuration
change* section below, and item 4(B) in the *Patches and Associated
Deployment Changes* for details.

This data leak can be triggered by two different situations.

**Accidental case:** If there is a problem with network connectivity
during a normal detach operation, OpenStack may fail to clean the
situation up properly. Instead of force-detaching the compute node
device, Nova ignores the error, assuming the instance has already
been deleted. Due to this incomplete operation OpenStack may end up
selecting the wrong multipath device when connecting another volume
to an instance.

**Intentional case:** A regular user can create an instance with a
volume, and then delete the volume attachment directly in Cinder,
which neglects to notify Nova. The compute node SCSI plumbing (over
iSCSI/FC) will continue trying to connect to the original
host/port/LUN, not knowing the attachment has been deleted. If a
subsequent volume attachment re-uses the host/port/LUN for a
different instance and volume, the original instance will gain
access to it once the SCSI plumbing reconnects.

Configuration Change
--------------------
To prevent the intentional case, the Block Storage API provided by
Cinder must only accept attachment delete requests from Nova for
instance-attached volumes. A complicating factor is that Nova
deletes an attachment by making a call to the Block Storage API on
behalf of the user (that is, by passing the user's token), which
makes the request indistinguishable from the user making this
request directly. The solution is to have Nova include a service
token along with the user's token so that Cinder can determine that
the detach request is coming from Nova. The ability for Nova to pass
a service token has been supported since Ocata, but has not been
required until now. Thus, deployments that are not currently sending
service user credentials from Nova will need to apply the relevant
code changes and also make configuration changes to solve the
problem.

Patches and Associated Deployment Changes
-----------------------------------------
Given the above analysis, a thorough fix must include the following
elements:

1. The os-brick library must implement the ``force`` option for
   fibre channel, which has only been available for iSCSI
   until now (covered by the linked patches).

2. Nova must call os-brick with the ``force`` option when
   disconnecting volumes from deleted instances (covered by the
   linked patches).

3. In deployments where Glance uses the cinder glance_store driver,
   glance must call os-brick with the ``force`` option when
   disconnecting volumes (covered by the linked patches).

4. Cinder must distinguish between safe and unsafe attachment delete
   requests and reject the unsafe ones. This part of the fix has two
   components:

   a. The Block Storage API will return a 409 (Conflict) for a
      request to delete an attachment if there is an instance
      currently using the attachment, **unless** the request is
      being made by a service (for example, Nova) on behalf of a
      user (covered by the linked patches).

   b. In order to recognize that a request is being made by a
      service on behalf of a user, Nova must be configured to send a
      service token along with the user token. If this configuration
      change is not made, the cinder change will reject **any**
      request to delete an attachment associated with a volume that
      is attached to an instance. Nova must be configured to send a
      service token to Cinder, and Cinder must be configured to
      accept service tokens. This is described in the following
      document and **IS NOT AUTOMATICALLY APPLIED BY THE LINKED
      PATCHES:** (Using service tokens to prevent long-running job
      failures)
      
      https://docs.openstack.org/cinder/latest/configuration/block-storage/service-token.html
      The Nova patch mentioned in step 2 includes a similar document
      more focused on Nova:
      doc/source/admin/configuration/service-user-token.rst

5. The cinder glance_store driver does not attach volumes to
   instances; instead, it attaches volumes directly to the Glance
   node. Thus, the Cinder change in step 4 will recognize an
   attachment-delete request coming from Glance as safe and allow
   it. (Of course, we expect that you will have applied the patches
   in steps 1 and 3 to your Glance nodes.)




Errata
~~~~~~
An additional nova patch is required to fix a minor regression in periodic 
tasks and some nova-manage actions (errata 1). Also a patch to tempest is 
needed to account for behavior changes with fixes in place (errata 2).



Patches
~~~~~~~
- https://review.opendev.org/882836 (2023.1/antelope cinder)
- https://review.opendev.org/882851 (2023.1/antelope glance_store)
- https://review.opendev.org/882858 (2023.1/antelope nova)
- https://review.opendev.org/882859 (2023.1/antelope nova errata 1)
- https://review.opendev.org/882843 (2023.1/antelope os-brick)
- https://review.opendev.org/882835 (2023.2/bobcat cinder)
- https://review.opendev.org/882834 (2023.2/bobcat glance_store)
- https://review.opendev.org/882847 (2023.2/bobcat nova)
- https://review.opendev.org/882852 (2023.2/bobcat nova errata 1)
- https://review.opendev.org/882840 (2023.2/bobcat os-brick)
- https://review.opendev.org/882876 (2023.2/bobcat tempest errata 2)
- https://review.opendev.org/882869 (Wallaby nova)
- https://review.opendev.org/882870 (Wallaby nova errata 1)
- https://review.opendev.org/882839 (Xena cinder)
- https://review.opendev.org/882855 (Xena glance_store)
- https://review.opendev.org/882867 (Xena nova)
- https://review.opendev.org/882868 (Xena nova errata 1)
- https://review.opendev.org/882848 (Xena os-brick)
- https://review.opendev.org/882838 (Yoga cinder)
- https://review.opendev.org/882854 (Yoga glance_store)
- https://review.opendev.org/882863 (Yoga nova)
- https://review.opendev.org/882864 (Yoga nova errata 1)
- https://review.opendev.org/882846 (Yoga os-brick)
- https://review.opendev.org/882837 (Zed cinder)
- https://review.opendev.org/882853 (Zed glance_store)
- https://review.opendev.org/882860 (Zed nova)
- https://review.opendev.org/882861 (Zed nova errata 1)
- https://review.opendev.org/882844 (Zed os-brick)


Credits
~~~~~~~
- Jan Wasilewski from Atman (CVE-2023-2088)
- Gorka Eguileor from Red Hat (CVE-2023-2088)


References
~~~~~~~~~~
- https://launchpad.net/bugs/2004555
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-2088


Notes
~~~~~
- Limited Protection Against Accidents... If you are only concerned with
  protecting against the accidental case described earlier in this document,
  steps 1-3 above should be sufficient. Note, however, that only applying steps
  1-3 leaves your cloud wide open to the intentional exploitation of this
  vulnerability. Therefore, we recommend that the full fix be applied to all
  deployments.
- Using Configuration as a Short-Term Mitigation... An alternative approach to
  mitigation can be found in OSSN-0092
  https://wiki.openstack.org/wiki/OSSN/OSSN-0092
- The stable/xena and stable/wallaby branches are under extended maintenance
  and will receive no new point releases, but patches for them are provided as
  a courtesy where available.

--- End Message ---
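The attachment-delete gate that step 4 of the advisory describes, written out as a stand-alone illustration. This is an added example, not Cinder's code: the record layout, the role name "service", the function names and the sample attachments are assumptions. In a real deployment keystonemiddleware validates the X-Service-Token header that Nova sends alongside the user's X-Auth-Token and exposes the service token's roles to the API; the example models that as a `service_roles` list on the request context. The vulnerable pre-fix behaviour is kept beside the hardened version so the intentional case (a user deleting an in-use attachment directly, without Nova ever learning of it) can be seen failing in one and being refused with 409 in the other, while the host attachment used by Glance's cinder store (step 5) stays deletable.

```python
"""Attachment-delete gate from step 4 of OSSA-2023-003 (added example,
not Cinder's implementation).  Record layout, role name and function
names are assumptions made for this illustration.

Pre-fix: anyone who may act on the volume can delete its attachment,
even while an instance is using it, and Nova is never notified.
Post-fix: the Block Storage API refuses with 409 unless the call comes
from a service (Nova) that also presents a service token, or the
attachment is a host attachment (Glance's cinder store) with no
instance behind it.
"""
from dataclasses import dataclass, field
from typing import List, Optional

SERVICE_ROLE = "service"  # assumed role held by service users such as nova


@dataclass
class Attachment:
    id: str
    volume_id: str
    # None for a host attachment (e.g. the Glance node); set when an
    # instance on a compute node is using the volume.
    instance_uuid: Optional[str]


@dataclass
class RequestContext:
    """Roughly what the API sees after keystonemiddleware: roles from the
    user token, plus roles from a validated service token if one was sent."""
    user_id: str
    roles: List[str]
    service_roles: List[str] = field(default_factory=list)


class Conflict(Exception):
    """Stand-in for the HTTP 409 the patched Block Storage API returns."""
    status = 409


def delete_allowed_pre_fix(attachment: Attachment, ctx: RequestContext) -> bool:
    """Vulnerable behaviour: the owner may always delete the attachment.
    The compute node's iSCSI/FC session is left up and will latch onto
    whatever volume later lands on the same host/port/LUN."""
    return True


def delete_allowed_post_fix(attachment: Attachment, ctx: RequestContext) -> bool:
    """Fixed behaviour: reject the unsafe (intentional) case, keep the safe ones."""
    # Step 5: Glance's cinder store attaches to the Glance host, not an
    # instance, so no compute node is left holding the device.
    if attachment.instance_uuid is None:
        return True
    # Step 4b: only a request carrying a valid service token (Nova acting
    # for the user) may drop an instance attachment, because Nova will also
    # force-disconnect the device on the compute node.
    if SERVICE_ROLE in ctx.service_roles:
        return True
    raise Conflict(
        f"attachment {attachment.id} is in use by instance "
        f"{attachment.instance_uuid}; detach it through Nova"
    )


def attempt(gate, attachment: Attachment, ctx: RequestContext) -> str:
    """Run one gate and report 'allowed' or the HTTP status it would produce."""
    try:
        gate(attachment, ctx)
        return "allowed"
    except Conflict as exc:
        return str(exc.status)


# Constructed sample data covering the situations in the advisory.
INSTANCE_ATTACH = Attachment("att-1", "vol-1", instance_uuid="inst-1")
HOST_ATTACH = Attachment("att-2", "vol-2", instance_uuid=None)  # glance store
USER_DIRECT = RequestContext("alice", roles=["member"])  # user token only
NOVA_FOR_USER = RequestContext("alice", roles=["member"],
                               service_roles=[SERVICE_ROLE])  # user + service token
NOVA_UNCONFIGURED = RequestContext("alice", roles=["member"])  # Nova without [service_user]


def scenario_table() -> dict:
    """Outcome of each request against the old and the new gate."""
    return {
        "user_direct_pre_fix": attempt(delete_allowed_pre_fix, INSTANCE_ATTACH, USER_DIRECT),
        "user_direct_post_fix": attempt(delete_allowed_post_fix, INSTANCE_ATTACH, USER_DIRECT),
        "nova_with_service_token": attempt(delete_allowed_post_fix, INSTANCE_ATTACH, NOVA_FOR_USER),
        "nova_without_service_token": attempt(delete_allowed_post_fix, INSTANCE_ATTACH, NOVA_UNCONFIGURED),
        "glance_host_attachment": attempt(delete_allowed_post_fix, HOST_ATTACH, USER_DIRECT),
    }


if __name__ == "__main__":
    for name, outcome in scenario_table().items():
        print(f"{name:28s} -> {outcome}")
```

The `nova_without_service_token` row is the deployment trap the advisory's item 4(B) warns about: once the Cinder patch is in place, a Nova that has not been configured to send a service token is indistinguishable from the user and gets the same 409, so every detach of an in-use volume breaks until the configuration change is made.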
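The configuration change that item 4(B) says the patches do not apply for you, shown as an added example rather than text from the advisory or the linked documents. The option names are the standard nova.conf `[service_user]` and keystonemiddleware `[keystone_authtoken]` settings; the Keystone URL, user name, project and domain values are placeholders for this illustration and must match the service user that already exists in your deployment.

```ini
# nova.conf (every node running nova-api, nova-conductor or nova-compute)
# Send a service token together with the user's token on calls to Cinder.
[service_user]
send_service_user_token = true
auth_type = password
auth_url = https://keystone.example.com/v3    ; placeholder
username = nova                               ; existing nova service user
password = <nova-service-user-password>       ; placeholder
project_name = service
user_domain_name = Default
project_domain_name = Default

# cinder.conf (cinder-api nodes)
# Validate the X-Service-Token that Nova sends and require it to carry the
# service role; without this Cinder cannot tell Nova's detach from the user's.
[keystone_authtoken]
service_token_roles = service
service_token_roles_required = true
```

Apply the Nova side before, or at the same time as, the Cinder patch: with the patched Cinder in place and `send_service_user_token` still unset, every detach of a volume that is attached to an instance is rejected with 409, which is the failure mode item 4(B) describes.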
--- Begin Message ---
Source: python-glance-store
Source-Version: 4.1.0-4
Done: Thomas Goirand <z...@debian.org>

We believe that the bug you reported is fixed in the latest version of
python-glance-store, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1035...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Thomas Goirand <z...@debian.org> (supplier of updated python-glance-store 
package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Fri, 12 May 2023 08:52:34 +0200
Source: python-glance-store
Architecture: source
Version: 4.1.0-4
Distribution: unstable
Urgency: medium
Maintainer: Debian OpenStack <team+openst...@tracker.debian.org>
Changed-By: Thomas Goirand <z...@debian.org>
Closes: 1035978
Changes:
 python-glance-store (4.1.0-4) unstable; urgency=medium
 .
   * CVE-2023-2088: Unauthorized volume access through deleted volume
     attachments. Applied upstream patch: Add force to os-brick disconnect.
     (Closes: #1035978).
Checksums-Sha1:
 2e5871e3b819f4dfe196f00e04f1c86b2fef2e4c 3240 python-glance-store_4.1.0-4.dsc
 7b00803aceafac3833baa9e77199d134e80d31c4 8260 
python-glance-store_4.1.0-4.debian.tar.xz
 f60df206a55adc0ed575b960bd84fc547c1897f5 13777 
python-glance-store_4.1.0-4_amd64.buildinfo
Checksums-Sha256:
 b340c9b1bfec30ce60b99b03ff6167d491883d4a41df0f1071a57697722e3906 3240 
python-glance-store_4.1.0-4.dsc
 a99a158e9c76187060010b911487277cd288da6d46e6fd0b3ca5a5a1d05a63d1 8260 
python-glance-store_4.1.0-4.debian.tar.xz
 e0cdecbf6d1c3e0df8ed258a82ee80851eec50660c1b4f3a88ace0e349ba268e 13777 
python-glance-store_4.1.0-4_amd64.buildinfo
Files:
 6e09396d5c6b1c08fa031211a09f7cfb 3240 python optional 
python-glance-store_4.1.0-4.dsc
 41fc1f93e30dc1fd4c03b96a4842e462 8260 python optional 
python-glance-store_4.1.0-4.debian.tar.xz
 f866fd0a35041f652ae116b01d6c3258 13777 python optional 
python-glance-store_4.1.0-4_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEoLGp81CJVhMOekJc1BatFaxrQ/4FAmRd5aEACgkQ1BatFaxr
Q/55GQ//RryYSX6STMfw4ZJ2q/IP8fvKouZiODwDvLjqSF6Ib7I60SUFWw+bZESC
1q9nJYaxjU772FZvyFTX72lrYLFZUNRWfa/7shF+Q8/rtjoPdqygW3K3UULE3eLo
rutcJvM6/GM+MQudquMcfUaVIGbK/J5WZSOvKpm3EC1nAY1h1ov6wTh1alMhVqNT
3wmsuQOz/nWl1ltxQVDgJfxKkvN8nmZMNCT/ioIf5Qqu66zzlbjq1JUmpDFlXXUx
msDRoCjOSusJL1Ha/hk2PpBDdSxhHJdIuczZyqmZTl9YOMdO94ZLtivk2lC17iUZ
bhdzFtHoGENUIN2xOqhRtnOiNBeK6krfJMhCm23Rpy/wqb2SHzincn7MK1dojLUj
u1Bs7xu0CIsMJfxACygcJsf2viHK0SWXaj8VDVuixqLgCtzrjqANvkMsz8iClTs5
aRr/XjBtT9C+NEPoL4y8esh3Vnc7gbq+skVmJ7hWhqfvBVA/Q72NH77TtyEgwqyb
i8E0RgNiNY3pHmNCZERhm7QHMLqlo9tlU90NN/FTJ6nCc2iq6tL5BSA5x9SMtGiG
iuBt3KvEKhPi0CfxxK9tUbpuiwMjKwTVBD5O8qbUVFkAuRNn7TfmVzfD2/bJtNzC
UPQueTeAshqeAwMWNvUDPSw4kRpGKgTaFXVMpm4oomkiI2HzcL0=
=xDD0
-----END PGP SIGNATURE-----

--- End Message ---
