** Changed in: nova
Status: Fix Committed => Fix Released
** Changed in: nova
Milestone: None => juno-3
https://bugs.launchpad.net/bugs/1276862
Title:
Nova libvirt driver live migration should sanitize target host
Status in OpenStack Compute (Nova):
Fix Released
Status in OpenStack Security Advisories:
Invalid
Bug description:
In nova, an administrator can specify the target host for a libvirt
live migrate action.
This host is formatted into a base string (default="qemu+tcp://%s/system")
https://github.com/openstack/nova/blob/744fa6b7b88b131e0b9f5a1eca88b14a7351b540/nova/virt/libvirt/driver.py#L158
and then passed directly to libvirt as a target URI:
https://github.com/openstack/nova/blob/744fa6b7b88b131e0b9f5a1eca88b14a7351b540/nova/virt/libvirt/driver.py#L4270
dom.migrateToURI(CONF.libvirt.live_migration_uri % dest,
The host does not appear to be validated, stripped, or otherwise checked to
make sure that the value is reasonable. This allows an admin to attempt to
migrate an instance out of a cloud (which may or may not be a security issue).
Much more importantly, libvirt's URI format accepts many parameters in this
URI, some of which allow execution of arbitrary commands at the same privilege
level as libvirt.
http://libvirt.org/remote.html#Remote_URI_reference
Due to later checks it does not appear to be exploitable, but it
should nevertheless be fixed to avoid future issues.
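
Added example (not part of the bug report and not nova's own code): one way to allow-list the destination before it is formatted into the URI template quoted above, so that only a plain hostname or IP address can ever reach the libvirt call. The names normalize_dest, build_migration_uri and InvalidMigrationTarget are hypothetical.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Default template quoted in the bug description.
LIVE_MIGRATION_URI = "qemu+tcp://%s/system"
# One RFC 1123 hostname label: letters, digits, hyphen, no edge hyphen.
_LABEL = re.compile(r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)")


class InvalidMigrationTarget(ValueError):
    """Destination is not a plain hostname or IP address."""


def normalize_dest(dest):
    """Return dest in URI-host form, or raise InvalidMigrationTarget."""
    # "%" is refused up front so IPv6 zone ids and escapes never get through.
    if not isinstance(dest, str) or not dest or len(dest) > 253 or "%" in dest:
        raise InvalidMigrationTarget(repr(dest))
    try:
        ip = ipaddress.ip_address(dest)
    except ValueError:
        ip = None
    if ip is not None:
        # IPv6 literals must be bracketed inside a URI authority.
        return "[%s]" % ip if ip.version == 6 else str(ip)
    # fullmatch (not match with "$") so a trailing newline is not accepted.
    if all(_LABEL.fullmatch(label) for label in dest.split(".")):
        return dest.lower()
    raise InvalidMigrationTarget(repr(dest))


def build_migration_uri(dest, template=LIVE_MIGRATION_URI):
    """Format dest into template only after it passes the allow-list."""
    host = normalize_dest(dest)
    uri = template % host
    # Defence in depth: substitution must change nothing but the host part.
    want, got = urlsplit(template % "placeholder"), urlsplit(uri)
    same = (got.scheme, got.path, got.query, got.fragment) == (
        want.scheme, want.path, want.query, want.fragment)
    if not same or got.hostname != host.strip("[]") or got.username or got.port:
        raise InvalidMigrationTarget(repr(dest))
    return uri
```

The allow-list approach means path, query, user-info and port components are refused by construction rather than by enumerating dangerous URI parameters.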