** No longer affects: nova/diablo

** No longer affects: nova/essex

https://bugs.launchpad.net/bugs/1069904

Title:
  [OSSA 2013-001] No authentication on block device used for os-volume_boot

Status in OpenStack Compute (Nova):
  Fix Released
Status in OpenStack Compute (nova) folsom series:
  Fix Released
Status in OpenStack Security Advisories:
  Fix Released
Status in “nova” package in Debian:
  Fix Released

Bug description:
  We found this problem in our Diablo code base - I think by inspection
  it's still valid in upstream as well, but a bit harder to check as the
  code has changed (BootFromVolumeController no longer exists, and
  os-volume_boot now just inherits from the servers API). Filing anyway
  as it's pretty serious, in the hope that someone can verify or dismiss
  it.

  Boot from volume allows a volume to be passed to the create method via
  the block_device_mapping parameter. This parameter is not validated as
  having to be a volume belonging to the user creating the instance, so
  providing I know the valid ID of a volume belonging to another user I
  can create a VM and gain access to that volume (cf. volume attachment,
  which does make explicit checks for both the ownership and status of a
  volume).

  The volume ownership and status should be explicitly checked in the
  compute.api layer.
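
The check the report asks for, sketched as an added example (not nova code and not the fix that was released): every volume named in block_device_mapping is validated for ownership and status before an instance is created. The Volume class, the VOLUMES table, check_block_device_mapping and all IDs are hypothetical and constructed for illustration.

```python
# Added illustration; not nova code. All names and data are hypothetical.
from dataclasses import dataclass


class VolumeCheckError(Exception):
    """Raised when a requested volume may not be used by the caller."""


@dataclass(frozen=True)
class Volume:
    id: str
    project_id: str  # owning tenant
    status: str      # e.g. "available", "in-use"


# Constructed sample data standing in for the volume service.
VOLUMES = {
    "vol-a": Volume("vol-a", "tenant-1", "available"),
    "vol-b": Volume("vol-b", "tenant-2", "available"),
    "vol-c": Volume("vol-c", "tenant-1", "in-use"),
}


def check_block_device_mapping(caller_project_id, block_device_mapping,
                               volumes=VOLUMES):
    """Return the volumes to attach, or raise before any instance is built."""
    approved = []
    for bdm in block_device_mapping:
        volume_id = bdm.get("volume_id")
        if volume_id is None:
            continue  # not a volume-backed device in this simplified model
        volume = volumes.get(volume_id)
        # Same error for "missing" and "not yours", so the response does
        # not confirm that another tenant's volume ID exists.
        if volume is None or volume.project_id != caller_project_id:
            raise VolumeCheckError(f"volume {volume_id} could not be found")
        # Status check, as the attach path already does per the report.
        if volume.status != "available":
            raise VolumeCheckError(f"volume {volume_id} is not available")
        approved.append(volume)
    return approved
```

The whole mapping is validated before anything is returned, so one bad entry rejects the request instead of leaving a partially built instance.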

