
[Openstack-security] [Bug 1742102] Re: Simple user can disable compute

On discussing with Dan Smith, the related denial of service condition
described in this report has been a known risk since the introduction of
the feature and generally falls below the threshold for broad
publication in an advisory. The related fixes merged back as far as
stable/pike will mitigate it (or can be tuned to greater extremes to do
so if necessary) and are accompanied by a security release note. Since
this report is already public, I'm going to mark this as a security
hardening opportunity (class D in our VMT report taxonomy[*]) with no
OSSA task needed. If there is a strong objection that an advisory is
needed, then we can revisit publishing one.


** Information type changed from Public Security to Public

** Changed in: ossa
       Status: Incomplete => Won't Fix

** Tags added: security


  Simple user can disable compute

Status in OpenStack Compute (nova):
  In Progress
Status in OpenStack Compute (nova) pike series:
Status in OpenStack Compute (nova) queens series:
Status in OpenStack Security Advisory:
  Won't Fix

Bug description:

  When I tested a fresh deploy of Pike, I created a private network with
  a little subnet like /28. If you try to create a lot of new instances,
  nova failed because which doesn't have free IP for the creation of new

  The fail trace is

  So after that, the trigger consecutive_build_service_disable_threshold
  goes up to 10 very fast and computes are disabled.
