CVE-2017-16239
First published: Wed Nov 01 2017(Updated: )
By rebuilding an instance, an authenticated user may be able to circumvent the Filter Scheduler bypassing imposed filters (for example, the ImagePropertiesFilter or the IsolatedHostsFilter). All setups using Nova Filter Scheduler are affected. Affected versions: <=14.0.9, >=15.0.0 <=15.0.7, >=16.0.0 <=16.0.2 Bug report: <a href="https://launchpad.net/bugs/1664931">https://launchpad.net/bugs/1664931</a>
Credit: cve@mitre.org cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| OpenStack Nova | <=14.0.9 | |
| OpenStack Nova | =15.0.0 | |
| OpenStack Nova | =15.0.1 | |
| OpenStack Nova | =15.0.2 | |
| OpenStack Nova | =15.0.3 | |
| OpenStack Nova | =15.0.4 | |
| OpenStack Nova | =15.0.5 | |
| OpenStack Nova | =15.0.6 | |
| OpenStack Nova | =15.0.7 | |
| OpenStack Nova | =16.0.0 | |
| OpenStack Nova | =16.0.1 | |
| OpenStack Nova | =16.0.2 | |
| debian/nova | 2:18.1.0-6 2:18.1.0-6+deb10u2 2:22.0.1-2+deb11u1 2:26.1.0-4 2:28.0.0-2 | |
| pip/nova | >=14.0.0<14.0.10 | 14.0.10 |
| pip/nova | >=15.0.0<15.0.8 | 15.0.8 |
| pip/nova | >=16.0.0<16.0.3 | 16.0.3 |
| <=14.0.9 | ||
| =15.0.0 | ||
| =15.0.1 | ||
| =15.0.2 | ||
| =15.0.3 | ||
| =15.0.4 | ||
| =15.0.5 | ||
| =15.0.6 | ||
| =15.0.7 | ||
| =16.0.0 | ||
| =16.0.1 | ||
| =16.0.2 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://security-tracker.debian.org/tracker/CVE-2017-16239
- https://review.openstack.org/519684
- https://review.openstack.org/519681
- https://review.openstack.org/519672
- https://review.openstack.org/519662
- https://launchpad.net/bugs/1664931
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16239
- https://security-tracker.debian.org/tracker/CVE-2017-1705
- https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=882009
- http://www.securityfocus.com/bid/101950
- https://access.redhat.com/errata/RHSA-2018:0241
- https://access.redhat.com/errata/RHSA-2018:0314
- https://access.redhat.com/errata/RHSA-2018:0369
- https://security.openstack.org/ossa/OSSA-2017-005.html
- https://www.debian.org/security/2017/dsa-4056
- https://www.openwall.com/lists/oss-security/2017/12/05/4
- https://bugzilla.redhat.com/show_bug.cgi/attachment.cgi?id=1346603&action=diff
- https://bugzilla.redhat.com/show_bug.cgi/attachment.cgi?id=1346603&action=edit
- https://bugzilla.redhat.com/show_bug.cgi/attachment.cgi?id=1346604&action=diff
- https://bugzilla.redhat.com/show_bug.cgi/attachment.cgi?id=1346604&action=edit
- https://bugzilla.redhat.com/show_bug.cgi/attachment.cgi?id=1346605&action=diff
- https://bugzilla.redhat.com/show_bug.cgi/attachment.cgi?id=1346605&action=edit
- https://bugzilla.redhat.com/show_bug.cgi/attachment.cgi?id=1346606&action=diff
- https://bugzilla.redhat.com/show_bug.cgi/attachment.cgi?id=1346606&action=edit
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1513187
- https://bugzilla.redhat.com/show_bug.cgi?id=1508539
- https://nvd.nist.gov/vuln/detail/CVE-2017-16239
- https://github.com/openstack/nova/commit/698b261a5a2a6c0f31ef5059046ef7196d5cba30
- https://github.com/openstack/nova/commit/984dd8ad6add4523d93c7ce5a666a32233e02e34
- https://github.com/openstack/nova/commit/9e2d63da94db63d97bd02e373bfc53d95808b833
- https://github.com/openstack/nova/commit/b72105c1c49fcddc94992af63fc2f8078023491a
- https://github.com/advisories/GHSA-w2wf-cgwh-vpqg (Advisory)
Frequently Asked Questions
What is CVE-2017-16239?
CVE-2017-16239 is a vulnerability in OpenStack Nova that allows an authenticated user to bypass imposed filters by rebuilding an instance.
What is the severity of CVE-2017-16239?
The severity of CVE-2017-16239 is medium with a CVSS score of 6.5.
How does CVE-2017-16239 affect OpenStack Nova?
CVE-2017-16239 affects OpenStack Nova versions 14.0.9 through 16.0.2.
How can an authenticated user exploit CVE-2017-16239?
An authenticated user can exploit CVE-2017-16239 by rebuilding an instance, which allows them to bypass imposed filters like the ImagePropertiesFilter or the IsolatedHostsFilter.
Is there a fix available for CVE-2017-16239?
Yes, the fix for CVE-2017-16239 is available in the following versions: 2:18.1.0-6, 2:18.1.0-6+deb10u2, 2:22.0.1-2+deb11u1, 2:26.1.0-4, and 2:28.0.0-2.
- collector/debian-bugs
- alias/CVE-2017-16239
- collector/nvd-index
- collector/security-tracker-debian
- agent/type
- agent/first-publish-date
- collector/redhat-bugzilla
- source/Red Hat
- collector/github-advisory-latest
- source/GitHub
- alias/GHSA-w2wf-cgwh-vpqg
- agent/software-canonical-lookup
- agent/references
- agent/last-modified-date
- agent/severity
- agent/description
- agent/author
- agent/softwarecombine
- agent/event
- collector/nvd-cve
- source/NVD
- collector/github-advisory
- agent/tags
- collector/mitre-cve
- source/MITRE
- vendor/openstack
- canonical/openstack nova
- version/openstack nova/14.0.9
- version/openstack nova/15.0.0
- version/openstack nova/15.0.1
- version/openstack nova/15.0.2
- version/openstack nova/15.0.3
- version/openstack nova/15.0.4
- version/openstack nova/15.0.5
- version/openstack nova/15.0.6
- version/openstack nova/15.0.7
- version/openstack nova/16.0.0
- version/openstack nova/16.0.1
- version/openstack nova/16.0.2
- package-manager/debian
- package-manager/pip