Public Date:
1508539: CVE-2017-16239 openstack-nova: Nova Filter Scheduler bypass through rebuild action
By rebuilding an instance using a new image, an authenticated user may be able to circumvent the Filter Scheduler, bypassing imposed filters (for example, the ImagePropertiesFilter or the IsolatedHostsFilter).

Find out more about CVE-2017-16239 from the MITRE CVE dictionary dictionary and NIST NVD.


The upstream fix requires RequestSpec, which was introduced in OSP10. Patching versions, prior to version 10, comes with a considerable risk of introducing new bugs. Based on the impact of this vulnerability it was determined that OSP6 to 9 would not be fixed.

CVSS v3 metrics

CVSS3 Base Score 5.4
CVSS3 Base Metrics CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L
Attack Vector Network
Attack Complexity Low
Privileges Required Low
User Interaction None
Scope Unchanged
Confidentiality None
Integrity Impact Low
Availability Impact Low

Red Hat Security Errata

Platform Errata Release Date
Red Hat OpenStack Platform 10 (openstack-nova) RHSA-2018:0369 2018-02-27
Red Hat OpenStack Platform 12.0 (openstack-nova) RHSA-2018:0241 2018-01-30
Red Hat OpenStack Platform 11.0 (Ocata) (openstack-nova) RHSA-2018:0314 2018-02-13

Affected Packages State

Platform Package State
Red Hat OpenStack Platform 9.0 openstack-nova Will not fix
Red Hat OpenStack Platform 8.0 (Liberty) openstack-nova Will not fix
Red Hat Enterprise Linux OpenStack Platform 7.0 (Kilo) for RHEL 7 openstack-nova Will not fix
Red Hat Enterprise Linux OpenStack Platform 6.0 (Juno) for RHEL 7 openstack-nova Will not fix


Red Hat would like to thank the OpenStack project for reporting this issue. Upstream acknowledges George Shuklin ( as the original reporter.
Last Modified