CVE-2017-17051

Impact:
Moderate
Public Date:
2017-12-05
CWE:
CWE-400
Bugzilla:
1519231: CVE-2017-17051 openstack-nova: Nova FilterScheduler doubles resource allocations during rebuild with new image

The MITRE CVE dictionary describes this issue as:

An issue was discovered in the default FilterScheduler in OpenStack Nova 16.0.3. By repeatedly rebuilding an instance with new images, an authenticated user may consume untracked resources on a hypervisor host leading to a denial of service, aka doubled resource allocations. This regression was introduced with the fix for OSSA-2017-005 (CVE-2017-16239); however, only Nova stable/pike or later deployments with that fix applied and relying on the default FilterScheduler are affected.

Find out more about CVE-2017-17051 from the MITRE CVE dictionary dictionary and NIST NVD.

Statement

This vulnerability was caused by the fix for a prior vulnerability (CVE-2017-16239). No patches for the earlier vulnerability were released for Red Hat OpenStack before the discover of the new vulnerability. Therefore, current versions of Red Hat OpenStack are not affected by this vulnerability.

CVSS v3 metrics

NOTE: The following CVSS v3 metrics and score provided are preliminary and subject to review.

CVSS3 Base Score 5.3
CVSS3 Base Metrics CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Attack Vector Network
Attack Complexity Low
Privileges Required None
User Interaction None
Scope Unchanged
Confidentiality None
Integrity Impact None
Availability Impact Low

Affected Packages State

Platform Package State
Red Hat OpenStack Platform 9.0 openstack-nova Not affected
Red Hat OpenStack Platform 8.0 (Liberty) openstack-nova Not affected
Red Hat OpenStack Platform 12.0 openstack-nova Not affected
Red Hat OpenStack Platform 11.0 (Ocata) openstack-nova Not affected
Red Hat OpenStack Platform 10 openstack-nova Not affected
Red Hat Enterprise Linux OpenStack Platform 7.0 (Kilo) for RHEL 7 openstack-nova Not affected
Red Hat Enterprise Linux OpenStack Platform 6.0 (Juno) for RHEL 7 openstack-nova Not affected

Acknowledgements

Red Hat would like to thank the OpenStack project for reporting this issue. Upstream acknowledges Matt Riedemann (Huawei) as the original reporter.

This page is generated automatically and has not been checked for errors or omissions.

For clarification or corrections please contact Red Hat Product Security.

Last Modified

CVE description copyright © 2017, The MITRE Corporation

Close

Welcome! Check out the Getting Started with Red Hat page for quick tours and guides for common tasks.