VMware: possible collision of VNC ports
Bug #1255609 reported by Radoslav Gerganov
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
OpenStack Compute (nova) | Fix Released | High | Radoslav Gerganov |
Havana | Fix Released | High | Tracy Jones |
VMwareAPI-Team | In Progress | High | Unassigned |
Bug Description
We assign VNC ports to VM instances with the following method:

    def _get_vnc_
        """Return VNC port for an VM."""
        vm_id = int(vm_
        port = CONF.vmware.
        return port

The vm_id is a simple counter in vSphere which increments fast and there is a chance to get the same port number if the vm_ids are equal modulo vnc_port_total (10000 by default).
A report was received that if the port number is reused you may get access to the VNC console of another tenant. We need to fix the implementation to always choose a port number which is not taken or report an error if there are no free ports available.
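
The collision and the fix requested above, as an added example that is not nova's code and not part of the original report. It assumes the port is a base port plus vm_id modulo vnc_port_total; the base port 5900 and all function names are assumptions, and the sample vm_ids are constructed.

```python
"""Added example: modulo-based VNC port assignment vs. free-port allocation."""

VNC_PORT_BASE = 5900      # assumed base port (not stated in the report)
VNC_PORT_TOTAL = 10000    # default vnc_port_total quoted in the report


class NoFreeVncPort(Exception):
    """Raised when every port in the configured range is already taken."""


def modulo_port(vm_id, base=VNC_PORT_BASE, total=VNC_PORT_TOTAL):
    """Port derived only from the vSphere counter (the reported behaviour)."""
    return base + vm_id % total


def find_collisions(vm_ids, base=VNC_PORT_BASE, total=VNC_PORT_TOTAL):
    """Return {port: [vm_ids]} for every port claimed by more than one VM."""
    by_port = {}
    for vm_id in vm_ids:
        by_port.setdefault(modulo_port(vm_id, base, total), []).append(vm_id)
    return {p: ids for p, ids in by_port.items() if len(ids) > 1}


def allocate_free_port(used_ports, base=VNC_PORT_BASE, total=VNC_PORT_TOTAL):
    """Return the lowest port in [base, base + total) not in used_ports.

    used_ports must hold the ports of all existing VMs at call time; how
    that set is collected is left to the caller (hypothetical here).
    """
    used = set(used_ports)
    for port in range(base, base + total):
        if port not in used:
            return port
    raise NoFreeVncPort("no free VNC port in %d-%d" % (base, base + total - 1))


if __name__ == "__main__":
    # Constructed sample: VM ids that differ by multiples of 10000.
    sample_vm_ids = [42, 1337, 10042, 20042]
    print(find_collisions(sample_vm_ids))
    taken = {modulo_port(v) for v in sample_vm_ids}
    print(allocate_free_port(taken))
```

The lookup of used ports and the assignment of the chosen port have to be serialized (a lock, or a retry on conflict); otherwise two concurrent spawns can still select the same free port.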
Changed in nova:
assignee: nobody → Radoslav Gerganov (rgerganov)
information type: Private Security → Public
Changed in nova:
status: Confirmed → In Progress
no longer affects: ossa
Changed in nova:
milestone: none → icehouse-1
milestone: icehouse-1 → icehouse-2
Changed in nova:
importance: Low → High
importance: High → Medium
Changed in nova:
importance: Medium → High
Changed in openstack-vmwareapi-team:
importance: Undecided → High
tags: added: havana-backport-potential
Changed in openstack-vmwareapi-team:
status: New → In Progress
Changed in nova:
milestone: icehouse-2 → icehouse-3
Changed in nova:
status: Fix Committed → Fix Released
tags: removed: havana-backport-potential in-stable-havana
Changed in nova:
milestone: icehouse-3 → 2014.1
Is this exploitable, or only something which occurs by random chance? If the latter, I feel like we'd be better off opening the bug and fixing this in public as a security hardening improvement (possibly with an accompanying OSSN).
I've added the Nova security reviewers for confirmation of the issue, and to comment on any proposed patches in case this remains under embargo.