This is a copy from the openstack-announce message.
OSSN-0094: Ensuring Volume Safety with Nova and Watcher
== Summary ==
A vulnerability has been identified in OpenStack Nova and OpenStack Watcher
in conjunction with volume swap operations performed by the Watcher service.
Under specific circumstances, this can lead to a situation where two Nova
libvirt instances could reference the same block device, allowing accidental
information disclosure to the unauthorized instance.
== Affected Services / Software ==
Services: Nova, Watcher
Releases: all supported releases
== Discussion ==
The issue occurs when Watcher's zone migration strategy performs the following
sequence of events:
1. Watcher initiates a volume swap using Nova's internal-only volume swap API
2. Watcher initiates a live migration of the same instance
3. In some error cases the connection details may have failed to update the storage references; these invalid details are then used during the live migration.
=== Required Access ===
The swap volume, live migration and all Watcher APIs are admin-only, so with the
default policy it is only possible to create the inconsistent state described in
this OSSN if you have admin rights on the relevant OpenStack project.
=== Further Watcher Hardening ===
The Watcher service, when first created, often implemented its own means
to perform operations. Many of those operations can now be done natively
via other OpenStack services. In the specific context of OSSN-0094,
the ability to migrate Cinder volumes between storage backends is such an
example.
Additionally, the Cinder volume migration in Watcher created a new Keystone
user with the admin role assigned for the instance owners' project and then
used that user to perform API requests on behalf of the project. This code
has been removed.
Finally, due to limited error handling and no validation that the objects
involved were migrated properly, some error scenarios could have led to
a source volume being deleted despite not having been migrated properly.
=== Resolution ===
Nova will now reject any request to swap a volume that has an empty migration
status, effectively restricting the usage of this API to Cinder. This brings
the API validation in line with the documentation.
Watcher's internal implementation of swap volume has been deleted and replaced
with Cinder's native volume migration. Watcher no longer creates temporary
Keystone users in normal operation.
=== Patches ===
Patches for Nova and Watcher have been backported to all supported stable
branches and committed to the master branch.
stable/2025.1:
* Watcher: https://review.opendev.org/c/openstack/watcher/+/957770
* Nova: https://review.opendev.org/c/openstack/nova/+/957759
stable/2024.2:
* Watcher: https://review.opendev.org/c/openstack/watcher/+/957773
* Nova: https://review.opendev.org/c/openstack/nova/+/957762
stable/2024.1:
* Watcher: https://review.opendev.org/c/openstack/watcher/+/957774
* Nova: https://review.opendev.org/c/openstack/nova/+/957764
== Recommended Actions ==
* Operators using Watcher's zone migration strategy should apply the provided Watcher and Nova patches as soon as possible.
* Operators should refrain from using the swap volume migration action in Watcher. The compatibility code for swap volume that uses a Cinder-based migration may be removed in a future API version.
* Operators should audit all users with the admin role and ensure no temporary Watcher-created users remain.
* Operators using custom policy for volume attachment (/servers/{server_id}/os-volume_attachments/{volume_id}) or the live migration API should review the state of existing instances which have had volume migrations. Any instance in an inconsistent state can be resolved by hard rebooting the instance using Nova's API.
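As an added example, not code from Nova, Watcher or the Debian package: a small Python check that an operator reviewing instances could run over `virsh dumpxml` output for the domains on a host, to find host block devices referenced by more than one libvirt domain (the state described in the Summary), alongside a model of the empty-migration-status validation the Resolution describes. The domain XML, instance names and device paths are constructed sample data.

```python
from collections import defaultdict
import xml.etree.ElementTree as ET


def block_device_sources(domain_xml: str) -> set[str]:
    """Return the host-side source paths of every block-backed disk in one
    libvirt domain definition (disks of type 'file' are ignored)."""
    sources = set()
    for disk in ET.fromstring(domain_xml).iter("disk"):
        source = disk.find("source")
        if disk.get("type") == "block" and source is not None and source.get("dev"):
            sources.add(source.get("dev"))
    return sources


def shared_block_devices(domains: dict[str, str]) -> dict[str, list[str]]:
    """Given {domain name: domain XML} for the instances on a host, return the
    block devices referenced by two or more domains (the inconsistent state
    OSSN-0094 describes), mapped to the sorted names of the domains using them."""
    users = defaultdict(list)
    for name, xml in domains.items():
        for dev in block_device_sources(xml):
            users[dev].append(name)
    return {dev: sorted(names) for dev, names in users.items() if len(names) > 1}


def swap_volume_allowed(volume: dict) -> bool:
    """Model of the validation the advisory says Nova now applies: a swap request
    is rejected when the volume's Cinder migration_status is empty or missing,
    since only a Cinder-driven migration sets that field."""
    return bool(volume.get("migration_status"))


# Constructed sample data (not from a real host): instances 1 and 2 both
# point their vdb at the same host block device, instance 3 does not.
DOMAIN_TEMPLATE = """<domain type='kvm'><name>{name}</name><devices>
  <disk type='file' device='disk'><source file='/var/lib/nova/instances/{name}/disk'/><target dev='vda' bus='virtio'/></disk>
  <disk type='block' device='disk'><source dev='{dev}'/><target dev='vdb' bus='virtio'/></disk>
</devices></domain>"""
SAMPLE_DOMAINS = {
    "instance-00000001": DOMAIN_TEMPLATE.format(name="instance-00000001", dev="/dev/dm-3"),
    "instance-00000002": DOMAIN_TEMPLATE.format(name="instance-00000002", dev="/dev/dm-3"),
    "instance-00000003": DOMAIN_TEMPLATE.format(name="instance-00000003", dev="/dev/dm-7"),
}

if __name__ == "__main__":
    for dev, names in shared_block_devices(SAMPLE_DOMAINS).items():
        print(f"{dev} is attached to {len(names)} domains: {', '.join(names)}")
```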
== Contacts / References ==
* Author: Sean Mooney <smooney@redhat.com>, Jay Faulkner <jay@jvf.cc>
* This OSSN : https://wiki.openstack.org/wiki/OSSN/OSSN-0094
* Original LaunchPad Bug : https://bugs.launchpad.net/nova/+bug/2112187
* Mailing List : [Security] tag on openstack-discuss@lists.openstack.org
* OpenStack Security Project : https://launchpad.net/~openstack-ossg
* CVE: None
Hello,
Bug #1111689 in nova reported by you has been fixed in the Git repository and is awaiting an upload. You can see the commit message below and you can check the diff of the fix at:
https://salsa.debian.org/openstack-team/services/nova/-/commit/b07992c35c269f3a14b141beefc1441e928115ae
------------------------------------------------------------------------
* A vulnerability has been identified in OpenStack Nova and OpenStack Watcher in conjunction with volume swap operations performed by the Watcher service. Under specific circumstances, this can lead to a situation where two Nova libvirt instances could reference the same block device, allowing accidental information disclosure to the unauthorized instance. Added upstream patch: OSSN-0094_restrict_swap_volume_to_cinder.patch. (Closes: #1111689).
------------------------------------------------------------------------
(this message was generated automatically)
--
Greetings
https://bugs.debian.org/1111689
Hello,
Bug #1111689 in nova reported by you has been fixed in the Git repository and is awaiting an upload. You can see the commit message below and you can check the diff of the fix at:
https://salsa.debian.org/openstack-team/services/nova/-/commit/67f51608c9207564cfaf245648a76a54b744c801
------------------------------------------------------------------------
* A vulnerability has been identified in OpenStack Nova and OpenStack Watcher in conjunction with volume swap operations performed by the Watcher service. Under specific circumstances, this can lead to a situation where two Nova libvirt instances could reference the same block device, allowing accidental information disclosure to the unauthorized instance. Added upstream patch: OSSN-0094_restrict_swap_volume_to_cinder.patch. (Closes: #1111689).
------------------------------------------------------------------------
(this message was generated automatically)
--
Greetings
https://bugs.debian.org/1111689
We believe that the bug you reported is fixed in the latest version of
nova, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 1111689@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Thomas Goirand <zigo@debian.org> (supplier of updated nova package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
Format: 1.8
Date: Thu, 21 Aug 2025 09:10:49 +0200
Source: nova
Architecture: source
Version: 2:31.0.0-7
Distribution: unstable
Urgency: high
Maintainer: Debian OpenStack <team+openstack@tracker.debian.org>
Changed-By: Thomas Goirand <zigo@debian.org>
Closes: 1111689
Changes:
nova (2:31.0.0-7) unstable; urgency=high
.
* A vulnerability has been identified in OpenStack Nova and OpenStack Watcher
in conjunction with volume swap operations performed by the Watcher
service. Under specific circumstances, this can lead to a situation where
two Nova libvirt instances could reference the same block device, allowing
accidental information disclosure to the unauthorized instance. Added
upstream patch: OSSN-0094_restrict_swap_volume_to_cinder.patch.
(Closes: #1111689).
* Blacklist non-deterministic unit test:
- ComputeTestCase.test_add_remove_fixed_ip_updates_instance_updated_at