Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [day] [month] [year] [list]
Date: Thu, 6 Oct 2016 19:43:01 +0000
From: Jeremy Stanley <fungi@...goth.org>
To: oss-security@...ts.openwall.com
Subject: [OSSA 2016-012] Malicious qemu-img input may exhaust resources in
 Cinder, Glance, Nova (CVE-2015-5162)

================================================================
OSSA-2016-012: Malicious qemu-img input may exhaust resources in
Cinder, Glance, Nova
================================================================

:Date: October 06, 2016
:CVE: CVE-2015-5162


Affects
~~~~~~~
- Cinder: <=7.0.2, >=8.0.0 <=8.1.1
- Glance: <=11.0.1, ==12.0.0
- Nova: <=12.0.4, ==13.0.0


Description
~~~~~~~~~~~
Richard W.M. Jones of Red Hat reported a vulnerability that affects
OpenStack Cinder, Glance and Nova. By providing a maliciously
crafted disk image an attacker can consume considerable amounts of
RAM and CPU time resulting in a denial of service via resource
exhaustion. Any project which makes calls to qemu-img without
appropriate ulimit restrictions in place is affected by this flaw.


Patches
~~~~~~~
- https://review.openstack.org/382573 (cinder) (Liberty)
- https://review.openstack.org/378012 (glance) (Liberty)
- https://review.openstack.org/327624 (nova) (Liberty)
- https://review.openstack.org/375625 (cinder) (Mitaka)
- https://review.openstack.org/377736 (glance) (Mitaka)
- https://review.openstack.org/326327 (nova) (Mitaka)
- https://review.openstack.org/375102 (cinder) (Newton)
- https://review.openstack.org/377734 (glance) (Newton)
- https://review.openstack.org/307663 (nova) (Newton)
- https://review.openstack.org/375099 (cinder) (Ocata)
- https://review.openstack.org/375526 (glance) (Ocata)


Credits
~~~~~~~
- Richard W.M. Jones from Red Hat (CVE-2015-5162)


References
~~~~~~~~~~
- https://launchpad.net/bugs/1449062
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5162


Notes
~~~~~
- Separate Ocata patches are listed for Cinder and Glance, as they
  were fixed during the Newton release freeze after it branched from
  master.


-- 
Jeremy Stanley
OpenStack Vulnerability Management Team

[ CONTENT OF TYPE application/pgp-signature SKIPPED ]

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ