OSSA-2014-017: Nova VMware driver leaks rescued images¶

Date:: May 29, 2014
CVE:: CVE-2014-2573

Affects¶

Nova: from 2013.2 to 2013.2.3, and 2014.1

Description¶

Jaroslav Henner from Red Hat reported a vulnerability in Nova. By requesting Nova place an image into rescue, then deleting the image, an authenticated user my exceed their quota. This can result in a denial of service via excessive resource consumption. Only setups using the Nova VMware driver are affected.

Patches¶

https://review.openstack.org/#/c/89762 (Havana)
https://review.openstack.org/#/c/89768 (Havana)
https://review.openstack.org/#/c/88514 (Icehouse)
https://review.openstack.org/#/c/89217 (Icehouse)
https://review.openstack.org/#/c/75788 (Juno)
https://review.openstack.org/#/c/80284 (Juno)

Credits¶

Jaroslav Henner from Red Hat (CVE-2014-2573)

References¶

https://launchpad.net/bugs/1269418
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2573

OSSA-2014-017: Nova VMware driver leaks rescued images