OSSA-2014-028: Glance store DoS through disk space exhaustion¶

Date:: August 21, 2014
CVE:: CVE-2014-5356

Affects¶

Glance: up to 2013.2.3 and 2014.1 versions up to 2014.1.2

Description¶

Thomas Leaman and Stuart McLaren from Hewlett Packard reported a vulnerability in Glance. By uploading a large enough image to a Glance store, an authenticated user may fill the store space because the image_size_cap configuration option is not honored. This may prevent further image upload and/or cause service disruption. Note that the import method is not affected. All Glance setups using API v2 are affected (unless you use a policy to restrict/disable image upload).

Patches¶

https://review.openstack.org/#/c/115289 (Havana)
https://review.openstack.org/#/c/115280 (Icehouse)
https://review.openstack.org/#/c/91764 (Juno)

Credits¶

Thomas Leaman from HP (CVE-2014-5356)
Stuart McLaren from HP (CVE-2014-5356)

References¶

https://launchpad.net/bugs/1315321
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5356

OSSA-2014-028: Glance store DoS through disk space exhaustion