OSSA-2015-013: Glance task flow may fail to delete image from backend

OSSA-2015-013: Glance task flow may fail to delete image from backend¶

Date:: July 28, 2015
CVE:: CVE-2015-3289

Affects¶

Glance: versions 2015.1.0

Description¶

Abhishek Kekane from NTT reported a vulnerability in Glance. By creating numerous images using the import task flow API and deleting them, an authenticated attacker may accumulate untracked image data in the backend resulting in potential resource exhaustion and denial of service. All glance setups are affected.

Patches¶

https://review.openstack.org/#/c/181816/ (Kilo)
https://review.openstack.org/#/c/181345/ (Liberty)

Credits¶

Abhishek Kekane from NTT (CVE-2015-3289)

References¶

Notes¶

This fix will be included in the future 2015.1.1 (kilo) release.

this page last updated: 2024-03-18 15:52:07

Creative Commons Attribution 3.0 License

Except where otherwise noted, this document is licensed under Creative Commons Attribution 3.0 License. See all OpenStack Legal Documents.