OSSA-2016-012: Malicious qemu-img input may exhaust resources in Cinder, Glance, Nova

Date:October 06, 2016


  • Cinder: <=7.0.2, >=8.0.0 <=8.1.1
  • Glance: <=11.0.1, ==12.0.0
  • Nova: <=12.0.4, ==13.0.0


Richard W.M. Jones of Red Hat reported a vulnerability that affects OpenStack Cinder, Glance and Nova. By providing a maliciously crafted disk image an attacker can consume considerable amounts of RAM and CPU time resulting in a denial of service via resource exhaustion. Any project which makes calls to qemu-img without appropriate ulimit restrictions in place is affected by this flaw.


  • Richard W.M. Jones from Red Hat (CVE-2015-5162)


  • Separate Ocata patches are listed for Cinder and Glance, as they were fixed during the Newton release freeze after it branched from master.