OSSA-2016-012: Malicious qemu-img input may exhaust resources in Cinder, Glance, Nova

OSSA-2016-012: Malicious qemu-img input may exhaust resources in Cinder, Glance, Nova

Date:October 06, 2016
CVE:CVE-2015-5162

Affects

  • Cinder: <=7.0.2, >=8.0.0 <=8.1.1
  • Glance: <=11.0.1, ==12.0.0
  • Nova: <=12.0.4, ==13.0.0

Description

Richard W.M. Jones of Red Hat reported a vulnerability that affects OpenStack Cinder, Glance and Nova. By providing a maliciously crafted disk image an attacker can consume considerable amounts of RAM and CPU time resulting in a denial of service via resource exhaustion. Any project which makes calls to qemu-img without appropriate ulimit restrictions in place is affected by this flaw.

Credits

  • Richard W.M. Jones from Red Hat (CVE-2015-5162)

Notes

  • Separate Ocata patches are listed for Cinder and Glance, as they were fixed during the Newton release freeze after it branched from master.
Creative Commons Attribution 3.0 License

Except where otherwise noted, this document is licensed under Creative Commons Attribution 3.0 License. See all OpenStack Legal Documents.