OSSA-2016-012: Malicious qemu-img input may exhaust resources in Cinder, Glance, Nova

Date:

October 06, 2016

CVE:

CVE-2015-5162

Affects

• Cinder: <=7.0.2, >=8.0.0 <=8.1.1

• Glance: <=11.0.1, ==12.0.0

• Nova: <=12.0.4, ==13.0.0

Description

Richard W.M. Jones of Red Hat reported a vulnerability that affects OpenStack Cinder, Glance and Nova. By providing a maliciously crafted disk image an attacker can consume considerable amounts of RAM and CPU time resulting in a denial of service via resource exhaustion. Any project which makes calls to qemu-img without appropriate ulimit restrictions in place is affected by this flaw.

Patches

• https://review.openstack.org/382573 (cinder) (Liberty)

• https://review.openstack.org/378012 (glance) (Liberty)

• https://review.openstack.org/327624 (nova) (Liberty)

• https://review.openstack.org/375625 (cinder) (Mitaka)

• https://review.openstack.org/377736 (glance) (Mitaka)

• https://review.openstack.org/326327 (nova) (Mitaka)

• https://review.openstack.org/375102 (cinder) (Newton)

• https://review.openstack.org/377734 (glance) (Newton)

• https://review.openstack.org/307663 (nova) (Newton)

• https://review.openstack.org/375099 (cinder) (Ocata)

• https://review.openstack.org/375526 (glance) (Ocata)

Credits

• Richard W.M. Jones from Red Hat (CVE-2015-5162)

References

• https://launchpad.net/bugs/1449062

• http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5162

Notes

• Separate Ocata patches are listed for Cinder and Glance, as they were fixed during the Newton release freeze after it branched from master.