[openstack-announce] [OSSA 2013-029] Potential Nova denial of service through compressed disk images (CVE-2013-4463, CVE-2013-4469)

Thierry Carrez thierry at openstack.org
Thu Oct 31 16:47:16 UTC 2013


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

OpenStack Security Advisory: 2013-029
CVE: CVE-2013-4463, CVE-2013-4469
Date: October 31, 2013
Title: Potential Nova denial of service through compressed disk images
Reporter: Bernhard M. Wiedemann (SUSE) & Pádraig Brady (Red Hat)
Products: Nova
Affects: All versions

Description:
Bernhard M. Wiedemann from SUSE reported a vulnerability in Nova's
control of the size of disk images. By using malicious compressed qcow2
disk images, an authenticated user may consume large amounts of disk
space for each image, potentially resulting in a Denial of Service
attack on Nova compute nodes (CVE-2013-4463). While fixing this issue,
Pádraig Brady from Red Hat additionally discovered that OSSA 2013-012
did not fully address CVE-2013-2096 in the non-default case where
use_cow_images=False, and malicious qcow images are being transferred
from Glance. In that specific case, an authenticated user could still
consume large amounts of disk space for each instance using the
malicious image, potentially also resulting in a Denial of Service
attack on Nova compute nodes (CVE-2013-4469). The provided fixes
address both issues.

Icehouse (development branch) fix:
https://review.openstack.org/54765

Havana fix:
https://review.openstack.org/54767

Grizzly fix:
https://review.openstack.org/54768

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4463
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4469
https://bugs.launchpad.net/nova/+bug/1206081

Regards,

- -- 
Thierry Carrez
OpenStack Vulnerability Management Team
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iQIcBAEBCAAGBQJScomUAAoJEFB6+JAlsQQjKf8QALc4olBe4QHSUg+1Zxa2vPSI
+w8Mn6g3rU1CgDRnTmIeGMJaDy3ph7yyKbAiEWkv4wa4/HzJ4/fh79fu6C5kl9WN
A5wJUyhb1G2lMb1gMylnMoF4G/ei//dplnAqtht+kbiuqmbwhAs+MqMnOVqJwdrJ
QJIV7d9wNUD2SVDPMc1GEN9AFKHncuSHmI1UF5JQ1T8t5lhp8lo//0Vh8YiG6bCu
l9vvU4jJhuyfY7ehneMt4aLS6rLEMKg0o//yZ48+mBv8/i7WWSn2k+O3o7k3uv5r
AOfT7Q9fliQEjnuGvJdQieyGpCWJRvxWUZtApmjnt+yK/QW4w8OvP1S7grrA/hmN
HDewR4UVORDCTw1rU9inHu0tWUQ63T1JSdj7jqLfZLuYZXcILn0qS6Wm7yeZqEit
SRsA0wbEz22ArfFhJW1FvC80dpeue8KyeKPfsAM5tX70Fa3GubgTf88dXjc8Dpgv
xAmbvoF/1c3PmxsBiWG0sj44Sai82C/7YNedIyPdipGx9sX9rLHr1e9ZXmsNHED6
IT468mBedxcal8gNafHRJ/fr1OHVNCkapSOtIzZbHilYkwIFSFbT4VN2cgGstDfw
p60O59nc8jzl03vXtJ8Sata567VsxEM3b2g619hJDz8XLBqhmqoQKESqRS/b7veV
fP0hzFkhlAIwib9Ybb47
=s1nm
-----END PGP SIGNATURE-----



More information about the OpenStack-announce mailing list