[openstack-announce] [OSSA 2014-017] Nova VMWare driver leaks rescued images (CVE-2014-2573)

Jeremy Stanley jeremy at openstack.org
Thu May 29 19:45:44 UTC 2014


OpenStack Security Advisory: 2014-017
CVE: CVE-2014-2573
Date: May 29, 2014
Title: Nova VMWare driver leaks rescued images
Reporter: Jaroslav Henner (Red Hat)
Products: Nova
Versions: from 2013.2 to 2013.2.3, and 2014.1

Description:
Jaroslav Henner from Red Hat reported a vulnerability in Nova. By
requesting Nova place an image into rescue, then deleting the image,
an authenticated user my exceed their quota. This can result in a
denial of service via excessive resource consumption. Only setups
using the Nova VMWare driver are affected.

Juno (development branch) fix:
https://review.openstack.org/75788
https://review.openstack.org/80284

Icehouse fix:
https://review.openstack.org/88514
https://review.openstack.org/89217

Havana fix:
https://review.openstack.org/89762
https://review.openstack.org/89768

Notes:
This fix will be included in the juno-1 development milestone and in
future 2013.2.4 and 2014.1.1 releases.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2573
https://launchpad.net/bugs/1269418

-- 
Jeremy Stanley
OpenStack Vulnerability Management Team
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 949 bytes
Desc: Digital signature
URL: <http://lists.openstack.org/pipermail/openstack-announce/attachments/20140529/1c5c577d/attachment.pgp>


More information about the OpenStack-announce mailing list