[Openstack] [OSSA 2016-012] Malicious qemu-img input may exhaust resources in Cinder, Glance, Nova (CVE-2015-5162)

Jeremy Stanley fungi at yuggoth.org
Thu Oct 6 19:42:34 UTC 2016 

================================================================
OSSA-2016-012: Malicious qemu-img input may exhaust resources in
Cinder, Glance, Nova
================================================================

:Date: October 06, 2016
:CVE: CVE-2015-5162


Affects
~~~~~~~
- Cinder: <=7.0.2, >=8.0.0 <=8.1.1
- Glance: <=11.0.1, ==12.0.0
- Nova: <=12.0.4, ==13.0.0


Description
~~~~~~~~~~~
Richard W.M. Jones of Red Hat reported a vulnerability that affects
OpenStack Cinder, Glance and Nova. By providing a maliciously
crafted disk image an attacker can consume considerable amounts of
RAM and CPU time resulting in a denial of service via resource
exhaustion. Any project which makes calls to qemu-img without
appropriate ulimit restrictions in place is affected by this flaw.


Patches
~~~~~~~
- https://review.openstack.org/382573 (cinder) (Liberty)
- https://review.openstack.org/378012 (glance) (Liberty)
- https://review.openstack.org/327624 (nova) (Liberty)
- https://review.openstack.org/375625 (cinder) (Mitaka)
- https://review.openstack.org/377736 (glance) (Mitaka)
- https://review.openstack.org/326327 (nova) (Mitaka)
- https://review.openstack.org/375102 (cinder) (Newton)
- https://review.openstack.org/377734 (glance) (Newton)
- https://review.openstack.org/307663 (nova) (Newton)
- https://review.openstack.org/375099 (cinder) (Ocata)
- https://review.openstack.org/375526 (glance) (Ocata)


Credits
~~~~~~~
- Richard W.M. Jones from Red Hat (CVE-2015-5162)


References
~~~~~~~~~~
- https://launchpad.net/bugs/1449062
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5162


Notes
~~~~~
- Separate Ocata patches are listed for Cinder and Glance, as they
  were fixed during the Newton release freeze after it branched from
  master.


-- 
Jeremy Stanley
OpenStack Vulnerability Management Team
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 949 bytes
Desc: Digital signature
URL: <http://lists.openstack.org/pipermail/openstack/attachments/20161006/49137923/attachment.sig>

More information about the Openstack mailing list