=====================================================================================
OSSA-2016-012: Malicious qemu-img input may exhaust resources in Cinder, Glance, Nova
=====================================================================================

:Date: October 06, 2016
:CVE: CVE-2015-5162


Affects
~~~~~~~
- Cinder: <=7.0.2, >=8.0.0 <=8.1.1
- Glance: <=11.0.1, ==12.0.0
- Nova: <=12.0.4, ==13.0.0


Description
~~~~~~~~~~~
Richard W.M. Jones of Red Hat reported a vulnerability that affects
OpenStack Cinder, Glance and Nova. By providing a maliciously crafted
disk image, an attacker can consume considerable amounts of RAM and CPU
time, resulting in a denial of service via resource exhaustion. Any
project which makes calls to qemu-img without appropriate ulimit
restrictions in place is affected by this flaw.


Patches
~~~~~~~
- https://review.openstack.org/382573 (cinder) (Liberty)
- https://review.openstack.org/378012 (glance) (Liberty)
- https://review.openstack.org/327624 (nova) (Liberty)
- https://review.openstack.org/375625 (cinder) (Mitaka)
- https://review.openstack.org/377736 (glance) (Mitaka)
- https://review.openstack.org/326327 (nova) (Mitaka)
- https://review.openstack.org/375102 (cinder) (Newton)
- https://review.openstack.org/377734 (glance) (Newton)
- https://review.openstack.org/307663 (nova) (Newton)
- https://review.openstack.org/375099 (cinder) (Ocata)
- https://review.openstack.org/375526 (glance) (Ocata)


Credits
~~~~~~~
- Richard W.M. Jones from Red Hat (CVE-2015-5162)


References
~~~~~~~~~~
- https://launchpad.net/bugs/1449062
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5162


Notes
~~~~~
- Separate Ocata patches are listed for Cinder and Glance, as they were
  fixed during the Newton release freeze after it branched from master.

--
Jeremy Stanley
OpenStack Vulnerability Management Team
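
The Description states that any caller of qemu-img without ulimit restrictions is affected. The sketch below is an added example, not code from this advisory or from the referenced patches, showing one way to cap CPU time and address space on the child process only. The helper names, the 2 second and 1 GiB limits, and the 30 second wall-clock timeout are assumptions chosen for illustration.

```python
import resource
import subprocess

# Assumed limits for illustration; tune them for the images a deployment handles.
CPU_SECONDS = 2
ADDRESS_SPACE_BYTES = 1 << 30  # 1 GiB


def _clamp(kind, wanted):
    """Return (soft, hard) for `kind`, never above the current hard limit."""
    _, hard = resource.getrlimit(kind)
    if hard != resource.RLIM_INFINITY:
        wanted = min(wanted, hard)
    return (wanted, wanted)


def _apply_limits(cpu_seconds, address_space):
    # Runs in the child between fork() and exec(), so the calling service
    # keeps its own limits and only the spawned tool is capped.
    resource.setrlimit(resource.RLIMIT_CPU,
                       _clamp(resource.RLIMIT_CPU, cpu_seconds))
    resource.setrlimit(resource.RLIMIT_AS,
                       _clamp(resource.RLIMIT_AS, address_space))


def run_limited(argv, cpu_seconds=CPU_SECONDS,
                address_space=ADDRESS_SPACE_BYTES, wall_timeout=30):
    """Run argv under RLIMIT_CPU and RLIMIT_AS; return the CompletedProcess."""
    return subprocess.run(
        argv,
        preexec_fn=lambda: _apply_limits(cpu_seconds, address_space),
        stdout=subprocess.PIPE,
        stderr=subprocess.PIPE,
        timeout=wall_timeout,  # also bounds time spent blocked, not on CPU
        check=False,
    )


def qemu_img_info(path):
    """Inspect an untrusted image; raise if qemu-img fails or hits a limit."""
    proc = run_limited(["qemu-img", "info", "--output=json", path])
    if proc.returncode != 0:
        # A negative return code means the child was killed by a signal,
        # for example SIGXCPU or SIGKILL when the CPU limit is reached.
        raise RuntimeError(
            "qemu-img info failed or exceeded limits (rc=%d)" % proc.returncode)
    return proc.stdout
```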