Malicious qemu-img input may exhaust resources in Cinder, Glance, Nova (CVE-2015-5162) (OSSA-2016-012)
Bug #1636739 reported by Adam Heczko
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Mirantis OpenStack | Fix Released | High | Rodion Tikunov |
7.0.x | Won't Fix | High | MOS Maintenance |
8.0.x | Fix Released | High | MOS Maintenance |
9.x | Fix Released | High | Rodion Tikunov |
Bug Description
Detailed bug description:
Richard W.M. Jones of Red Hat reported a vulnerability that affects OpenStack Cinder, Glance and Nova. By providing a maliciously crafted disk image an attacker can consume considerable amounts of RAM and CPU time resulting in a denial of service via resource exhaustion. Any project which makes calls to qemu-img without appropriate ulimit restrictions in place is affected by this flaw.
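The restriction the description calls for, limits on the child process that runs qemu-img, shown as an added example (not code from this bug or from the OpenStack projects). The helper names `run_limited` and `qemu_img_info` and the limit values are assumptions, and the two child processes in `demo()` are constructed stand-ins for a hostile image.

```python
import resource
import subprocess
import sys

# Assumed caps for illustration; size them to the largest legitimate image you accept.
CPU_SECONDS = 2
ADDRESS_SPACE_BYTES = 1024 ** 3  # 1 GiB


def _lower(which, value):
    hard = resource.getrlimit(which)[1]
    if hard != resource.RLIM_INFINITY:
        value = min(value, hard)  # an unprivileged process cannot raise a hard limit
    resource.setrlimit(which, (value, value))


def run_limited(cmd, cpu_seconds=CPU_SECONDS, address_space=ADDRESS_SPACE_BYTES,
                wall_timeout=30):
    """Run cmd with RLIMIT_CPU and RLIMIT_AS applied to the child only."""

    def apply_limits():
        # Runs in the child between fork() and exec(); the calling service keeps its limits.
        _lower(resource.RLIMIT_CPU, cpu_seconds)
        _lower(resource.RLIMIT_AS, address_space)

    # The wall-clock timeout covers a child that blocks without burning CPU time.
    return subprocess.run(cmd, preexec_fn=apply_limits, capture_output=True,
                          text=True, timeout=wall_timeout)


def qemu_img_info(path):
    """Hypothetical helper: inspect an untrusted image under the limits above."""
    proc = run_limited(["qemu-img", "info", "--output=json", path])
    if proc.returncode < 0:
        raise RuntimeError("qemu-img terminated by signal %d" % -proc.returncode)
    if proc.returncode != 0:
        raise RuntimeError("qemu-img failed: " + proc.stderr.strip())
    return proc.stdout


def demo():
    """Constructed stand-ins for a hostile image: a CPU spin and a 4 GiB allocation."""
    spin = run_limited([sys.executable, "-c", "while True: pass"], cpu_seconds=1)
    alloc = run_limited([sys.executable, "-c", "bytearray(4 * 1024 ** 3)"])
    return spin.returncode, alloc.returncode


if __name__ == "__main__":
    print(demo())
```

`preexec_fn` is not safe in multi-threaded callers; a service in that position can get the same effect by launching the command through a small wrapper process that sets the limits and then execs qemu-img.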
Changed in mos:
status: Invalid → Fix Released
information type: Private Security → Public Security
summary: "Malicious qemu-img input may exhaust resources in Cinder, Glance, Nova (CVE-2015-5162)" → "Malicious qemu-img input may exhaust resources in Cinder, Glance, Nova (CVE-2015-5162) (OSSA-2016-012)"
Fixes are in http://www.openwall.com/lists/oss-security/2016/10/06/8
Maintenance Team, please check whether the fixes for 9.x were obtained with a sync-from-mitaka, for 8.0 with a sync-from-liberty. For 7.0 please prepare CRs.