Comment 28 for bug 1449062
Revision history for this message
| Grant Murphy (gmurphy) wrote Re: qemu-img calls need to be restricted by ulimit | #28 |
© 2004
Canonical Ltd.
•
Terms of use
•
Data privacy
•
Contact Launchpad Support
•
Blog
•
Careers
•
System status
•
0e1f616
(Get the code!)
Draft impact description:
Title: Malicious input to qemu-img may result in resource exhaustion
Reporter: Richard W.M. Jones
Product: Nova, Cinder, Glance
Affects:
Nova: 2012.1.0 versions through 2015.1.0,
Cinder: 2013.1.0 versions through 2015.1.0,
Glance: 2015.1.0
Description:
Richard W.M. Jones of Red Hat reported a vulnerability that affects several
OpenStack projects including Nova, Glance, and Cinder. By providing a
maliciously crafted disk image an attacker can consume considerable amounts
of RAM and CPU time resulting in a denial of service via resource exhaustion.
Any project which makes calls to qemu-img without appropriate ulimit restrictions
in place is affected by this flaw.