Comment 64 for bug 1449062

Jeremy Stanley (fungi) wrote : Re: qemu-img calls need to be restricted by ulimit (CVE-2015-5162)

I'm resurrecting Grant's proposed impact description from comment #28 and updating for the year of time which has passed since. I've also edited it to remove references to Cinder and Glance... are those effectively still impacted in any supported branches? I see that the tasks API in Glance becoming admin-only in Mitaka results in this being impractical there, but what about for Liberty? And there's little input from Cinder on this bug at all but the claim is that it's exploitable there as well. Is that still the case today?

--

Title: Malicious input to qemu-img may result in resource exhaustion
Reporter: Richard W.M. Jones
Product: Nova
Affects: <=12.0.4, ==13.0.0

Description:
Richard W.M. Jones of Red Hat reported a vulnerability that affects OpenStack
Nova. By providing a maliciously crafted disk image, an attacker can consume
considerable amounts of RAM and CPU time, resulting in a denial of service via
resource exhaustion. Any project which makes calls to qemu-img without
appropriate ulimit restrictions in place is affected by this flaw.
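
The mitigation named in the description above, running qemu-img under ulimit-style restrictions, sketched as an added example that is not part of the original comment and is not Nova's code. The function names and the limit values (2 CPU seconds, 1 GiB of address space, 30 second wall clock) are assumptions chosen for illustration.

```python
import resource
import subprocess

# Assumed limits for this example; size them to the largest legitimate image.
CPU_SECONDS = 2
ADDRESS_SPACE_BYTES = 1024 ** 3  # 1 GiB


def _cap(which, soft, hard):
    """Set an rlimit, never asking for more than the inherited hard limit."""
    cur_hard = resource.getrlimit(which)[1]
    if cur_hard != resource.RLIM_INFINITY:
        soft, hard = min(soft, cur_hard), min(hard, cur_hard)
    resource.setrlimit(which, (soft, hard))


def _limiter(cpu_seconds, address_space_bytes):
    """Build the hook that runs in the child between fork() and exec()."""
    def set_limits():
        # Soft limit delivers SIGXCPU; hard limit one second later is SIGKILL.
        _cap(resource.RLIMIT_CPU, cpu_seconds, cpu_seconds + 1)
        # Allocations beyond this fail instead of exhausting host RAM.
        _cap(resource.RLIMIT_AS, address_space_bytes, address_space_bytes)
    return set_limits


def run_limited(cmd, cpu_seconds=CPU_SECONDS,
                address_space_bytes=ADDRESS_SPACE_BYTES, wall_timeout=30):
    """Run cmd under the rlimits; return (returncode, stdout, stderr)."""
    proc = subprocess.run(
        cmd,
        stdout=subprocess.PIPE,
        stderr=subprocess.PIPE,
        preexec_fn=_limiter(cpu_seconds, address_space_bytes),
        timeout=wall_timeout,  # RLIMIT_CPU does not bound a blocked process
        check=False,
    )
    return proc.returncode, proc.stdout, proc.stderr


def qemu_img_info(path):
    """Inspect an untrusted image; fail closed if a limit is hit."""
    rc, out, err = run_limited(["qemu-img", "info", "--output=json", path])
    if rc < 0:
        raise RuntimeError("qemu-img killed by signal %d (limit hit)" % -rc)
    if rc != 0:
        raise RuntimeError("qemu-img failed: " + err.decode(errors="replace"))
    return out
```

The limits apply only to the child process, so the calling service keeps its own limits; a negative return code means the child was terminated by a signal such as SIGXCPU.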