Bug 1131770 (CVE-2014-5356)

Summary: CVE-2014-5356 openstack-glance: Glance store disk space exhaustion
Product: [Other] Security Response Reporter: Murray McAllister <mmcallis>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: abaron, akscram, alexander.sakhnov, aortega, apevec, apevec, ayoung, bfilippov, chazlett, chrisw, dallan, d.busby, eglynn, fpercoco, gkotton, itamar, jobernar, jonathansteffan, jose.castro.leon, jrusnack, lhh, lpeer, markmc, mlvov, mmagr, ndipanov, nsantos, p, rbryant, rk, sclewis, vdanen, yeylon
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
It was discovered that the image_size_cap configuration option in glance was not honored. An authenticated user could use this flaw to upload an image to glance and consume all available storage space, resulting in a denial of service.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2014-10-22 20:08:57 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1131771, 1131772, 1131773, 1131774, 1132310, 1132311, 1132312    
Bug Blocks: 1131776, 1147810    

Description Murray McAllister 2014-08-20 04:13:40 UTC 
The OpenStack project reports:

""
Thomas Leaman and Stuart McLaren from Hewlett Packard reported a
vulnerability in Glance. By uploading a large enough image to a Glance
store, an authenticated user may fill the store space because the
image_size_cap configuration option is not honored. This may prevent
further image upload and/or cause service disruption. Note that the
import method is not affected. All Glance setups using API v2 are
affected (unless you use a policy to restrict/disable image upload).
""

This affects versions up to 2013.2.3 and 2014.1 to 2014.1.2.

References:

http://seclists.org/oss-sec/2014/q3/410
https://bugs.launchpad.net/glance/+bug/1315321
https://review.openstack.org/#/c/91764/
Comment 2 Murray McAllister 2014-08-20 04:15:10 UTC 
Created openstack-glance tracking bugs for this issue:

Affects: epel-6 [bug 1131771]
Comment 3 Murray McAllister 2014-08-20 04:16:00 UTC 
Created openstack-glance tracking bugs for this issue:

Affects: fedora-19 [bug 1131773]
Affects: fedora-20 [bug 1131774]
Comment 6 errata-xmlrpc 2014-09-30 17:15:27 UTC 
This issue has been addressed in the following products:

  OpenStack 5 for RHEL 6

Via RHSA-2014:1338 https://rhn.redhat.com/errata/RHSA-2014-1338.html
Comment 7 errata-xmlrpc 2014-09-30 17:16:24 UTC 
This issue has been addressed in the following products:

  OpenStack 5 for RHEL 7

Via RHSA-2014:1337 https://rhn.redhat.com/errata/RHSA-2014-1337.html
Comment 8 Fedora Update System 2014-10-18 16:59:05 UTC 
openstack-glance-2013.2.4-1.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 9 Martin Prpič 2014-10-20 11:46:47 UTC 
IssueDescription:

It was discovered that the image_size_cap configuration option in glance was not honored. An authenticated user could use this flaw to upload an image to glance and consume all available storage space, resulting in a denial of service.
Comment 10 errata-xmlrpc 2014-10-22 17:23:39 UTC 
This issue has been addressed in the following products:

  OpenStack 4 for RHEL 6

Via RHSA-2014:1685 https://rhn.redhat.com/errata/RHSA-2014-1685.html