Bug 1183647 (CVE-2014-9623)

Summary: CVE-2014-9623 openstack-glance: user storage quota bypass
Product: [Other] Security Response Reporter: Vasyl Kaigorodov <vkaigoro>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: abaron, akscram, alexander.sakhnov, aortega, apevec, ayoung, bfilippov, chrisw, dallan, eglynn, fpercoco, gkotton, gmollett, itamar, jobernar, jonathansteffan, jose.castro.leon, karlthered, lhh, lpeer, markmc, mlvov, mmagr, ndipanov, nsantos, p, rbryant, rk, sclewis, vkaigoro, yeylon, yrabl
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Fixed In Version: Doc Type: Bug Fix
Doc Text:
A storage quota bypass flaw was found in OpenStack Image (glance). If an image was deleted while it was being uploaded, it would not count towards a user's quota. A malicious user could use this flaw to deliberately fill the backing store, and cause a denial of service.
Story Points: ---
Clone Of: Environment:
Last Closed: 2015-04-17 07:28:22 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Bug Depends On: 1187001, 1187002, 1187003, 1192212, 1192213    
Bug Blocks: 1183648    

Description Vasyl Kaigorodov 2015-01-19 11:49:10 UTC
Title: Glance user storage quota bypass
Reporter: Tushar Patil (NTT)
Products: Glance
Versions: up to 2014.1.3 and 2014.2 version up to 2014.2.1

Tushar Patil from NTT reported a vulnerability in Glance. By deleting images
that are being uploaded, a malicious user can overcome the storage quota and
thus may overrun the backend. Images in deleted state are not taken into
account by quota and won't be effectively deleted until the upload is
completed. Only Glance setups configured with user_storage_quota are



Red Hat would like to thank the OpenStack project for reporting this issue. Upstream acknowledges Tushar Patil of NTT as the original reporter.

Comment 1 Kurt Seifried 2015-01-23 20:18:52 UTC

Kilo (development branch) fix:

Juno fix:

Icehouse fix:

Comment 9 Flavio Percoco 2015-01-29 14:48:57 UTC
*** Bug 1117677 has been marked as a duplicate of this bug. ***

Comment 14 errata-xmlrpc 2015-03-05 19:30:45 UTC
This issue has been addressed in the following products:

  OpenStack 6 for RHEL 7

Via RHSA-2015:0644 https://rhn.redhat.com/errata/RHSA-2015-0644.html

Comment 15 errata-xmlrpc 2015-04-16 13:58:37 UTC
This issue has been addressed in the following products:

  OpenStack 5 for RHEL 7

Via RHSA-2015:0837 https://rhn.redhat.com/errata/RHSA-2015-0837.html

Comment 16 errata-xmlrpc 2015-04-16 15:09:03 UTC
This issue has been addressed in the following products:

  OpenStack 5 for RHEL 6

Via RHSA-2015:0838 https://rhn.redhat.com/errata/RHSA-2015-0838.html