Bug 1194697 (CVE-2014-9684, CVE-2015-1881)

Summary: CVE-2014-9684 CVE-2015-1881 openstack-glance: potential resource exhaustion and denial of service using images manipulation API
Product: [Other] Security Response Reporter: Vasyl Kaigorodov <vkaigoro>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: abaron, akscram, alexander.sakhnov, apevec, ayoung, bfilippov, chrisw, dallan, eglynn, gkotton, gmollett, itamar, jobernar, jonathansteffan, jose.castro.leon, karlthered, lhh, lpeer, markmc, mlvov, mmagr, nsantos, p, rbryant, rk, sclewis, srevivo
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: openstack-glance 2014.2.3 Doc Type: Bug Fix
Doc Text:
Multiple flaws were found in the glance task API that could cause untracked image data to be left in the back end. A malicious user could use these flaws to deliberately accumulate untracked image data, and cause a denial of service via resource exhaustion.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2019-06-08 02:38:58 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1197578, 1215919    
Bug Blocks: 1194702    
Attachments:
Description Flags
CVE-2015-1881 Juno Patch
none
CVE-2014-9684 Juno Patch none

Description Vasyl Kaigorodov 2015-02-20 14:55:53 UTC 
Following vulnerability has been reported in Openstack Glance:

Title: Glance import task leaks image in backend
Reporter: Abhishek Kekane (NTT)
Products: Glance
Affects: 2014.2 versions through 2014.2.2

Description:
Abhishek Kekane from NTT reported a vulnerability in the Glance import task.
By creating numerous images using the task API and deleting them, an
authenticated attacker may accumulate untracked image data in the backend
resulting in potential resource exhaustion and denial of service. All glance
setups using API v2 are affected.

References:
https://launchpad.net/bugs/1420696
https://launchpad.net/bugs/1422716

2 CVEs were assigned to this issue: http://seclists.org/oss-sec/2015/q1/603
Comment 1 Garth Mollett 2015-03-02 05:47:15 UTC 
Created openstack-glance tracking bugs for this issue:

Affects: openstack-rdo [bug 1197578]
Comment 4 Garth Mollett 2015-03-05 04:40:36 UTC 
Created attachment 998154 [details]
CVE-2015-1881 Juno Patch
Comment 5 Garth Mollett 2015-03-05 04:42:16 UTC 
Created attachment 998155 [details]
CVE-2014-9684 Juno Patch
Comment 7 errata-xmlrpc 2015-05-05 13:09:04 UTC 
This issue has been addressed in the following products:

  OpenStack 6 for RHEL 7

Via RHSA-2015:0938 https://rhn.redhat.com/errata/RHSA-2015-0938.html