Bug 1267516 (CVE-2015-5286)
| Field | Value | Field | Value |
|---|---|---|---|
| Summary | CVE-2015-5286 openstack-glance: Storage overrun by deleting images | | |
| Product | [Other] Security Response | Reporter | Adam Mariš <amaris> |
| Component | vulnerability | Assignee | Red Hat Product Security <security-response-team> |
| Status | CLOSED ERRATA | QA Contact | |
| Severity | medium | Docs Contact | |
| Priority | medium | | |
| Version | unspecified | CC | abaron, aortega, apevec, ayoung, chrisw, cyril, dallan, eglynn, fpercoco, gkotton, gmollett, jjoyce, jrusnack, jschluet, kbasil, lhh, lpeer, markmc, mburns, rbryant, sclewis, security-response-team, slinaber, slong, srevivo, tdecacqu, yeylon |
| Target Milestone | --- | Keywords | Security |
| Target Release | --- | | |
| Hardware | All | | |
| OS | Linux | | |
| Whiteboard | | | |
| Fixed In Version | | Doc Type | Bug Fix |
| Doc Text | A race-condition flaw was discovered in the OpenStack Image service (glance). When images in the upload state were deleted using a token close to expiration, untracked image data could accumulate in the back end. Because untracked data does not count towards the storage quota, an attacker could use this flaw to cause a denial of service through resource exhaustion. | | |
| Story Points | --- | | |
| Clone Of | | | |
| | 1272824 (view as bug list) | Environment | |
| Last Closed | 2015-10-15 21:40:36 UTC | Type | --- |
| Regression | --- | Mount Type | --- |
| Documentation | --- | CRM | |
| Verified Versions | | Category | --- |
| oVirt Team | --- | RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- | Target Upstream Version | |
| Embargoed | | | |
| Bug Depends On | 1268208, 1268209, 1269275, 1269276, 1269277, 1269278 | | |
| Bug Blocks | 1263515, 1267518 | | |
| Attachments | | | |
Description
Adam Mariš
2015-09-30 09:10:08 UTC
Created attachment 1078568 [details]
Master patch
Created attachment 1078569 [details]
Stable/juno patch
Created attachment 1078570 [details]
Stable/kilo patch
Note that it's now public upstream and the proposed patch missed a fix for the import task API V2: https://review.openstack.org/#/q/Ia6e1fe0d27b13b920ee7e728feb5305dec77e066,n,z

Public via: https://bugs.launchpad.net/glance/+bug/1498163

Created openstack-glance tracking bugs for this issue:

Affects: openstack-rdo [bug 1268208]
Affects: fedora-all [bug 1268209]

Martin, the attachments were correct, it's just that this needs an extra set of patches to fully address this CVE.

You can preview the upcoming advisory (including all required change review URLs) here: https://review.openstack.org/#/c/229950/2/ossa/OSSA-2015-020.yaml

Hi, I think we are missing BZs for OSP5/OSP6/OSP7?

(In reply to Tristan Cacqueray from comment #10)
> Martin, the attachments were correct, it's just that this needs an extra set of
> patches to fully address this CVE.
>
> You can preview the upcoming advisory (including all required change review
> URLs) here: https://review.openstack.org/#/c/229950/2/ossa/OSSA-2015-020.yaml

Ah, ok, I thought the ones you linked to were meant to replace the old ones.

(In reply to Flavio Percoco from comment #11)
> Hi, I think we are missing BZs for OSP5/OSP6/OSP7?

These will be filed as soon as we're done with the analysis of this issue. Stay tuned!

Acknowledgements:

Red Hat would like to thank the OpenStack project for reporting this issue. Upstream acknowledges Mike Fedosin and Alexei Galkin of Mirantis as the original reporters.

This issue has been addressed in the following products:

OpenStack 5 for RHEL 6
OpenStack 5 for RHEL 7
OpenStack 6 for RHEL 7
OpenStack 7 for RHEL 7

Via RHSA-2015:1897 https://rhn.redhat.com/errata/RHSA-2015-1897.html