Bug 1268303 (CVE-2015-5162)
Summary: | CVE-2015-5162 openstack-nova/glance/cinder: Malicious image may exhaust resources | | |
---|---|---|---|
Product: | [Other] Security Response | Reporter: | Adam Mariš <amaris> |
Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
Status: | CLOSED ERRATA | QA Contact: | |
Severity: | medium | Docs Contact: | |
Priority: | medium | | |
Version: | unspecified | CC: | abaron, akscram, alexander.sakhnov, aortega, apevec, apevec, ayoung, berrange, bfilippov, bleanhar, ccoleman, chrisw, cvsbot-xmlrpc, cyril, dallan, dasmith, dmcphers, eglynn, eharney, fpercoco, gkotton, itamar, jdetiber, jhakimra, jialiu, jjoyce, jkeck, jobernar, jokerman, jonathansteffan, jose.castro.leon, jschluet, karlthered, kbasil, kchamart, kseifried, lhh, lmeyer, lpeer, markmc, masaki.kimura.kz, mburns, mlvov, mmagr, mmccomas, ndipanov, nova-maint, nsantos, rbryant, rk, sbauza, sclewis, security-response-team, sferdjao, sgordon, slinaber, slong, srevivo, tdecacqu, tshefi, vromanso, weli |
Target Milestone: | --- | Keywords: | Security |
Target Release: | --- | | |
Hardware: | All | | |
OS: | Linux | | |
Whiteboard: | | | |
Fixed In Version: | | Doc Type: | Bug Fix |
Doc Text: | A resource vulnerability in the OpenStack Compute (nova), Block Storage (cinder), and Image (glance) services was found in their use of qemu-img. An unprivileged user could consume as much as 4 GB of RAM on the compute host by uploading a malicious image. This flaw could possibly lead to host out-of-memory errors and negatively affect other running tenant instances. oslo.concurrency has been updated to support process limits ('prlimit'), which is needed to fix this flaw. | | |
Story Points: | --- | | |
Clone Of: | | Environment: | |
Last Closed: | 2017-03-03 00:04:43 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | | Category: | --- |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | | | |
Bug Depends On: | 1267576, 1328957, 1382549, 1382550, 1382551, 1382552, 1382553, 1382554, 1382555, 1382556, 1382557, 1382558, 1382559, 1382560, 1382561, 1382562, 1382563, 1382564, 1382565, 1382566, 1382567, 1382568, 1382569, 1382570, 1382571, 1382572, 1382573, 1382574, 1382575 | | |
Bug Blocks: | 1268306 | | |
Description
Adam Mariš
2015-10-02 13:23:06 UTC
Upstream patches have been released:
- https://review.openstack.org/382573 (cinder) (Liberty)
- https://review.openstack.org/378012 (glance) (Liberty)
- https://review.openstack.org/327624 (nova) (Liberty)
- https://review.openstack.org/375625 (cinder) (Mitaka)
- https://review.openstack.org/377736 (glance) (Mitaka)
- https://review.openstack.org/326327 (nova) (Mitaka)
- https://review.openstack.org/375102 (cinder) (Newton)
- https://review.openstack.org/377734 (glance) (Newton)
- https://review.openstack.org/307663 (nova) (Newton)
- https://review.openstack.org/375099 (cinder) (Ocata)
- https://review.openstack.org/375526 (glance) (Ocata)

Created openstack-nova tracking bugs for this issue:
Affects: openstack-rdo [bug 1382553]
Affects: fedora-all [bug 1382554]

Created openstack-cinder tracking bugs for this issue:
Affects: openstack-rdo [bug 1382572]
Affects: fedora-all [bug 1382574]

Created openstack-glance tracking bugs for this issue:
Affects: openstack-rdo [bug 1382573]
Affects: fedora-all [bug 1382575]

Acknowledgments:
Name: Richard W.M. Jones (Red Hat)

This issue has been addressed in the following products:
Red Hat OpenStack Platform 9.0 (Mitaka)
Via RHSA-2016:2923 https://rhn.redhat.com/errata/RHSA-2016-2923.html

This issue has been addressed in the following products:
Red Hat OpenStack Platform 8.0 (Liberty)
Via RHSA-2016:2991 https://rhn.redhat.com/errata/RHSA-2016-2991.html

This issue has been addressed in the following products:
Red Hat Enterprise Linux OpenStack Platform 6.0 (Juno) for RHEL 7
Via RHSA-2017:0156 https://rhn.redhat.com/errata/RHSA-2017-0156.html

This issue has been addressed in the following products:
Red Hat Enterprise Linux OpenStack Platform 5.0 (Icehouse) for RHEL 7
Via RHSA-2017:0153 https://rhn.redhat.com/errata/RHSA-2017-0153.html

This issue has been addressed in the following products:
Red Hat Enterprise Linux OpenStack Platform 5.0 (Icehouse) for RHEL 6
Via RHSA-2017:0165 https://rhn.redhat.com/errata/RHSA-2017-0165.html

This issue has been addressed in the following products:
Red Hat Enterprise Linux OpenStack Platform 7.0 (Kilo) for RHEL 7
Via RHSA-2017:0282 https://rhn.redhat.com/errata/RHSA-2017-0282.html

Hi Kashyap, looks like the Hitachi bug (1267576) is a duplicate of https://bugzilla.redhat.com/show_bug.cgi?id=1382552, which has been dealt with in CVE-2015-5162, and released in RHSA-2017:0282. Can you confirm? thanks, Summer

(In reply to Summer Long from comment #21)
> Hi Kashyap, looks like the Hitachi bug (1267576) is a duplicate of
> https://bugzilla.redhat.com/show_bug.cgi?id=1382552, which has been dealt
> with in CVE-2015-5162, and released in RHSA-2017:0282. Can you confirm?
> thanks, Summer

Hi Summer, sorry for the delayed response. Yes, you are correct. Just to double-confirm, I checked in the RHOS-7 Git, too (if you look at the end, it indeed says: "Resolves: rhbz#1382552"). I will close the RHOS-7 Hitachi bug, with this pointer.

------------------------------------------------------------------------
commit a7084406eb6d34de55c4a6ecae26ae3c400500b3
Author:     Daniel P. Berrange <berrange>
AuthorDate: Mon Apr 18 16:32:19 2016 +0000
Commit:     Kashyap Chamarthy <kchamart>
CommitDate: Tue Oct 18 10:15:24 2016 -0400

virt: set address space & CPU time limits when running qemu-img

This uses the new 'prlimit' parameter for oslo.concurrency execute method, to set an address space limit of 1GB and CPU time limit of 2 seconds, when running qemu-img.

This is a re-implementation of the previously reverted commit

    commit da217205f53f9a38a573fb151898fbbeae41021d
    Author: Tristan Cacqueray <tdecacqu>
    Date:   Wed Aug 5 17:17:04 2015 +0000

        virt: Use preexec_fn to ulimit qemu-img info call

NOTE (kchamart) [stable/liberty]: Add a check for the presence of 'ProcessLimits' attribute (which is only present in oslo.concurrency>=2.6.1; and a conditional check for 'prlimit' parameter in qemu_img_info() method.

Upstream discussion[1][2] that led to merging this patch to stable/liberty branch.

[1] http://lists.openstack.org/pipermail/openstack-dev/2016-September/104091.html
[2] http://lists.openstack.org/pipermail/openstack-dev/2016-September/104303.html

NOTE (kchamart) [RHOS-7]:
- Conflicts:
  - nova/tests/unit/virt/libvirt/test_driver.py
  - nova/virt/images.py
- Update test_qemu_info_with_errors() in tests/unit/virt/test_images.py
  - The fix catches 'ProcessExecutionError', and raises it as 'InvalidDiskInfo' exception. However, the test was still catching ProcessExecutionError -- update it to catch 'InvalidDiskInfo'.
- Remove the now-unused import of 'processutils'
- Upstream-Liberty: https://review.openstack.org/#/c/327624/
- [Kilo is EOL, hence backporting from Liberty branch]

Resolves: rhbz#1382552
Closes-Bug: #1449062
Change-Id: I135b5242af1bfdcb0ea09a6fcda21fc03a6fbe7d
(cherry picked from commit 068d851561addfefb2b812d91dc2011077cb6e1d)
(cherry picked from commit 6bc37dcceca823998068167b49aec6def3112397)
Reviewed-on: https://code.engineering.redhat.com/gerrit/87164
Tested-by: RHOS Jenkins <apevec+rhosci>
Reviewed-by: Sahid Ferdjaoui <sahid.ferdjaoui>
Reviewed-by: Michal Pryc <mpryc>
------------------------------------------------------------------------

*** Bug 1267576 has been marked as a duplicate of this bug. ***
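The mitigation the commit message above describes, re-created as an added example that is not nova's or oslo.concurrency's own code: qemu-img runs under a 1 GiB address-space cap and a 2 s CPU-time cap, applied here with resource.setrlimit() in a preexec_fn (the approach of the reverted original patch) plus a wall-clock timeout as a backstop. The run_limited() and qemu_img_info() names and the Python-based self-checks are constructed for this example; only qemu_img_info() needs a qemu-img binary.

```python
import json
import resource
import subprocess
import sys

ADDRESS_SPACE_LIMIT = 1 * 1024 ** 3   # 1 GiB, the value the nova fix uses
CPU_TIME_LIMIT = 2                     # seconds, the value the nova fix uses
PYTHON = sys.executable                # for the constructed self-checks below


def _limit_child(address_space, cpu_seconds):
    """Build a preexec_fn that caps the child between fork() and exec()."""
    def apply():
        # Soft == hard, so the child cannot raise the caps again.
        resource.setrlimit(resource.RLIMIT_AS, (address_space, address_space))
        resource.setrlimit(resource.RLIMIT_CPU, (cpu_seconds, cpu_seconds))
    return apply


def run_limited(cmd, address_space=ADDRESS_SPACE_LIMIT,
                cpu_seconds=CPU_TIME_LIMIT, wall_seconds=10):
    """Run cmd under RLIMIT_AS/RLIMIT_CPU; returns (returncode, stdout, stderr).
    returncode < 0 means the kernel killed the child with that signal (SIGXCPU
    or SIGKILL at the CPU cap); None means the wall-clock backstop fired, which
    is still needed because RLIMIT_CPU ignores time spent blocked on I/O."""
    try:
        proc = subprocess.run(cmd, capture_output=True, timeout=wall_seconds,
                              preexec_fn=_limit_child(address_space, cpu_seconds))
    except subprocess.TimeoutExpired as exc:
        return None, exc.stdout or b"", exc.stderr or b""
    return proc.returncode, proc.stdout, proc.stderr


def qemu_img_info(path):
    """'qemu-img info --output=json' under the caps; any failure becomes an
    error, as the fix maps a killed qemu-img to InvalidDiskInfo in nova."""
    rc, out, err = run_limited(["qemu-img", "info", "--output=json", path])
    if rc != 0:
        raise RuntimeError(f"qemu-img info failed (rc={rc}): {err.decode(errors='replace')}")
    return json.loads(out)


def allocation_blocked(size_bytes=2 * 1024 ** 3):
    """Constructed check: a child grabbing 2 GiB must fail under the 1 GiB cap."""
    rc, _, _ = run_limited([PYTHON, "-c", f"bytearray({size_bytes})"])
    return rc != 0


def spinner_stopped(cpu_seconds=1):
    """Constructed check: a busy loop never completes normally under the CPU cap."""
    rc, _, _ = run_limited([PYTHON, "-c", "while True: pass"],
                           cpu_seconds=cpu_seconds, wall_seconds=5)
    return rc != 0
```

oslo.concurrency's ProcessLimits applies the same caps by wrapping the command in a prlimit helper process rather than a preexec_fn. Either way RLIMIT_CPU bounds CPU time only, so the wall-clock timeout still matters for a qemu-img that stalls on I/O.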