Bug 1268303 (CVE-2015-5162)

Summary: CVE-2015-5162 openstack-nova/glance/cinder: Malicious image may exhaust resources
Product: [Other] Security Response
Reporter: Adam Mariš <amaris>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
CC: abaron, akscram, alexander.sakhnov, aortega, apevec, apevec, ayoung, berrange, bfilippov, bleanhar, ccoleman, chrisw, cvsbot-xmlrpc, cyril, dallan, dasmith, dmcphers, eglynn, eharney, fpercoco, gkotton, itamar, jdetiber, jhakimra, jialiu, jjoyce, jkeck, jobernar, jokerman, jonathansteffan, jose.castro.leon, jschluet, karlthered, kbasil, kchamart, kseifried, lhh, lmeyer, lpeer, markmc, masaki.kimura.kz, mburns, mlvov, mmagr, mmccomas, ndipanov, nova-maint, nsantos, rbryant, rk, sbauza, sclewis, security-response-team, sferdjao, sgordon, slinaber, slong, srevivo, tdecacqu, tshefi, vromanso, weli
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
A resource-exhaustion vulnerability in the OpenStack Compute (nova), Block Storage (cinder), and Image (glance) services was found in their use of qemu-img. An unprivileged user could consume as much as 4 GB of RAM on the compute host by uploading a malicious image. This flaw could possibly lead to host out-of-memory errors and negatively affect other running tenant instances. oslo.concurrency has been updated to support process limits ('prlimit'), which is needed to fix this flaw.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2017-03-03 00:04:43 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1267576, 1328957, 1382549, 1382550, 1382551, 1382552, 1382553, 1382554, 1382555, 1382556, 1382557, 1382558, 1382559, 1382560, 1382561, 1382562, 1382563, 1382564, 1382565, 1382566, 1382567, 1382568, 1382569, 1382570, 1382571, 1382572, 1382573, 1382574, 1382575    
Bug Blocks: 1268306    

Description Adam Mariš 2015-10-02 13:23:06 UTC
A vulnerability in openstack-nova was found, allowing an unprivileged user to consume as much as 4 GB of RAM on the host by uploading a malicious image, possibly leading to OOM on the compute host, negatively affecting the other running instances for other tenants.

Product bug:

https://bugzilla.redhat.com/show_bug.cgi?id=1267576

Upstream bug:

https://bugs.launchpad.net/ossa/+bug/1449062

Comment 2 Summer Long 2016-10-07 01:38:36 UTC
Upstream patches have been released:
- https://review.openstack.org/382573 (cinder) (Liberty)
- https://review.openstack.org/378012 (glance) (Liberty)
- https://review.openstack.org/327624 (nova) (Liberty)
- https://review.openstack.org/375625 (cinder) (Mitaka)
- https://review.openstack.org/377736 (glance) (Mitaka)
- https://review.openstack.org/326327 (nova) (Mitaka)
- https://review.openstack.org/375102 (cinder) (Newton)
- https://review.openstack.org/377734 (glance) (Newton)
- https://review.openstack.org/307663 (nova) (Newton)
- https://review.openstack.org/375099 (cinder) (Ocata)
- https://review.openstack.org/375526 (glance) (Ocata)

Comment 6 Summer Long 2016-10-07 04:57:06 UTC
Created openstack-nova tracking bugs for this issue:

Affects: openstack-rdo [bug 1382553]
Affects: fedora-all [bug 1382554]

Comment 7 Summer Long 2016-10-07 04:57:24 UTC
Created openstack-cinder tracking bugs for this issue:

Affects: openstack-rdo [bug 1382572]
Affects: fedora-all [bug 1382574]

Comment 8 Summer Long 2016-10-07 04:57:41 UTC
Created openstack-glance tracking bugs for this issue:

Affects: openstack-rdo [bug 1382573]
Affects: fedora-all [bug 1382575]

Comment 9 Summer Long 2016-10-12 01:18:36 UTC
Acknowledgments:

Name: Richard W.M. Jones (Red Hat)

Comment 15 errata-xmlrpc 2016-12-07 22:20:17 UTC
This issue has been addressed in the following products:

  Red Hat OpenStack Platform 9.0 (Mitaka)

Via RHSA-2016:2923 https://rhn.redhat.com/errata/RHSA-2016-2923.html

Comment 16 errata-xmlrpc 2016-12-21 16:38:32 UTC
This issue has been addressed in the following products:

  Red Hat OpenStack Platform 8.0 (Liberty)

Via RHSA-2016:2991 https://rhn.redhat.com/errata/RHSA-2016-2991.html

Comment 17 errata-xmlrpc 2017-01-19 13:27:50 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux OpenStack Platform 6.0 (Juno) for RHEL 7

Via RHSA-2017:0156 https://rhn.redhat.com/errata/RHSA-2017-0156.html

Comment 18 errata-xmlrpc 2017-01-19 13:29:20 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux OpenStack Platform 5.0 (Icehouse) for RHEL 7

Via RHSA-2017:0153 https://rhn.redhat.com/errata/RHSA-2017-0153.html

Comment 19 errata-xmlrpc 2017-01-19 13:33:32 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux OpenStack Platform 5.0 (Icehouse) for RHEL 6

Via RHSA-2017:0165 https://rhn.redhat.com/errata/RHSA-2017-0165.html

Comment 20 errata-xmlrpc 2017-02-15 22:53:20 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux OpenStack Platform 7.0 (Kilo) for RHEL 7

Via RHSA-2017:0282 https://rhn.redhat.com/errata/RHSA-2017-0282.html

Comment 21 Summer Long 2017-02-15 23:26:36 UTC
Hi Kashyap, looks like the Hitachi bug (1267576) is a duplicate of https://bugzilla.redhat.com/show_bug.cgi?id=1382552, which has been dealt with in CVE-2015-5162, and released in RHSA-2017:0282. Can you confirm? thanks, Summer

Comment 22 Kashyap Chamarthy 2017-03-01 14:22:13 UTC
(In reply to Summer Long from comment #21)
> Hi Kashyap, looks like the Hitachi bug (1267576) is a duplicate of
> https://bugzilla.redhat.com/show_bug.cgi?id=1382552, which has been dealt
> with in CVE-2015-5162, and released in RHSA-2017:0282. Can you confirm?
> thanks, Summer

Hi Summer, sorry for the delayed response.

Yes, you are correct. Just to double-confirm, I checked in the RHOS-7 Git, too (if you look at the end, it indeed says: "Resolves: rhbz#1382552").

I will close the RHOS-7 Hitachi bug, with this pointer.

------------------------------------------------------------------------
commit a7084406eb6d34de55c4a6ecae26ae3c400500b3
Author:     Daniel P. Berrange <berrange>
AuthorDate: Mon Apr 18 16:32:19 2016 +0000
Commit:     Kashyap Chamarthy <kchamart>
CommitDate: Tue Oct 18 10:15:24 2016 -0400

    virt: set address space & CPU time limits when running qemu-img
    
    This uses the new 'prlimit' parameter for oslo.concurrency execute
    method, to set an address space limit of 1GB and CPU time limit
    of 2 seconds, when running qemu-img.
    
    This is a re-implementation of the previously reverted commit
    
    commit da217205f53f9a38a573fb151898fbbeae41021d
    Author: Tristan Cacqueray <tdecacqu>
    Date:   Wed Aug 5 17:17:04 2015 +0000
    
        virt: Use preexec_fn to ulimit qemu-img info call
    
    NOTE (kchamart) [stable/liberty]: Add a check for the presence of
    'ProcessLimits' attribute (which is only present in
    oslo.concurrency>=2.6.1; and a conditional check for 'prlimit' parameter
    in qemu_img_info() method.
    
    Upstream discussion[1][2] that led to merging this patch to
    stable/liberty branch.
    
    [1] http://lists.openstack.org/pipermail/openstack-dev/2016-September/104091.html
    [2] http://lists.openstack.org/pipermail/openstack-dev/2016-September/104303.html
    
    NOTE (kchamart) [RHOS-7]:
     - Conflicts:
        - nova/tests/unit/virt/libvirt/test_driver.py
        - nova/virt/images.py
    
     - Update test_qemu_info_with_errors() in tests/unit/virt/test_images.py
        - The fix catches 'ProcessExecutionError', and raises it as
          'InvalidDiskInfo' exception.  However, the test was still catching
          ProcessExecutionError -- update it to catch 'InvalidDiskInfo'.
        - Remove the now-unused import of 'processutils'
    
     - Upstream-Liberty: https://review.openstack.org/#/c/327624/
        - [Kilo is EOL, hence backporting from Liberty branch]
    
    Resolves: rhbz#1382552
    Closes-Bug: #1449062
    Change-Id: I135b5242af1bfdcb0ea09a6fcda21fc03a6fbe7d
    (cherry picked from commit 068d851561addfefb2b812d91dc2011077cb6e1d)
    (cherry picked from commit 6bc37dcceca823998068167b49aec6def3112397)
    Reviewed-on: https://code.engineering.redhat.com/gerrit/87164
    Tested-by: RHOS Jenkins <apevec+rhosci>
    Reviewed-by: Sahid Ferdjaoui <sahid.ferdjaoui>
    Reviewed-by: Michal Pryc <mpryc>
------------------------------------------------------------------------
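The mitigation the commit message in comment 22 describes (cap the address space and CPU time of the qemu-img child so a crafted image cannot push the compute host into OOM), as an added example that is not nova's code and not the commit's own diff. It uses the same values the commit names, a 1 GB address-space limit and a 2 second CPU-time limit, but applies them with Python's resource module in a preexec_fn (the approach of the earlier, reverted commit da217205 quoted above) rather than through the 'prlimit' parameter of oslo.concurrency's execute. The names execute_with_limits, stand_in_run, Result and the qemu_img_info wrapper are assumptions made for this example; InvalidDiskInfo is the exception name the commit message cites. It requires Linux, and the demo uses the Python interpreter as a stand-in child so it runs without qemu-img installed.

```python
"""Run qemu-img (or any helper) under address-space and CPU-time rlimits.

Added example, not nova's own code: it mirrors the fix described in the
commit message (1 GB address space, 2 s CPU time for qemu-img) but applies
the limits with resource.setrlimit in a preexec_fn instead of
oslo.concurrency's prlimit parameter. Linux only.
"""
import resource
import subprocess
import sys
from dataclasses import dataclass

GB = 1024 ** 3
# Values from the commit message: 1 GB address space, 2 seconds of CPU time.
QEMU_IMG_ADDRESS_SPACE = 1 * GB
QEMU_IMG_CPU_TIME = 2


class InvalidDiskInfo(Exception):
    """Raised when image inspection fails (name taken from the commit message)."""


@dataclass
class Result:
    returncode: int   # negative when the child was killed by a signal
    stdout: str
    stderr: str


def _clamp(limit, resource_id):
    """Never ask for more than the current hard limit, or setrlimit raises."""
    _soft, hard = resource.getrlimit(resource_id)
    if hard != resource.RLIM_INFINITY:
        return min(limit, hard)
    return limit


def _limit_child(address_space, cpu_time):
    """Build the preexec_fn that lowers the child's rlimits before exec."""
    def apply_limits():
        # RLIMIT_AS caps virtual memory: a malicious image that makes qemu-img
        # allocate several GB now fails with ENOMEM inside the child instead
        # of exhausting the compute host's RAM.
        mem = _clamp(address_space, resource.RLIMIT_AS)
        resource.setrlimit(resource.RLIMIT_AS, (mem, mem))
        # RLIMIT_CPU: SIGXCPU at the soft limit, SIGKILL at the hard limit, so
        # an image that keeps qemu-img busy indefinitely is terminated.
        cpu = _clamp(cpu_time, resource.RLIMIT_CPU)
        resource.setrlimit(resource.RLIMIT_CPU, (cpu, _clamp(cpu + 1, resource.RLIMIT_CPU)))
    return apply_limits


def execute_with_limits(cmd, address_space, cpu_time):
    """Run cmd under the given rlimits; a non-zero exit is reported, not raised."""
    proc = subprocess.run(
        cmd,
        stdout=subprocess.PIPE,
        stderr=subprocess.PIPE,
        preexec_fn=_limit_child(address_space, cpu_time),
        text=True,
    )
    return Result(proc.returncode, proc.stdout, proc.stderr)


def qemu_img_info(path):
    """Inspect an image with qemu-img under the limits the fix uses.

    As the commit message describes, a failed or killed qemu-img run surfaces
    as InvalidDiskInfo rather than as a raw process-execution error.
    """
    result = execute_with_limits(["qemu-img", "info", path],
                                 QEMU_IMG_ADDRESS_SPACE, QEMU_IMG_CPU_TIME)
    if result.returncode != 0:
        raise InvalidDiskInfo("qemu-img info failed on %s (rc=%d): %s"
                              % (path, result.returncode, result.stderr.strip()))
    return result.stdout


def stand_in_run(code, address_space=QEMU_IMG_ADDRESS_SPACE, cpu_time=QEMU_IMG_CPU_TIME):
    """Run a Python snippet as a stand-in for qemu-img (demo helper, assumption)."""
    return execute_with_limits([sys.executable, "-c", code], address_space, cpu_time)


if __name__ == "__main__":
    # A child that tries to allocate 2 GB dies with MemoryError under the 1 GB cap.
    hog = stand_in_run("bytearray(2 * 1024 ** 3)")
    print("memory hog rc=%d, MemoryError=%s" % (hog.returncode, "MemoryError" in hog.stderr))
    # A child that spins is killed by the CPU-time limit (negative returncode).
    spin = stand_in_run("while True: pass", cpu_time=1)
    print("cpu spinner rc=%d" % spin.returncode)
```

The clamp step matters in practice: setrlimit can only lower a hard limit, so a service already started under a tighter limit (systemd LimitAS, a container runtime) would otherwise fail in preexec_fn for every call. Note also that preexec_fn runs between fork and exec in a multithreaded parent, which is why oslo.concurrency went with a separate 'prlimit' helper process instead of this approach.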

Comment 23 Ollie Walsh 2018-01-08 15:53:30 UTC
*** Bug 1267576 has been marked as a duplicate of this bug. ***