| Field | Value | Field | Value |
|---|---|---|---|
| Summary: | CVE-2015-5295 openstack-heat: Vulnerability in Heat template validation leading to DoS | | |
| Product: | [Other] Security Response | Reporter: | Adam Mariš <amaris> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED ERRATA | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | | |
| Version: | unspecified | CC: | abaron, aortega, apevec, augol, ayoung, chrisw, cvsbot-xmlrpc, dallan, gkotton, gmollett, jpeeler, jschluet, lhh, lpeer, markmc, mburns, rbryant, sbaker, sclewis, security-response-team, shardy, slong, tdecacqu, yeylon, zbitter |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | Bug Fix |
| Doc Text: | A vulnerability was discovered in the OpenStack Orchestration service (heat), where a specially formatted template could be used to trick the heat-engine service into opening a local file. Although the file contents are never disclosed to the end user, an OpenStack-authenticated attacker could use this flaw to cause a denial of service or determine whether a given file name is present on the server. | | |
| Story Points: | --- | | |
| Clone Of: | | Environment: | |
| Last Closed: | 2016-03-14 09:58:35 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Bug Depends On: | 1298808, 1298809, 1298810, 1298811, 1298812, 1300090, 1300091 | | |
| Bug Blocks: | 1298296 | | |
| Attachments: | | | |
Description
Adam Mariš 2016-01-13 16:49:00 UTC

Created attachment 1114470 [details]
Master/mitaka patch

Created attachment 1114471 [details]
Stable/kilo patch

Created attachment 1114472 [details]
Stable/liberty patch

Created attachment 1114967 [details]
stable/juno patch

Created attachment 1114968 [details]
stable/icehouse patch

Created openstack-heat tracking bugs for this issue:
Affects: fedora-all [bug 1300091]

openstack-heat-2015.1.2-2.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.

Acknowledgements:
This issue was discovered by Steven Hardy of Red Hat.

This issue has been addressed in the following products:
OpenStack 7 For RHEL 7
Via RHSA-2016:0266 https://rhn.redhat.com/errata/RHSA-2016-0266.html

This issue has been addressed in the following products:
Red Hat Enterprise Linux OpenStack Platform 6.0 (Juno) for RHEL 7
Via RHSA-2016:0442 https://rhn.redhat.com/errata/RHSA-2016-0442.html

This issue has been addressed in the following products:
Red Hat Enterprise Linux OpenStack Platform 5.0 (Icehouse) for RHEL 7
Via RHSA-2016:0441 https://rhn.redhat.com/errata/RHSA-2016-0441.html

This issue has been addressed in the following products:
Red Hat Enterprise Linux OpenStack Platform 5.0 (Icehouse) for RHEL 6
Via RHSA-2016:0440 https://rhn.redhat.com/errata/RHSA-2016-0440.html