Bug 963462 (CVE-2013-2096)

Summary: CVE-2013-2096 OpenStack Nova: fails to verify image virtual size denial of service
Product: [Other] Security Response Reporter: Kurt Seifried <kseifried>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: abaron, akscram, alexander.sakhnov, aortega, apevec, apevec, asalkeld, ayoung, bfilippov, breu, chrisw, dallan, d.busby, gmollett, Jan.van.Eldik, jkt, jlieskov, jonathansteffan, jose.castro.leon, markmc, matt_domsch, mlvov, mmagr, ndipanov, p, rbryant, rhos-maint, rkukura, sclewis, security-response-team
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2013-08-10 00:51:23 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 963463, 963470, 963727, 963728    
Bug Blocks: 963471    

Description Kurt Seifried 2013-05-15 20:24:36 UTC 
Michael Still (mikal) reports:

Title: Nova fails to verify image virtual size
Reporter: Loganathan Parthipan
Products: Nova
Affects: All versions

Loganathan Parthipan publicly reported a vulnerability in Nova. Nova
did not implement checking for the virtual size of a qcow2 image used
as ephemeral storage for instances. It is therefore possible for a
user to create an image which has a large virtual size, but little
data. Once the instance is created, the user can then proceed to fill
the virtual disk, and consume all available disk on the host node file
system.

Havana (development branch) fix:
https://review.openstack.org/28717

Grizzly fix:
https://review.openstack.org/28901

Folsom fix:
https://review.openstack.org/29192

References:
https://bugs.launchpad.net/nova/+bug/1177830
Comment 3 Jan Lieskovsky 2013-05-16 12:55:50 UTC 
Public via:
  http://www.openwall.com/lists/oss-security/2013/05/16/7
Comment 4 Jan Lieskovsky 2013-05-16 13:30:21 UTC 
This issue did NOT affect the version of the openstack-nova package, as shipped with Fedora release of 17.

--

This issue affects the version of the openstack-nova package, as shipped with Fedora release of 18. Please schedule an update.

--

This issue affects the version of the openstack-nova package, as shipped with Fedora EPEL-6. Please schedule an update.
Comment 5 Jan Lieskovsky 2013-05-16 13:31:46 UTC 
Created openstack-nova tracking bugs for this issue

Affects: fedora-18 [bug 963727]
Affects: epel-6 [bug 963728]
Comment 6 Kurt Seifried 2013-06-10 19:23:46 UTC 
This issue has been addressed in following products:

  Red Hat OpenStack 3.0 Snap 1

Via RHBA-2013-0878 https://rhn.redhat.com/errata/RHBA-2013-0878.html
Comment 7 Kurt Seifried 2013-07-04 06:54:22 UTC 
Statement:

The Red Hat Security Response Team has rated this issue as having moderate security impact. This issue is not currently planned to be addressed in OpenStack 2.1 (Folsom). This issue is planned to be addressed in version OpenStack 3.0 (Grizzly). For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.
Comment 8 Jan Lieskovsky 2013-07-10 09:24:39 UTC 
Upstream patches:
  https://review.openstack.org/28717 (Havana)
  https://review.openstack.org/28901 (Grizzly)
  https://review.openstack.org/29192 (Folsom)

External References:

http://lists.openstack.org/pipermail/openstack-announce/2013-May/000102.html