Red Hat Bugzilla – Bug 1131770
CVE-2014-5356 openstack-glance: Glance store disk space exhaustion
Last modified: 2016-04-26 10:21:26 EDT
The OpenStack project reports: "" Thomas Leaman and Stuart McLaren from Hewlett Packard reported a vulnerability in Glance. By uploading a large enough image to a Glance store, an authenticated user may fill the store space because the image_size_cap configuration option is not honored. This may prevent further image upload and/or cause service disruption. Note that the import method is not affected. All Glance setups using API v2 are affected (unless you use a policy to restrict/disable image upload). "" This affects versions up to 2013.2.3 and 2014.1 to 2014.1.2. References: http://seclists.org/oss-sec/2014/q3/410 https://bugs.launchpad.net/glance/+bug/1315321 https://review.openstack.org/#/c/91764/
Created openstack-glance tracking bugs for this issue: Affects: epel-6 [bug 1131771]
Created openstack-glance tracking bugs for this issue: Affects: fedora-19 [bug 1131773] Affects: fedora-20 [bug 1131774]
This issue has been addressed in the following products: OpenStack 5 for RHEL 6 Via RHSA-2014:1338 https://rhn.redhat.com/errata/RHSA-2014-1338.html
This issue has been addressed in the following products: OpenStack 5 for RHEL 7 Via RHSA-2014:1337 https://rhn.redhat.com/errata/RHSA-2014-1337.html
openstack-glance-2013.2.4-1.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.
IssueDescription: It was discovered that the image_size_cap configuration option in glance was not honored. An authenticated user could use this flaw to upload an image to glance and consume all available storage space, resulting in a denial of service.
This issue has been addressed in the following products: OpenStack 4 for RHEL 6 Via RHSA-2014:1685 https://rhn.redhat.com/errata/RHSA-2014-1685.html