A vulnerability in openstack-glance allowing malicous user to cause DoS was reported. By deleting images that are being uploaded using a token that is about to expire, a malicious user can overcome the storage quota and accumulate untracked image data in the backend resulting in potential resource exhaustion and denial of service. All Glance setups using the V1 API are affected and all setups using the V2 API with the registry db_api enabled are affected. Affects: <=2014.2.3, >=2015.1.0, <=2015.1.1
Created attachment 1078568 [details] Master patch
Created attachment 1078569 [details] Stable/juno patch
Created attachment 1078570 [details] Stable/kilo patch
Not that it's now public upstream and proposed patch missed a fix for import task API V2: https://review.openstack.org/#/q/Ia6e1fe0d27b13b920ee7e728feb5305dec77e066,n,z
s/Not/Note/
Public via: https://bugs.launchpad.net/glance/+bug/1498163
Created openstack-glance tracking bugs for this issue: Affects: openstack-rdo [bug 1268208] Affects: fedora-all [bug 1268209]
Martin, attachments were correct, it just that this need an extra set of patch to fully address this CVE. You can preview the upcoming advisory (including all required changes review url) here: https://review.openstack.org/#/c/229950/2/ossa/OSSA-2015-020.yaml
Hi, I think we are missing BZs for OSP5/OSP6/OSP7 ?
(In reply to Tristan Cacqueray from comment #10) > Martin, attachments were correct, it just that this need an extra set of > patch to fully address this CVE. > > You can preview the upcoming advisory (including all required changes review > url) here: https://review.openstack.org/#/c/229950/2/ossa/OSSA-2015-020.yaml Ah, ok, I thought the ones you linked to were meant to replace the old ones. (In reply to Flavio Percoco from comment #11) > Hi, I think we are missing BZs for OSP5/OSP6/OSP7 ? These will be filed as soon as we're done with the analysis of this issue. Stay tuned!
Acknowledgements: Red Hat would like to thank the OpenStack project for reporting this issue. Upstream acknowledges Mike Fedosin and Alexei Galkin of Mirantis as the original reporters.
This issue has been addressed in the following products: OpenStack 5 for RHEL 6 OpenStack 5 for RHEL 7 OpenStack 6 for RHEL 7 OpenStack 7 For RHEL 7 Via RHSA-2015:1897 https://rhn.redhat.com/errata/RHSA-2015-1897.html