Bug 1268303 - (CVE-2015-5162) CVE-2015-5162 openstack-nova/glance/cinder: Malicious image may exhaust resources
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Assigned To: Red Hat Product Security
impact=moderate,public=20150629,repor...
Keywords: Security
Duplicates: 1267576
Depends On: 1382554 1382574 1382575 1267576 1328957 1382549 1382550 1382551 1382552 1382553 1382555 1382556 1382557 1382558 1382559 1382560 1382561 1382562 1382563 1382564 1382565 1382566 1382567 1382568 1382569 1382570 1382571 1382572 1382573
Blocks: 1268306
Reported: 2015-10-02 09:23 EDT by Adam Mariš
Modified: 2018-01-08 10:53 EST (History)
CC: 57 users

Doc Type: Bug Fix
Doc Text:
A resource-exhaustion vulnerability in the OpenStack Compute (nova), Block Storage (cinder), and Image (glance) services was found in their use of qemu-img. An unprivileged user could consume as much as 4 GB of RAM on the compute host by uploading a malicious image. This flaw could possibly lead to host out-of-memory errors and negatively affect other running tenant instances. oslo.concurrency has been updated to support process limits ('prlimit'), which is needed to fix this flaw.
Last Closed: 2017-03-02 19:04:43 EST


External Trackers
Tracker | ID | Priority | Status | Summary | Last Updated
Red Hat Product Errata | RHSA-2016:2923 | normal | SHIPPED_LIVE | Moderate: openstack-cinder and openstack-glance security update | 2016-12-07 22:20:01 EST
Red Hat Product Errata | RHSA-2016:2991 | normal | SHIPPED_LIVE | Moderate: openstack-cinder, openstack-glance, and openstack-nova update | 2016-12-21 16:34:31 EST
Red Hat Product Errata | RHSA-2017:0153 | normal | SHIPPED_LIVE | Moderate: openstack-cinder security update | 2017-01-19 13:20:36 EST
Red Hat Product Errata | RHSA-2017:0156 | normal | SHIPPED_LIVE | Moderate: openstack-cinder security update | 2017-01-19 13:19:47 EST
Red Hat Product Errata | RHSA-2017:0165 | normal | SHIPPED_LIVE | Moderate: openstack-cinder security update | 2017-01-19 13:22:24 EST
Red Hat Product Errata | RHSA-2017:0282 | normal | SHIPPED_LIVE | Moderate: openstack-cinder, openstack-glance, and openstack-nova security update | 2017-02-15 22:52:44 EST

Description Adam Mariš 2015-10-02 09:23:06 EDT
A vulnerability in openstack-nova was found, allowing an unprivileged user to consume as much as 4 GB of RAM on the host by uploading a malicious image, possibly leading to OOM on the compute host, negatively affecting the other running instances for other tenants.

Product bug:

https://bugzilla.redhat.com/show_bug.cgi?id=1267576

Upstream bug:

https://bugs.launchpad.net/ossa/+bug/1449062
Comment 2 Summer Long 2016-10-06 21:38:36 EDT
Upstream patches have been released:
- https://review.openstack.org/382573 (cinder) (Liberty)
- https://review.openstack.org/378012 (glance) (Liberty)
- https://review.openstack.org/327624 (nova) (Liberty)
- https://review.openstack.org/375625 (cinder) (Mitaka)
- https://review.openstack.org/377736 (glance) (Mitaka)
- https://review.openstack.org/326327 (nova) (Mitaka)
- https://review.openstack.org/375102 (cinder) (Newton)
- https://review.openstack.org/377734 (glance) (Newton)
- https://review.openstack.org/307663 (nova) (Newton)
- https://review.openstack.org/375099 (cinder) (Ocata)
- https://review.openstack.org/375526 (glance) (Ocata)
Comment 6 Summer Long 2016-10-07 00:57:06 EDT
Created openstack-nova tracking bugs for this issue:

Affects: openstack-rdo [bug 1382553]
Affects: fedora-all [bug 1382554]
Comment 7 Summer Long 2016-10-07 00:57:24 EDT
Created openstack-cinder tracking bugs for this issue:

Affects: openstack-rdo [bug 1382572]
Affects: fedora-all [bug 1382574]
Comment 8 Summer Long 2016-10-07 00:57:41 EDT
Created openstack-glance tracking bugs for this issue:

Affects: openstack-rdo [bug 1382573]
Affects: fedora-all [bug 1382575]
Comment 9 Summer Long 2016-10-11 21:18:36 EDT
Acknowledgments:

Name: Richard W.M. Jones (Red Hat)
Comment 15 errata-xmlrpc 2016-12-07 17:20:17 EST
This issue has been addressed in the following products:

  Red Hat OpenStack Platform 9.0 (Mitaka)

Via RHSA-2016:2923 https://rhn.redhat.com/errata/RHSA-2016-2923.html
Comment 16 errata-xmlrpc 2016-12-21 11:38:32 EST
This issue has been addressed in the following products:

  Red Hat OpenStack Platform 8.0 (Liberty)

Via RHSA-2016:2991 https://rhn.redhat.com/errata/RHSA-2016-2991.html
Comment 17 errata-xmlrpc 2017-01-19 08:27:50 EST
This issue has been addressed in the following products:

  Red Hat Enterprise Linux OpenStack Platform 6.0 (Juno) for RHEL 7

Via RHSA-2017:0156 https://rhn.redhat.com/errata/RHSA-2017-0156.html
Comment 18 errata-xmlrpc 2017-01-19 08:29:20 EST
This issue has been addressed in the following products:

  Red Hat Enterprise Linux OpenStack Platform 5.0 (Icehouse) for RHEL 7

Via RHSA-2017:0153 https://rhn.redhat.com/errata/RHSA-2017-0153.html
Comment 19 errata-xmlrpc 2017-01-19 08:33:32 EST
This issue has been addressed in the following products:

  Red Hat Enterprise Linux OpenStack Platform 5.0 (Icehouse) for RHEL 6

Via RHSA-2017:0165 https://rhn.redhat.com/errata/RHSA-2017-0165.html
Comment 20 errata-xmlrpc 2017-02-15 17:53:20 EST
This issue has been addressed in the following products:

  Red Hat Enterprise Linux OpenStack Platform 7.0 (Kilo) for RHEL 7

Via RHSA-2017:0282 https://rhn.redhat.com/errata/RHSA-2017-0282.html
Comment 21 Summer Long 2017-02-15 18:26:36 EST
Hi Kashyap, looks like the Hitachi bug (1267576) is a duplicate of https://bugzilla.redhat.com/show_bug.cgi?id=1382552, which has been dealt with in CVE-2015-5162, and released in RHSA-2017:0282. Can you confirm? thanks, Summer
Comment 22 Kashyap Chamarthy 2017-03-01 09:22:13 EST
(In reply to Summer Long from comment #21)
> Hi Kashyap, looks like the Hitachi bug (1267576) is a duplicate of
> https://bugzilla.redhat.com/show_bug.cgi?id=1382552, which has been dealt
> with in CVE-2015-5162, and released in RHSA-2017:0282. Can you confirm?
> thanks, Summer

Hi Summer, sorry for the delayed response.

Yes, you are correct. Just to double-confirm, I checked in the RHOS-7 Git too (if you look at the end, it indeed says: "Resolves: rhbz#1382552").

I will close the RHOS-7 Hitachi bug, with this pointer.

------------------------------------------------------------------------
commit a7084406eb6d34de55c4a6ecae26ae3c400500b3
Author:     Daniel P. Berrange <berrange@redhat.com>
AuthorDate: Mon Apr 18 16:32:19 2016 +0000
Commit:     Kashyap Chamarthy <kchamart@redhat.com>
CommitDate: Tue Oct 18 10:15:24 2016 -0400

    virt: set address space & CPU time limits when running qemu-img
    
    This uses the new 'prlimit' parameter for oslo.concurrency execute
    method, to set an address space limit of 1GB and CPU time limit
    of 2 seconds, when running qemu-img.
    
    This is a re-implementation of the previously reverted commit
    
    commit da217205f53f9a38a573fb151898fbbeae41021d
    Author: Tristan Cacqueray <tdecacqu@redhat.com>
    Date:   Wed Aug 5 17:17:04 2015 +0000
    
        virt: Use preexec_fn to ulimit qemu-img info call
    
    NOTE (kchamart) [stable/liberty]: Add a check for the presence of
    'ProcessLimits' attribute (which is only present in
    oslo.concurrency>=2.6.1; and a conditional check for 'prlimit' parameter
    in qemu_img_info() method.
    
    Upstream discussion[1][2] that led to merging this patch to
    stable/liberty branch.
    
    [1] http://lists.openstack.org/pipermail/openstack-dev/2016-September/104091.html
    [2] http://lists.openstack.org/pipermail/openstack-dev/2016-September/104303.html
    
    NOTE (kchamart) [RHOS-7]:
     - Conflicts:
        - nova/tests/unit/virt/libvirt/test_driver.py
        - nova/virt/images.py
    
     - Update test_qemu_info_with_errors() in tests/unit/virt/test_images.py
        - The fix catches 'ProcessExecutionError', and raises it as
          'InvalidDiskInfo' exception.  However, the test was still catching
          ProcessExecutionError -- update it to catch 'InvalidDiskInfo'.
        - Remove the now-unused import of 'processutils'
    
     - Upstream-Liberty: https://review.openstack.org/#/c/327624/
        - [Kilo is EOL, hence backporting from Liberty branch]
    
    Resolves: rhbz#1382552
    Closes-Bug: #1449062
    Change-Id: I135b5242af1bfdcb0ea09a6fcda21fc03a6fbe7d
    (cherry picked from commit 068d851561addfefb2b812d91dc2011077cb6e1d)
    (cherry picked from commit 6bc37dcceca823998068167b49aec6def3112397)
    Reviewed-on: https://code.engineering.redhat.com/gerrit/87164
    Tested-by: RHOS Jenkins <apevec+rhosci@redhat.com>
    Reviewed-by: Sahid Ferdjaoui <sahid.ferdjaoui@redhat.com>
    Reviewed-by: Michal Pryc <mpryc@redhat.com>
------------------------------------------------------------------------
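The commit above (and the Doc Text field) describe the mitigation only in outline: run qemu-img under an address-space limit and a CPU-time limit so that a crafted image makes the helper process fail instead of pushing the compute host into OOM. The following is an added, stand-alone illustration of that technique, not nova's or oslo.concurrency's own code. It applies the limits directly with Python's POSIX `resource` module in a `preexec_fn` (oslo.concurrency's `prlimit` parameter does the equivalent through a separate wrapper process), so it is Linux-only, and it goes one step beyond the page by also adding a wall-clock timeout, since RLIMIT_CPU does not stop a child that sleeps or blocks on I/O. The function names, the 1 GiB / 2 s defaults (taken from the commit message) and the Python one-liners used as stand-ins for a misbehaving qemu-img are all constructed for this example.

```python
"""Run an untrusted-input helper (e.g. ``qemu-img info``) under per-process
resource limits, in the spirit of the nova/cinder/glance fix for CVE-2015-5162.

Added example; not nova's or oslo.concurrency's code.  Uses the POSIX
``resource`` module directly (Linux only) instead of oslo.concurrency's
``prlimit`` parameter.  All function names are hypothetical.
"""
import resource
import shutil
import signal
import subprocess
import sys

ONE_GIB = 1024 ** 3


def _clamp(wanted, hard):
    """Never request a limit above the inherited hard limit (setrlimit would refuse it)."""
    if hard == resource.RLIM_INFINITY:
        return wanted
    return min(wanted, hard)


def _limits_preexec(address_space_bytes, cpu_seconds):
    """Build a preexec_fn that applies the limits in the child, between fork() and exec().

    RLIMIT_AS caps virtual address space: an image that makes the tool try to
    allocate gigabytes gets ENOMEM instead of driving the host into OOM.
    RLIMIT_CPU caps CPU time: the kernel sends SIGXCPU once the soft limit is hit.
    """
    def preexec():
        _, as_hard = resource.getrlimit(resource.RLIMIT_AS)
        as_limit = _clamp(address_space_bytes, as_hard)
        # soft == hard so the child cannot raise the limit again
        resource.setrlimit(resource.RLIMIT_AS, (as_limit, as_limit))
        _, cpu_hard = resource.getrlimit(resource.RLIMIT_CPU)
        # keep the inherited hard limit: SIGXCPU at the soft limit, SIGKILL only at the hard one
        resource.setrlimit(resource.RLIMIT_CPU, (_clamp(cpu_seconds, cpu_hard), cpu_hard))
    return preexec


def run_limited(argv, address_space_bytes=ONE_GIB, cpu_seconds=2, wall_timeout=30):
    """Run argv with address-space and CPU-time limits plus a wall-clock timeout.

    Returns a dict with the exit status, captured output, and the name of the
    signal that killed the child (if any).  The wall-clock timeout is a last
    resort: RLIMIT_CPU does not stop a process that sleeps or blocks on I/O.
    """
    try:
        proc = subprocess.run(
            argv,
            capture_output=True,
            text=True,
            timeout=wall_timeout,
            preexec_fn=_limits_preexec(address_space_bytes, cpu_seconds),
        )
    except subprocess.TimeoutExpired:
        return {"returncode": None, "stdout": "", "stderr": "", "signal": None, "timed_out": True}
    killed_by = signal.Signals(-proc.returncode).name if proc.returncode < 0 else None
    return {
        "returncode": proc.returncode,
        "stdout": proc.stdout,
        "stderr": proc.stderr,
        "signal": killed_by,
        "timed_out": False,
    }


# Constructed stand-ins for a well-behaved and a misbehaving qemu-img: the Python
# interpreter itself is the child, so the demo runs without qemu installed.
def demo_benign():
    """A child that stays within the limits exits normally."""
    return run_limited([sys.executable, "-c", "print('ok')"])


def demo_memory_bomb():
    """A child that tries to allocate 2 GiB under a 1 GiB address-space cap fails with MemoryError."""
    return run_limited([sys.executable, "-c", "bytearray(2 * 1024 ** 3)"], cpu_seconds=5)


def demo_cpu_bomb():
    """A child that spins forever is killed by the kernel once it exceeds 1 s of CPU time."""
    return run_limited([sys.executable, "-c", "while True: pass"], cpu_seconds=1)


if __name__ == "__main__":
    # With an image path on the command line and qemu-img installed, inspect it under the limits.
    if len(sys.argv) > 1 and shutil.which("qemu-img"):
        print(run_limited(["qemu-img", "info", "--output=json", sys.argv[1]]))
    for demo in (demo_benign, demo_memory_bomb, demo_cpu_bomb):
        result = demo()
        print(demo.__name__, result["returncode"], result["signal"], result["timed_out"])
```

The benign child exits 0, the memory bomb exits 1 with a MemoryError traceback on stderr, and the CPU bomb is terminated by SIGXCPU (reported as a negative return code) after roughly one second. Raising an application-level error on any of these outcomes, as the commit does by turning ProcessExecutionError into InvalidDiskInfo, keeps a bad image from affecting anything beyond the single helper process.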
Comment 23 Ollie Walsh 2018-01-08 10:53:30 EST
*** Bug 1267576 has been marked as a duplicate of this bug. ***
