Bug 963462 (CVE-2013-2096) - CVE-2013-2096 OpenStack Nova: fails to verify image virtual size denial of service
Summary: CVE-2013-2096 OpenStack Nova: fails to verify image virtual size denial of se...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2013-2096
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 963463 963470 963727 963728
Blocks: 963471
TreeView+ depends on / blocked
 
Reported: 2013-05-15 20:24 UTC by Kurt Seifried
Modified: 2021-02-17 07:42 UTC (History)
30 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2013-08-10 00:51:23 UTC
Embargoed:


Attachments (Terms of Use)

Description Kurt Seifried 2013-05-15 20:24:36 UTC
Michael Still (mikal) reports:

Title: Nova fails to verify image virtual size
Reporter: Loganathan Parthipan
Products: Nova
Affects: All versions

Loganathan Parthipan publicly reported a vulnerability in Nova. Nova
did not implement checking for the virtual size of a qcow2 image used
as ephemeral storage for instances. It is therefore possible for a
user to create an image which has a large virtual size, but little
data. Once the instance is created, the user can then proceed to fill
the virtual disk, and consume all available disk on the host node file
system.

Havana (development branch) fix:
https://review.openstack.org/28717

Grizzly fix:
https://review.openstack.org/28901

Folsom fix:
https://review.openstack.org/29192

References:
https://bugs.launchpad.net/nova/+bug/1177830

Comment 3 Jan Lieskovsky 2013-05-16 12:55:50 UTC
Public via:
  http://www.openwall.com/lists/oss-security/2013/05/16/7

Comment 4 Jan Lieskovsky 2013-05-16 13:30:21 UTC
This issue did NOT affect the version of the openstack-nova package, as shipped with Fedora release of 17.

--

This issue affects the version of the openstack-nova package, as shipped with Fedora release of 18. Please schedule an update.

--

This issue affects the version of the openstack-nova package, as shipped with Fedora EPEL-6. Please schedule an update.

Comment 5 Jan Lieskovsky 2013-05-16 13:31:46 UTC
Created openstack-nova tracking bugs for this issue

Affects: fedora-18 [bug 963727]
Affects: epel-6 [bug 963728]

Comment 6 Kurt Seifried 2013-06-10 19:23:46 UTC
This issue has been addressed in following products:

  Red Hat OpenStack 3.0 Snap 1

Via RHBA-2013-0878 https://rhn.redhat.com/errata/RHBA-2013-0878.html

Comment 7 Kurt Seifried 2013-07-04 06:54:22 UTC
Statement:

The Red Hat Security Response Team has rated this issue as having moderate security impact. This issue is not currently planned to be addressed in OpenStack 2.1 (Folsom). This issue is planned to be addressed in version OpenStack 3.0 (Grizzly). For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.


Note You need to log in before you can comment on or make changes to this bug.