1194697 – (CVE-2014-9684, CVE-2015-1881) CVE-2014-9684 CVE-2015-1881 openstack-glance: potential resource exhaustion and denial of service using images manipulation API

Bug 1194697 (CVE-2014-9684, CVE-2015-1881) - CVE-2014-9684 CVE-2015-1881 openstack-glance: potential resource exhaustion and denial of service using images manipulation API

Summary: CVE-2014-9684 CVE-2015-1881 openstack-glance: potential resource exhaustion a...

Keywords:
Status:	CLOSED ERRATA
Alias:	CVE-2014-9684, CVE-2015-1881
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	1197578 1215919
Blocks:	1194702
TreeView+	depends on / blocked

Reported:	2015-02-20 14:55 UTC by Vasyl Kaigorodov
Modified:	2021-02-17 05:38 UTC (History)
CC List:	27 users (show)
Fixed In Version:	openstack-glance 2014.2.3
Doc Type:	Bug Fix
Doc Text:	Multiple flaws were found in the glance task API that could cause untracked image data to be left in the back end. A malicious user could use these flaws to deliberately accumulate untracked image data, and cause a denial of service via resource exhaustion.
Clone Of:
Environment:
Last Closed:	2019-06-08 02:38:58 UTC
Embargoed:

Attachments	(Terms of Use)
CVE-2015-1881 Juno Patch (4.20 KB, patch) 2015-03-05 04:40 UTC, Garth Mollett	no flags	Details \| Diff
CVE-2014-9684 Juno Patch (3.68 KB, patch) 2015-03-05 04:42 UTC, Garth Mollett	no flags	Details \| Diff
View All

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2015:0938	0	normal	SHIPPED_LIVE	Moderate: openstack-glance security and bug fix update	2015-05-05 17:08:26 UTC

Description Vasyl Kaigorodov 2015-02-20 14:55:53 UTC

Following vulnerability has been reported in Openstack Glance:

Title: Glance import task leaks image in backend
Reporter: Abhishek Kekane (NTT)
Products: Glance
Affects: 2014.2 versions through 2014.2.2

Description:
Abhishek Kekane from NTT reported a vulnerability in the Glance import task.
By creating numerous images using the task API and deleting them, an
authenticated attacker may accumulate untracked image data in the backend
resulting in potential resource exhaustion and denial of service. All glance
setups using API v2 are affected.

References:
https://launchpad.net/bugs/1420696
https://launchpad.net/bugs/1422716

2 CVEs were assigned to this issue: http://seclists.org/oss-sec/2015/q1/603

Comment 1 Garth Mollett 2015-03-02 05:47:15 UTC

Created openstack-glance tracking bugs for this issue:

Affects: openstack-rdo [bug 1197578]

Comment 4 Garth Mollett 2015-03-05 04:40:36 UTC

Created attachment 998154 [details]
CVE-2015-1881 Juno Patch

Comment 5 Garth Mollett 2015-03-05 04:42:16 UTC

Created attachment 998155 [details]
CVE-2014-9684 Juno Patch

Comment 7 errata-xmlrpc 2015-05-05 13:09:04 UTC

This issue has been addressed in the following products:

  OpenStack 6 for RHEL 7

Via RHSA-2015:0938 https://rhn.redhat.com/errata/RHSA-2015-0938.html

Note You need to log in before you can comment on or make changes to this bug.

abaron
akscram
alexander.sakhnov
apevec
ayoung
bfilippov
chrisw
dallan
eglynn
gkotton
gmollett
itamar
jobernar
jonathansteffan
jose.castro.leon
karlthered
lhh
lpeer
markmc
mlvov
mmagr
nsantos
p
rbryant
rk
sclewis
srevivo