The following vulnerability has been reported in OpenStack Glance:

Title: Glance import task leaks image in backend
Reporter: Abhishek Kekane (NTT)
Products: Glance
Affects: 2014.2 versions through 2014.2.2

Description:
Abhishek Kekane from NTT reported a vulnerability in the Glance import task. By creating numerous images using the task API and deleting them, an authenticated attacker may accumulate untracked image data in the backend resulting in potential resource exhaustion and denial of service. All Glance setups using API v2 are affected.

References:
https://launchpad.net/bugs/1420696
https://launchpad.net/bugs/1422716

2 CVEs were assigned to this issue:
http://seclists.org/oss-sec/2015/q1/603
Created openstack-glance tracking bugs for this issue: Affects: openstack-rdo [bug 1197578]
Created attachment 998154: CVE-2015-1881 Juno Patch
Created attachment 998155: CVE-2014-9684 Juno Patch
This issue has been addressed in the following products:

OpenStack 6 for RHEL 7
Via RHSA-2015:0938 https://rhn.redhat.com/errata/RHSA-2015-0938.html