A vulnerability in Heat template validation was reported. By referencing a local file such as /dev/zero, an authenticated user may trick the heat engine service into loading arbitrary local file content, resulting in a Denial of Service attack through memory exhaustion. Note that the file content is not written back to the user, though the user can determine whether a file exists and whether it is readable by heat-engine. Affects versions <=2015.1.2, ==5.0.0. All Heat setups are affected.
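The two guards that address the failure mode described above, shown as an added example (not Heat's code and not the attached patches): refuse references that resolve on the engine host, and cap how many bytes are buffered. The names `check_scheme`, `read_bounded`, `EndlessZeros`, the allow-list and the 512 KiB cap are assumptions made for illustration.

```python
import io
from urllib.parse import urlparse

MAX_TEMPLATE_BYTES = 512 * 1024      # assumed cap, not a value taken from Heat
ALLOWED_SCHEMES = ("http", "https")  # assumed allow-list for user-supplied references


class TemplateFetchError(Exception):
    """Raised when a reference is refused or its content exceeds the cap."""


def check_scheme(url, allowed=ALLOWED_SCHEMES):
    """Refuse references that would resolve on the engine host itself."""
    scheme = urlparse(url).scheme.lower()
    if scheme not in allowed:
        raise TemplateFetchError("scheme %r not allowed for %r" % (scheme, url))
    return scheme


def read_bounded(stream, limit=MAX_TEMPLATE_BYTES, chunk=8192):
    """Read at most `limit` bytes; fail instead of buffering an endless source."""
    buf = bytearray()
    while True:
        # Ask for one byte past the limit so oversize input is detected
        # without ever holding more than limit + 1 bytes in memory.
        data = stream.read(min(chunk, limit + 1 - len(buf)))
        if not data:
            return bytes(buf)
        buf += data
        if len(buf) > limit:
            raise TemplateFetchError("content exceeds %d bytes" % limit)


class EndlessZeros:
    """Constructed stand-in for /dev/zero: read() never reports end of file."""
    def read(self, n):
        return b"\0" * n


def is_refused(func, *args, **kwargs):
    """Helper for the demo: True if the guard raised TemplateFetchError."""
    try:
        func(*args, **kwargs)
    except TemplateFetchError:
        return True
    return False


if __name__ == "__main__":
    print(is_refused(check_scheme, "file:///dev/zero"))
    print(is_refused(read_bounded, EndlessZeros(), limit=1024))
    print(read_bounded(io.BytesIO(b"heat_template_version: 2015-04-30\n")))
```

Returning the same error for a missing file and an unreadable one also avoids the existence and readability oracle mentioned in the report.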
Created attachment 1114470 Master/mitaka patch
Created attachment 1114471 Stable/kilo patch
Created attachment 1114472 Stable/liberty patch
Created attachment 1114967 stable/juno patch
Created attachment 1114968 stable/icehouse patch
Created openstack-heat tracking bugs for this issue: Affects: fedora-all [bug 1300091]
openstack-heat-2015.1.2-2.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.
Acknowledgements: This issue was discovered by Steven Hardy of Red Hat.
This issue has been addressed in the following products: OpenStack 7 For RHEL 7 Via RHSA-2016:0266 https://rhn.redhat.com/errata/RHSA-2016-0266.html
This issue has been addressed in the following products: Red Hat Enterprise Linux OpenStack Platform 6.0 (Juno) for RHEL 7 Via RHSA-2016:0442 https://rhn.redhat.com/errata/RHSA-2016-0442.html
This issue has been addressed in the following products: Red Hat Enterprise Linux OpenStack Platform 5.0 (Icehouse) for RHEL 7 Via RHSA-2016:0441 https://rhn.redhat.com/errata/RHSA-2016-0441.html
This issue has been addressed in the following products: Red Hat Enterprise Linux OpenStack Platform 5.0 (Icehouse) for RHEL 6 Via RHSA-2016:0440 https://rhn.redhat.com/errata/RHSA-2016-0440.html