Bug 1378661 (CVE-2016-7498) - CVE-2016-7498 openstack-nova: May fail to delete images in resize state regression
Summary: CVE-2016-7498 openstack-nova: May fail to delete images in resize state regre...
Keywords:
Status: CLOSED NOTABUG
Alias: CVE-2016-7498
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks: 1378664
TreeView+ depends on / blocked
 
Reported: 2016-09-23 02:46 UTC by Summer Long
Modified: 2019-09-29 13:57 UTC (History)
23 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2016-09-23 03:41:17 UTC
Embargoed:

Attachments (Terms of Use)

Description Summer Long 2016-09-23 02:46:14 UTC 
If an authenticated user deletes an instance while it is in resize state, it
will cause the original instance to not be deleted from the compute
node it was running on. An attacker can use this to launch a denial of
service attack. All Nova setups are affected.

Affects 
~~~~~~~ 
- Nova: ==13.0.0 

Patches
~~~~~~~
- https://review.openstack.org/327398 (Mitaka)
- https://review.openstack.org/326262 (Newton)


Credits
~~~~~~~
- Rajesh Tailor from Red Hat (CVE-2016-7498)


References
~~~~~~~~~~
- https://bugs.launchpad.net/bugs/1589821
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7498
Notes
~~~~~
- This bug is similar to OSSA-2015-017 (CVE-2015-3280) and was
  re-introduced in the first release of Mitaka version of Nova and it
  was re-fixed in nova-13.1.0.
Comment 1 Summer Long 2016-09-23 03:27:02 UTC 
Statement: This issue only affects version 13.0.0 of openstack-nova, and does not impact any currently released version of Red Hat OpenStack Platform or Red Hat Enterprise Linux OpenStack Platform.
Note You need to log in before you can comment on or make changes to this bug.