Malicious qemu-img input may exhaust resources in Cinder, Glance, Nova (CVE-2015-5162) (OSSA-2016-012)

Bug #1636739 reported by Adam Heczko
Affects             Status        Importance  Assigned to      Milestone
Mirantis OpenStack  Fix Released  High        Rodion Tikunov
  7.0.x             Won't Fix     High        MOS Maintenance
  8.0.x             Fix Released  High        MOS Maintenance
  9.x               Fix Released  High        Rodion Tikunov

Bug Description

Detailed bug description:
Richard W.M. Jones of Red Hat reported a vulnerability that affects OpenStack Cinder, Glance and Nova. By providing a maliciously crafted disk image an attacker can consume considerable amounts of RAM and CPU time resulting in a denial of service via resource exhaustion. Any project which makes calls to qemu-img without appropriate ulimit restrictions in place is affected by this flaw.
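
The mitigation the advisory refers to is running qemu-img under ulimit-style resource limits so that a crafted image can exhaust only the helper process, not the service that spawned it (the upstream fixes route the call through oslo.concurrency's prlimit support). What follows is an added example, not code from this bug, from oslo.concurrency or from Cinder, Glance or Nova: a small Python wrapper that applies RLIMIT_AS and RLIMIT_CPU in the child before exec and adds a wall-clock timeout, then demonstrates the effect using the python interpreter itself as a stand-in for qemu-img so it runs where qemu-img is not installed. The limit values, the function names and the qemu_img_info helper are assumptions chosen for illustration; the sample children are constructed inputs.

```python
"""Run qemu-img (or any untrusted-input helper) under per-process resource limits.

Added example, not the project's own code.  Assumes Linux (RLIMIT_AS is
enforced there) and a 64-bit Python; limit values are illustrative.
"""
import resource
import signal
import subprocess
import sys

# Illustrative defaults (assumed for this example, not the project's values).
DEFAULT_ADDRESS_SPACE = 1024 * 1024 * 1024   # 1 GiB of virtual address space
DEFAULT_CPU_SECONDS = 30                      # CPU time, not wall-clock
DEFAULT_WALL_SECONDS = 60                     # backstop for a child blocked on I/O


def _clamp(limit, current_hard):
    """Never ask for more than the inherited hard limit; setrlimit would refuse."""
    if current_hard == resource.RLIM_INFINITY:
        return limit
    return min(limit, current_hard)


def _make_preexec(address_space, cpu_seconds):
    """Build the function that runs in the child between fork() and exec()."""
    def preexec():
        _, hard_as = resource.getrlimit(resource.RLIMIT_AS)
        mem = _clamp(address_space, hard_as)
        resource.setrlimit(resource.RLIMIT_AS, (mem, mem))

        _, hard_cpu = resource.getrlimit(resource.RLIMIT_CPU)
        soft = _clamp(cpu_seconds, hard_cpu)
        # The kernel sends SIGXCPU at the soft limit and SIGKILL at the hard
        # one; keeping hard one second above soft lets the child die by the
        # usual SIGXCPU, and either signal ends it.
        hard = _clamp(cpu_seconds + 1, hard_cpu)
        resource.setrlimit(resource.RLIMIT_CPU, (soft, hard))
    return preexec


def run_limited(cmd, address_space=DEFAULT_ADDRESS_SPACE,
                cpu_seconds=DEFAULT_CPU_SECONDS, wall_seconds=DEFAULT_WALL_SECONDS):
    """Run cmd with RLIMIT_AS/RLIMIT_CPU applied and a wall-clock timeout.

    preexec_fn runs in the forked child, so the limits never touch the calling
    service.  It is not safe in a multi-threaded caller; a production wrapper
    would exec a tiny helper that sets the limits instead.
    """
    return subprocess.run(
        cmd, stdout=subprocess.PIPE, stderr=subprocess.PIPE,
        preexec_fn=_make_preexec(address_space, cpu_seconds),
        timeout=wall_seconds, check=False)


def qemu_img_info(image_path, **limits):
    """The call the advisory is about: inspect an untrusted image under limits.

    Hypothetical helper; qemu-img itself is not needed for the demo below.
    """
    return run_limited(["qemu-img", "info", "--output=json", image_path], **limits)


def killed_by_cpu_limit(returncode):
    """True if the child was terminated by the CPU rlimit (SIGXCPU or SIGKILL)."""
    return returncode in (-signal.SIGXCPU, -signal.SIGKILL)


def demo():
    """Constructed children standing in for qemu-img: one benign, two abusive."""
    limits = dict(address_space=DEFAULT_ADDRESS_SPACE, cpu_seconds=5)
    ok = run_limited([sys.executable, "-c", "print('ok')"], **limits)
    # Tries to allocate 4 GiB while limited to 1 GiB of address space:
    # fails fast with MemoryError instead of consuming the host's RAM.
    hog = run_limited([sys.executable, "-c", "bytearray(4 * 1024 ** 3)"], **limits)
    # Spins forever: RLIMIT_CPU cuts it off after about one CPU second.
    spin = run_limited([sys.executable, "-c", "while True: pass"],
                       address_space=DEFAULT_ADDRESS_SPACE, cpu_seconds=1,
                       wall_seconds=30)
    return {
        "ok_exit": ok.returncode,
        "ok_out": ok.stdout,
        "hog_failed": hog.returncode != 0 and b"MemoryError" in hog.stderr,
        "spin_killed": killed_by_cpu_limit(spin.returncode),
    }


if __name__ == "__main__":
    print(demo())
```

RLIMIT_CPU counts CPU seconds only, so a child stalled on I/O is never stopped by it; that is why the wrapper also passes a wall-clock timeout to subprocess.run, which raises TimeoutExpired after killing the child. RLIMIT_AS caps virtual address space rather than resident memory, which is what makes a crafted image's oversized allocations fail at the malloc call rather than after the host has started swapping.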

Revision history for this message
Denis Meltsaykin (dmeltsaykin) wrote :

Fixes are in http://www.openwall.com/lists/oss-security/2016/10/06/8
Maintenance Team, please check whether the fixes for 9.x were obtained with a sync-from-mitaka, for 8.0 with a sync-from-liberty. For 7.0 please prepare CRs.

tags: added: area-cinder area-glance area-nova
Revision history for this message
Rodion Tikunov (rtikunov) wrote :

Invalid for 9.2 as fixes have synced here.

Revision history for this message
Rodion Tikunov (rtikunov) wrote :

For 8.0 fixes have synced for nova only.
But for cinder and glance fixes have not synced yet.

Revision history for this message
Denis Meltsaykin (dmeltsaykin) wrote :

The fixes for 8.0 are obtained with a sync from liberty.

Revision history for this message
Denis Meltsaykin (dmeltsaykin) wrote :

I'm going to move this to Won't Fix for 7.0-updates because it would take a series of components to be updated to new major versions or to backport a huge portion of code to get the same functionality. Given that the "fix" doesn't avoid exploiting the vulnerability but just reduces the load on a server I would say it isn't worth efforts to backport it.

Changed in mos:
status: Invalid → Fix Released
information type: Private Security → Public Security
summary: Malicious qemu-img input may exhaust resources in Cinder, Glance, Nova
- (CVE-2015-5162)
+ (CVE-2015-5162) (OSSA-2016-012)
Revision history for this message
Denis Meltsaykin (dmeltsaykin) wrote :

Adam, please see the comment #5. If you have anything to add, please add, but just don't do it silently.

Revision history for this message
Adam Heczko (aheczko-mirantis) wrote :

Denis, I think that you shall reconsider backporting it to Kilo. I agree that the fix seems to only partially reduce the denial-of-service risk, but it's still better to have it. According to my assessment you would need to backport the oslo.concurrency fix (250 LOC), https://github.com/openstack/oslo.concurrency/commit/b2e78569c5cabc9582c02aacff1ce2a5e186c3ab , the Cinder fix (16 LOC), https://review.openstack.org/#/c/382573/ , the Glance fix (67 LOC), https://review.openstack.org/#/c/378012/ , and the Nova fix (38 LOC), https://review.openstack.org/#/c/327624/

Revision history for this message
Denis Meltsaykin (dmeltsaykin) wrote :

When we assessed it for the first time we found out that it would take several oslo.concurrency patches to backport. It's of course possible, if there is a demand for this (e.g. there is a customer request). Otherwise I don't see any reason to spend a lot of effort just patching something that nobody uses.
