oss-sec mailing list archives
[OSSA 2014-028] Glance store DoS through disk space exhaustion (CVE-2014-5356)
From: Tristan Cacqueray <tristan.cacqueray () enovance com>
Date: Thu, 21 Aug 2014 10:09:20 -0400
OpenStack Security Advisory: 2014-028 CVE: CVE-2014-5356 Date: August 21, 2014 Title: Glance store DoS through disk space exhaustion Reporter: Thomas Leaman (HP), Stuart McLaren (HP) Products: Glance Versions: up to 2013.2.3 and 2014.1 versions up to 2014.1.2 Description: Thomas Leaman and Stuart McLaren from Hewlett Packard reported a vulnerability in Glance. By uploading a large enough image to a Glance store, an authenticated user may fill the store space because the image_size_cap configuration option is not honored. This may prevent further image upload and/or cause service disruption. Note that the import method is not affected. All Glance setups using API v2 are affected (unless you use a policy to restrict/disable image upload). Juno (development branch) fix: https://review.openstack.org/91764 Icehouse fix: https://review.openstack.org/115280 Havana fix: https://review.openstack.org/115289 Notes: This fix will be included in the Juno-3 development milestone and in future 2013.2.4 and 2014.1.3 releases. References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5356 https://launchpad.net/bugs/1315321 -- Tristan Cacqueray OpenStack Vulnerability Management Team
Attachment:
signature.asc
Description: OpenPGP digital signature
Current thread:
- [OSSA 2014-028] Glance store DoS through disk space exhaustion (CVE-2014-5356) Tristan Cacqueray (Aug 21)