OpenStack Security Advisory: 2014-017 CVE: CVE-2014-2573 Date: May 29, 2014 Title: Nova VMWare driver leaks rescued images Reporter: Jaroslav Henner (Red Hat) Products: Nova Versions: from 2013.2 to 2013.2.3, and 2014.1
Description: Jaroslav Henner from Red Hat reported a vulnerability in Nova. By requesting Nova place an image into rescue, then deleting the image, an authenticated user my exceed their quota. This can result in a denial of service via excessive resource consumption. Only setups using the Nova VMWare driver are affected.
Juno (development branch) fix: https://review.openstack.org/75788 https://review.openstack.org/80284
Icehouse fix: https://review.openstack.org/88514 https://review.openstack.org/89217
Havana fix: https://review.openstack.org/89762 https://review.openstack.org/89768
Notes: This fix will be included in the juno-1 development milestone and in future 2013.2.4 and 2014.1.1 releases.
References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2573 https://launchpad.net/bugs/1269418
-- Jeremy Stanley OpenStack Vulnerability Management Team