[oss-security] [OSSA 2014-017] Nova VMWare driver leaks rescued images (CVE-2014-2573)

Type securityvulns
Reporter Securityvulns
Modified 2014-06-19T00:00:00


OpenStack Security Advisory: 2014-017
CVE: CVE-2014-2573
Date: May 29, 2014
Title: Nova VMWare driver leaks rescued images
Reporter: Jaroslav Henner (Red Hat)
Products: Nova
Versions: from 2013.2 to 2013.2.3, and 2014.1

Description: Jaroslav Henner from Red Hat reported a vulnerability in Nova. By requesting that Nova place an image into rescue, then deleting the image, an authenticated user may exceed their quota. This can result in a denial of service via excessive resource consumption. Only setups using the Nova VMWare driver are affected.

Juno (development branch) fix:
https://review.openstack.org/75788
https://review.openstack.org/80284

Icehouse fix:
https://review.openstack.org/88514
https://review.openstack.org/89217

Havana fix:
https://review.openstack.org/89762
https://review.openstack.org/89768

Notes: This fix will be included in the juno-1 development milestone and in future 2013.2.4 and 2014.1.1 releases.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2573
https://launchpad.net/bugs/1269418

--
Jeremy Stanley
OpenStack Vulnerability Management Team