Bug 869565 (CVE-2014-2573) - VUL-0: CVE-2014-2573: openstack-nova: Nova VMWare driver leaks rescued images
Summary: VUL-0: CVE-2014-2573: openstack-nova: Nova VMWare driver leaks rescued images
Status: RESOLVED FIXED
Alias: CVE-2014-2573
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
Priority: P3 - Medium Severity: Normal
Target Milestone: ---
Assignee: Security Team bot
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/97170/
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2014-03-21 06:44 UTC by Marcus Meissner
Modified: 2016-04-27 19:29 UTC

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Description Marcus Meissner 2014-03-21 06:44:15 UTC
via oss-sec

CVE-2014-2573

CVE request for vulnerability in OpenStack Nova

A vulnerability was discovered in OpenStack (see below). In order to
ensure full traceability, we need a CVE number assigned that we can
attach to further notifications. This issue is already public, although
an advisory was not sent yet.

Title: Nova VMWare driver leaks rescued images
Reporter: Jaroslav Henner (Red Hat)
Products: Nova
Versions: 2013.2 to 2013.2.2

Description:
Jaroslav Henner from Red Hat reported a vulnerability in Nova. By
requesting Nova place an image into rescue, then deleting
the image, an authenticated user may exceed their quota. This can
result in a denial of service via excessive resource consumption. Only
setups using the Nova VMWare driver are affected.

References:
https://bugs.launchpad.net/nova/+bug/1269418
http://comments.gmane.org/gmane.comp.security.oss.general/12417
Comment 1 Swamp Workflow Management 2014-03-21 23:00:21 UTC
bugbot adjusting priority
Comment 4 SMASH SMASH 2014-03-25 12:55:13 UTC
Affected packages:

SLE-11-SP3-PRODUCTS: openstack-nova
SLE-11-SP3: openstack-nova
SLE-11-SP2-PRODUCTS: openstack-nova
Comment 5 Nanuk Krinner 2014-06-17 08:35:03 UTC
Fix is in https://build.suse.de/package/show/Devel:Cloud:3/openstack-nova
Comment 6 Nanuk Krinner 2014-06-17 09:04:11 UTC
Release is already scheduled for the next update.
Comment 7 Vincent Untz 2014-08-19 07:29:15 UTC
For the record, this is already submitted as part of https://swamp.suse.de/webswamp/swamp/template/DisplayWorkflow.vm/workflowid/58463
Comment 8 Johannes Segitz 2015-03-11 15:14:03 UTC
fixed in cloud 3, others not affected