Bug 918784 (CVE-2014-9684) - VUL-0: CVE-2014-9684, CVE-2015-1881: openstack-glance: Authenticated attacker may accumulate untracked image data, possible denial of service
Status: RESOLVED FIXED
Alias: CVE-2014-9684
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
Priority: P3 - Medium; Severity: Normal
Assignee: Bernhard Wiedemann
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/114107/
Reported: 2015-02-20 09:30 UTC by Johannes Segitz
Modified: 2015-09-09 09:10 UTC

Found By: Security Response Team
Description Johannes Segitz 2015-02-20 09:30:00 UTC
Title: Glance import task leaks image in backend
Reporter: Abhishek Kekane (NTT)
Products: Glance
Affects: 2014.2 versions through 2014.2.2

Description:
Abhishek Kekane from NTT reported a vulnerability in the Glance import task.
By creating numerous images using the task API and deleting them, an
authenticated attacker may accumulate untracked image data in the backend
resulting in potential resource exhaustion and denial of service. All glance
setups using API v2 are affected.

CVE-2014-9684
https://review.openstack.org/#/c/122427/
Sep 18, 2014 ... an exception is raised and is not handled ...
the uploaded image file stays in a storage and clogs it

CVE-2015-1881
https://review.openstack.org/#/c/156553
Feb 17, 2015 ... Import task does not update the location
of the image ... Image data remains in backend for
deleted image

Looks like we're not affected but please check

References:
https://launchpad.net/bugs/1420696
https://launchpad.net/bugs/1422716
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-9684
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-1881
http://seclists.org/oss-sec/2015/q1/603
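
Added example, not Glance code and not part of the original report: a simplified Python model of the failure mode described above, where image data reaches the backend before the image record learns its location, next to a variant that cleans up on failure and an audit that lists backend objects no record points to. `Store`, `Registry` and all function names are hypothetical stand-ins.

```python
# Constructed model of the leak; Store, Registry and the function names are
# hypothetical stand-ins, not Glance classes or APIs.
class Store:
    """Image backend stand-in: location -> bytes."""
    def __init__(self):
        self.objects = {}
    def add(self, image_id, data):
        location = f"file:///images/{image_id}"
        self.objects[location] = data
        return location
    def delete(self, location):
        self.objects.pop(location, None)

class Registry:
    """Image database stand-in: image_id -> record."""
    def __init__(self):
        self.images = {}
    def create(self, image_id):
        self.images[image_id] = {"status": "queued", "locations": []}
    def delete(self, image_id, store):
        # Only data at locations the record knows about gets removed.
        record = self.images[image_id]
        for location in record["locations"]:
            store.delete(location)
        record.update(status="deleted", locations=[])

def import_leaky(registry, store, image_id, data, fail=False):
    """Upload, then record the location; a failure in between leaks data."""
    registry.create(image_id)
    location = store.add(image_id, data)
    if fail:
        raise RuntimeError("post-upload step failed")  # data stays in store
    registry.images[image_id].update(status="active", locations=[location])

def import_with_cleanup(registry, store, image_id, data, fail=False):
    """Same flow, but a failure after upload removes the stored data."""
    registry.create(image_id)
    location = store.add(image_id, data)
    try:
        if fail:
            raise RuntimeError("post-upload step failed")
        registry.images[image_id].update(status="active", locations=[location])
    except Exception:
        store.delete(location)
        registry.images[image_id]["status"] = "killed"
        raise

def find_untracked(registry, store):
    """Audit: stored objects that no image record points to."""
    tracked = {loc for rec in registry.images.values() for loc in rec["locations"]}
    return sorted(set(store.objects) - tracked)
```

In the leaky flow, deleting the image afterwards cannot remove the data because the record has no location for it, which is why the audit has to start from the backend listing rather than from the image records.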
Comment 1 Vincent Untz 2015-02-20 10:14:59 UTC
(In reply to Johannes Segitz from comment #0)
> Title: Glance import task leaks image in backend
> Reporter: Abhishek Kekane (NTT)
> Products: Glance
> Affects: 2014.2 versions through 2014.2.2
> 
> Description:
> Abhishek Kekane from NTT reported a vulnerability in the Glance import task.
> By creating numerous images using the task API and deleting them, an
> authenticated attacker may accumulate untracked image data in the backend
> resulting in potential resource exhaustion and denial of service. All glance
> setups using API v2 are affected.
> 
> CVE-2014-9684
> https://review.openstack.org/#/c/122427/
> Sep 18, 2014 ... an exception is raised and is not handled ...
> the uploaded image file stays in a storage and clogs it
> 
> CVE-2015-1881
> https://review.openstack.org/#/c/156553
> Feb 17, 2015 ... Import task does not update the location
> of the image ... Image data remains in backend for
> deleted image
> 
> Looks like we're not affected but please check

This only impacts Cloud 5; second issue is already fixed in our code. First issue is being backported upstream:
 https://review.openstack.org/#/c/157067/
Comment 2 Vincent Untz 2015-02-20 11:35:14 UTC
(In reply to Vincent Untz from comment #1)
> This only impacts Cloud 5; second issue is already fixed in our code. First
> issue is being backported upstream:
>  https://review.openstack.org/#/c/157067/

For the record, the current backport is broken it seems (upstream CI fails). So waiting for an update there.
Comment 3 Vincent Untz 2015-02-20 12:05:41 UTC
Security team: do you want to have the fix for the first issue as part of SUSE Cloud 5 GM, or is an update fine?
Comment 4 Vincent Untz 2015-02-20 12:07:47 UTC
(In reply to Vincent Untz from comment #3)
> Security team: do you want to have the fix for the first issue as part of
> SUSE Cloud 5 GM, or is an update fine?

Sorry, forgot to explain the background: we're about to release our GMC2, and this should really be close to our GM. So it's likely that a fix for this bug would have to come as an update. If this is not okay with you, I can try to make people focus on this backport earlier.
Comment 5 Johannes Segitz 2015-02-20 12:11:19 UTC
(In reply to Vincent Untz from comment #4)
Having this as an update is fine, it's not that severe.
Comment 6 Swamp Workflow Management 2015-02-20 23:00:25 UTC
bugbot adjusting priority
Comment 7 Bernhard Wiedemann 2015-03-02 12:43:29 UTC
added bnc+CVE refs to Juno+Master
Comment 8 Marcus Meissner 2015-09-09 08:53:31 UTC
released
Comment 9 Swamp Workflow Management 2015-09-09 09:10:53 UTC
SUSE-SU-2015:1515-1: An update that contains security fixes can now be installed.

Category: security (low)
Bug References: 918784,920573,926596,928718,930574,931204,935892
CVE References: 
Sources used:
SUSE OpenStack Cloud 5 (src):    openstack-ceilometer-2014.2.4.dev18-9.7, openstack-ceilometer-doc-2014.2.4.dev18-9.11, openstack-cinder-2014.2.4.dev19-9.7, openstack-cinder-doc-2014.2.4.dev19-9.12, openstack-glance-2014.2.4.dev5-9.5, openstack-glance-doc-2014.2.4.dev5-9.7, openstack-heat-2014.2.4.dev13-9.6, openstack-heat-doc-2014.2.4.dev13-9.8, openstack-keystone-2014.2.4.dev5-11.8, openstack-keystone-doc-2014.2.4.dev5-11.12, openstack-sahara-2014.2.4.dev3-9.5, openstack-sahara-doc-2014.2.4.dev3-9.5, openstack-suse-2014.2-9.2, python-oslo.i18n-1.3.1-9.6, python-oslo.utils-1.4.0-14.2, python-oslotest-1.2.0-2.5, python-six-1.9.0-9.2