Bugzilla – Bug 938349
VUL-0: CVE-2015-3289: openstack-glance: Glance task flow may fail to delete image from backend
Last modified: 2015-10-01 13:22:59 UTC
EMBARGOED CRD: 2015-07-28 15:00UTC

This is an advance warning of a vulnerability discovered in OpenStack, to give you, as downstream stakeholders, a chance to coordinate the release of fixes and reduce the vulnerability window. Please treat the following information as confidential until the proposed public disclosure date.

Title: Glance task flow may fail to delete image from backend
Reporter: Abhishek Kekane (NTT)
Products: Glance
Affects: 2015.1.0

Description:
Abhishek Kekane from NTT reported a vulnerability in Glance. By creating numerous images using the import task flow API and deleting them, an authenticated attacker may accumulate untracked image data in the backend resulting in potential resource exhaustion and denial of service. All glance setups are affected.

Proposed fix:
Fixes for this vulnerability have already been merged via these reviews:
master - https://review.openstack.org/#/c/181345/
kilo - https://review.openstack.org/#/c/181816/

CVE: CVE-2015-3289

Proposed public disclosure date/time: 2015-07-28, 1500UTC

Please do not make this issue public before the coordinated embargo date.

Regards,
--
Grant Murphy
OpenStack Vulnerability Management Team

References:
https://bugs.launchpad.net/glance/+bug/1453068
https://review.openstack.org/#/c/181345/
https://review.openstack.org/#/c/181816/
bugbot adjusting priority
By version and glancing at the code, I see SLE / Cloud not affected, making this an openSUSE bug. Dear maintainer, if you know otherwise, let me know. Please note the embargo: do not build on OBS until it is lifted.
Public, please submit for openSUSE.
I wonder if anyone is actually reading cloud-bugs@suse.de.

Fixed now in OBS:
Cloud:OpenStack:Master/openstack-glance
Cloud:OpenStack:Liberty/openstack-glance
Cloud:OpenStack:Kilo/openstack-glance
Cloud:OpenStack:Kilo:Staging/openstack-glance