I'm resurrecting Grant's proposed impact description from comment #28
and updating for the year of time which has passed since. I've also
edited it to remove references to Cinder and Glance... are those
effectively still impacted in any supported branches? I see that the
tasks API in Glance becoming admin-only in Mitaka results in this being
impractical there, but what about for Liberty? And there's little input
from Cinder on this bug at all but the claim is that it's exploitable
there as well. Is that still the case today?


Title: Malicious input to qemu-img may result in resource exhaustion
Reporter: Richard W.M. Jones
Product: Nova
Affects: <=12.0.4, ==13.0.0

Richard W.M. Jones of Red Hat reported a vulnerability that affects OpenStack
Nova. By providing a maliciously crafted disk image an attacker can consume
considerable amounts of RAM and CPU time resulting in a denial of service via
resource exhaustion. Any project which makes calls to qemu-img without
appropriate ulimit restrictions in place is affected by this flaw.

You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.

  qemu-img calls need to be restricted by ulimit (CVE-2015-5162)

To manage notifications about this bug go to:

ubuntu-bugs mailing list

Reply via email to