I'm resurrecting Grant's proposed impact description from comment #28 and updating for the year of time which has passed since. I've also edited it to remove references to Cinder and Glance... are those effectively still impacted in any supported branches? I see that the tasks API in Glance becoming admin-only in Mitaka results in this being impractical there, but what about for Liberty? And there's little input from Cinder on this bug at all but the claim is that it's exploitable there as well. Is that still the case today?
-- Title: Malicious input to qemu-img may result in resource exhaustion Reporter: Richard W.M. Jones Product: Nova Affects: <=12.0.4, ==13.0.0 Description: Richard W.M. Jones of Red Hat reported a vulnerability that affects OpenStack Nova. By providing a maliciously crafted disk image an attacker can consume considerable amounts of RAM and CPU time resulting in a denial of service via resource exhaustion. Any project which makes calls to qemu-img without appropriate ulimit restrictions in place is affected by this flaw. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1449062 Title: qemu-img calls need to be restricted by ulimit (CVE-2015-5162) To manage notifications about this bug go to: https://bugs.launchpad.net/cloud-archive/+bug/1449062/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
