CVE-2015-3241

Published: 08 September 2015

OpenStack Compute (nova) 2015.1 through 2015.1.1, 2014.2.3, and earlier does not stop the migration process when the instance is deleted, which allows remote authenticated users to cause a denial of service (disk, network, and other resource consumption) by resizing and then deleting an instance.

Priority

Medium

Status

Package: nova (Launchpad, Ubuntu, Debian)

Release / Status
Upstream: Released (2014.2.4, 2015.1.2)
Ubuntu 16.04 LTS (Xenial Xerus): Not vulnerable (2:12.0.0-0ubuntu2)
Ubuntu 14.04 ESM (Trusty Tahr): Does not exist (trusty was released [1:2014.1.5-0ubuntu1.7])

Patches:
Upstream: https://review.openstack.org/208876 (Juno)
Upstream: https://review.openstack.org/214528 (Juno)
Upstream: https://review.openstack.org/213234 (Kilo)
Upstream: https://review.openstack.org/209856 (Kilo)
Upstream: https://review.openstack.org/194861 (Liberty)
Upstream: https://review.openstack.org/192986 (Liberty)

Notes

Author: mdeslaur
Note: from announcement: "This fix requires oslo.concurrency >= 1.8.2 for Kilo and >= 2.3.0 for Liberty. Juno fix embeds a patched version of oslo.concurrency."

References

Bugs