CVE-2014-5356
OpenStack Glance improper validation of the image_size_cap configuration option
EPSS 0.80%
Description
OpenStack Image Registry and Delivery Service (Glance) before 2013.2.4, 2014.x before 2014.1.3, and Juno before Juno-3, when using the V2 API, does not properly enforce the image_size_cap configuration option, which allows remote authenticated users to cause a denial of service (disk consumption) by uploading a large image.
How to fix CVE-2014-5356
To remediate CVE-2014-5356, upgrade the affected package to one of the fixed versions listed below.
- Debian/glance—upgrade to 2014.1.3-1 or later
- —upgrade to 11.0.0a0 or later
Is CVE-2014-5356 being exploited?
Low: the EPSS score is 0.8%, indicating a low estimated likelihood of exploitation; exploitation activity has not been observed at scale.
Affected packages (2)
- from 0, < 2014.1.3-1
- from 0, < 11.0.0a0