IBM Support

Security Bulletin: OpenStack vulnerabilities affect IBM Cloud Manager with OpenStack (CVE-2015-5163 CVE-2015-3241 CVE-2015-5223)

Security Bulletin


Summary

IBM Cloud Manager with OpenStack is vulnerable to several OpenStack vulnerabilities that remote attackers could exploit to obtain sensitive information or cause a denial of service.

Vulnerability Details

CVEID: CVE-2015-3241
DESCRIPTION:
OpenStack Nova is vulnerable to a denial of service, caused by an error in the migration process. By resizing and deleting an instance repeatedly, a remote authenticated attacker could exploit this vulnerability to overload Nova compute nodes.
CVSS Base Score: 4.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/105880 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L)

CVEID: CVE-2015-5223
DESCRIPTION:
OpenStack Swift could allow a remote attacker to obtain sensitive information, caused by an error involving tempurls. An attacker with a tempurl key authorized for PUT could exploit this vulnerability to obtain other objects in the same Swift account.
CVSS Base Score: 4.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/105906 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)

CVEID: CVE-2015-5163
DESCRIPTION:
OpenStack Glance could allow a remote authenticated attacker to obtain sensitive information, caused by the failure to specify a format and the use of format auto-detection. By importing an image for conversion that uses a qcow2 backing file, an attacker could exploit this vulnerability to read arbitrary files on the Glance server.
CVSS Base Score: 6.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/105608 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N)
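
An added example, not taken from this bulletin, IBM's fix or OpenStack's code: a pre-import check that compares an upload's declared disk format with its leading bytes and rejects qcow2 images whose header references a backing file. The function names, the `declared_format` parameter and the sample images are assumptions constructed for illustration; only the qcow2 format is inspected.

```python
import struct

QCOW2_MAGIC = b"QFI\xfb"
# Leading qcow2 header fields, big-endian: magic, version,
# backing_file_offset (u64), backing_file_size (u32).
HEADER = struct.Struct(">4sIQI")


def parse_qcow2_head(head: bytes):
    """Return (is_qcow2, backing_name); backing_name is None when absent."""
    if len(head) < HEADER.size or not head.startswith(QCOW2_MAGIC):
        return False, None
    _magic, _version, offset, size = HEADER.unpack_from(head)
    if offset == 0:
        return True, None
    # A non-zero offset means the image depends on another file. The name
    # may lie beyond the bytes we were given, so fall back to a marker.
    raw = head[offset:offset + size]
    name = raw.decode("utf-8", "replace") if size and len(raw) == size else "<unreadable>"
    return True, name


def check_upload(head: bytes, declared_format: str) -> str:
    """Decide on an upload from its declared format and its first bytes."""
    is_qcow2, backing = parse_qcow2_head(head)
    # Never auto-detect: the content must agree with what the caller declared.
    if is_qcow2 != (declared_format == "qcow2"):
        return "reject: declared format does not match content"
    if backing is not None:
        return "reject: qcow2 header references backing file " + repr(backing)
    return "accept"


def sample_qcow2(backing: bytes = b"") -> bytes:
    """Constructed test input: a 104-byte v3 header plus optional backing name."""
    offset = 104 if backing else 0
    head = HEADER.pack(QCOW2_MAGIC, 3, offset, len(backing))
    return head.ljust(104, b"\0") + backing


if __name__ == "__main__":
    for label, head, fmt in [
        ("plain qcow2", sample_qcow2(), "qcow2"),
        ("qcow2 with backing file", sample_qcow2(b"base-disk.img"), "qcow2"),
        ("qcow2 declared as raw", sample_qcow2(), "raw"),
        ("raw bytes declared raw", b"\0" * 512, "raw"),
    ]:
        print(f"{label}: {check_upload(head, fmt)}")
```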

Affected Products and Versions

IBM Cloud Manager with OpenStack 4.1.0 through 4.1.0.5
IBM Cloud Manager with OpenStack 4.2.0 through 4.2.0.3 interim fix 4
IBM Cloud Manager with OpenStack 4.3.0 through 4.3.0.4 interim fix 1

Workarounds and Mitigations

None

Change History

March 14, 2016: Original version published

*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

Disclaimer

Review the IBM security bulletin disclaimer and definitions regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.

Document Information

Modified date: 07 August 2018

UID: isg3T1023470