Security Bulletin: OpenStack vulnerabilities affect IBM Cloud Manager with OpenStack (CVE-2015-5163 CVE-2015-3241 CVE-2015-5223)

Security Bulletin


Summary

IBM Cloud Manager with OpenStack is affected by several OpenStack vulnerabilities, which could allow remote attackers to obtain sensitive information or cause a denial of service.

Vulnerability Details

CVEID: CVE-2015-3241
DESCRIPTION:
OpenStack Nova is vulnerable to a denial of service, caused by an error in the migration process. By resizing and deleting an instance repeatedly, a remote authenticated attacker could exploit this vulnerability to overload Nova compute nodes.
CVSS Base Score: 4.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/105880 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L)

CVEID: CVE-2015-5223
DESCRIPTION:
OpenStack Swift could allow a remote attacker to obtain sensitive information, caused by an error involving tempurls. An attacker with a tempurl key authorized for PUT could exploit this vulnerability to obtain other objects in the same Swift account.
CVSS Base Score: 4.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/105906 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)
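The Swift issue above concerns the scope of authority a tempurl key grants. The following is an added example, not part of the IBM bulletin and not Swift's own middleware: a minimal TempURL verifier that follows the documented signing scheme (HMAC-SHA1 over method, expiry and object path) and shows why a signature minted for PUT on one object must not be honoured for GET on that or any other object in the account. The key, path and timestamps are constructed sample values.

```python
import hashlib
import hmac
import time
from typing import Iterable, Optional

# Constructed sample values for this example (not from the bulletin).
SAMPLE_KEY = b"constructed-temp-url-key-1"
SAMPLE_PATH = "/v1/AUTH_example/uploads/report.bin"
SAMPLE_OTHER_PATH = "/v1/AUTH_example/private/secret.bin"
SAMPLE_EXPIRES = 1_700_000_000      # Unix time at which the URL stops working
SAMPLE_NOW = 1_699_999_000          # a moment before expiry


def tempurl_signature(key: bytes, method: str, expires: int, path: str) -> str:
    """Hex HMAC-SHA1 over "METHOD\\nEXPIRES\\nPATH" (the TempURL scheme).

    Because the HTTP method and the full object path are inside the MAC,
    the same key cannot produce a valid GET or a valid signature for a
    different object without re-signing.
    """
    body = "%s\n%d\n%s" % (method.upper(), expires, path)
    return hmac.new(key, body.encode(), hashlib.sha1).hexdigest()


def verify_tempurl(account_keys: Iterable[bytes], method: str, path: str,
                   expires: int, signature: str,
                   now: Optional[int] = None) -> bool:
    """Accept the request only if it is unexpired and the presented signature
    matches what one of the account's keys would produce for exactly this
    method and path. Comparison is constant-time."""
    now = int(time.time()) if now is None else now
    if expires <= now:
        return False
    presented = signature.strip().lower()
    for key in account_keys:
        expected = tempurl_signature(key, method, expires, path)
        if hmac.compare_digest(expected, presented):
            return True
    return False


if __name__ == "__main__":
    put_sig = tempurl_signature(SAMPLE_KEY, "PUT", SAMPLE_EXPIRES, SAMPLE_PATH)
    checks = {
        "PUT to signed object":   verify_tempurl([SAMPLE_KEY], "PUT", SAMPLE_PATH, SAMPLE_EXPIRES, put_sig, SAMPLE_NOW),
        "GET of signed object":   verify_tempurl([SAMPLE_KEY], "GET", SAMPLE_PATH, SAMPLE_EXPIRES, put_sig, SAMPLE_NOW),
        "GET of another object":  verify_tempurl([SAMPLE_KEY], "GET", SAMPLE_OTHER_PATH, SAMPLE_EXPIRES, put_sig, SAMPLE_NOW),
        "PUT after expiry":       verify_tempurl([SAMPLE_KEY], "PUT", SAMPLE_PATH, SAMPLE_EXPIRES, put_sig, SAMPLE_EXPIRES),
    }
    for name, ok in checks.items():
        print("%-24s %s" % (name, "allowed" if ok else "denied"))
```

Only the first check is allowed; the verifier refuses to let a PUT-scoped signature read anything, which is the property the fixed Swift releases restore.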

CVEID: CVE-2015-5163
DESCRIPTION:
OpenStack Glance could allow a remote authenticated attacker to obtain sensitive information, caused by the failure to specify a format and the use of format auto-detection. By importing an image that uses a qcow2 backing file, an attacker could exploit this vulnerability to read arbitrary files on the Glance server.
CVSS Base Score: 6.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/105608 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N)
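The Glance issue above has two ingredients: the disk format is auto-detected instead of declared, and a qcow2 image may carry a backing-file reference that points outside the image. The following is an added example, not part of the IBM bulletin and not Glance's own code: a validator that parses the qcow2 header directly, refuses to auto-detect, requires the payload to match the declared format, and rejects any qcow2 image whose header references a backing file. The header layout is the standard qcow2 version 2 layout; the sample images are constructed inline.

```python
import struct
from typing import Optional, Tuple

# qcow2 on-disk header, version 2 layout (72 bytes, all fields big-endian):
# magic, version, backing_file_offset, backing_file_size, cluster_bits,
# size, crypt_method, l1_size, l1_table_offset, refcount_table_offset,
# refcount_table_clusters, nb_snapshots, snapshots_offset
QCOW2_MAGIC = 0x514649FB          # the bytes "QFI\xfb"
HEADER_FMT = ">IIQIIQIIQQIIQ"
HEADER_LEN = struct.calcsize(HEADER_FMT)   # 72


def parse_qcow2_header(data: bytes) -> Optional[dict]:
    """Return the header fields a validator cares about, or None if the
    payload does not start with a qcow2 header."""
    if len(data) < HEADER_LEN:
        return None
    f = struct.unpack(HEADER_FMT, data[:HEADER_LEN])
    if f[0] != QCOW2_MAGIC:
        return None
    backing_off, backing_len = f[2], f[3]
    # Any non-zero backing_file_size is a reference to a path outside the
    # image. Record the flag separately from the bytes so that a bogus
    # offset (slice comes back empty) still counts as "has a backing file".
    backing_file = data[backing_off:backing_off + backing_len] if backing_len else None
    return {
        "version": f[1],
        "has_backing_file": backing_len != 0,
        "backing_file": backing_file,
        "virtual_size": f[5],
        "encrypted": f[6] != 0,
    }


def check_image_upload(declared_format: Optional[str], data: bytes) -> Tuple[bool, str]:
    """Decide whether an uploaded image payload may be accepted.

    Rules: the disk format must be declared (never auto-detected), the
    payload must match the declaration, and a qcow2 image must not
    reference a backing file.
    """
    if not declared_format:
        return False, "disk_format must be declared explicitly; auto-detection refused"
    header = parse_qcow2_header(data)
    if declared_format == "qcow2":
        if header is None:
            return False, "declared qcow2 but payload has no qcow2 header"
        if header["has_backing_file"]:
            return False, "qcow2 backing file reference %r not allowed" % header["backing_file"]
        return True, "qcow2 image without backing file accepted"
    if header is not None:
        return False, "declared %s but payload is qcow2" % declared_format
    return True, "%s image accepted" % declared_format


def build_sample_qcow2(backing_path: Optional[bytes]) -> bytes:
    """Construct a minimal qcow2 header for this example (sample data only);
    the backing-file string, if any, is placed right after the header."""
    off = HEADER_LEN if backing_path else 0
    length = len(backing_path) if backing_path else 0
    header = struct.pack(
        HEADER_FMT, QCOW2_MAGIC, 2, off, length,
        16,            # cluster_bits: 64 KiB clusters
        1 << 30,       # virtual size: 1 GiB
        0, 1,          # crypt_method none, l1_size
        3 * 65536,     # l1_table_offset
        65536, 1,      # refcount_table_offset, refcount_table_clusters
        0, 0,          # nb_snapshots, snapshots_offset
    )
    return header + (backing_path or b"")


if __name__ == "__main__":
    clean = build_sample_qcow2(None)
    with_backing = build_sample_qcow2(b"/srv/images/base-placeholder.qcow2")
    cases = [("qcow2", clean), ("qcow2", with_backing), (None, clean),
             ("raw", clean), ("raw", b"\x00" * 512)]
    for fmt, payload in cases:
        print("%-6s %s" % (fmt, check_image_upload(fmt, payload)))
```

The check runs on the first 72 bytes of the upload, so it can sit in front of any image conversion step; the decision to reject every backing-file reference, rather than trying to sanitise the path, is deliberate, since a converter will follow whatever path the header names.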

Affected Products and Versions

IBM Cloud Manager with OpenStack 4.1.0 through 4.1.0.5
IBM Cloud Manager with OpenStack 4.2.0 through 4.2.0.3 interim fix 4
IBM Cloud Manager with OpenStack 4.3.0 through 4.3.0.4 interim fix 1

Remediation/Fixes

Workarounds and Mitigations

None

References

Related information

Change History

March 14, 2016: Original version published

*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

Disclaimer

According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

Document information

More support for: Cloud Manager with OpenStack

Software version: 4.1.0, 4.2.0, 4.3.0

Operating system(s): Linux

Reference #: T1023470

Modified date: 17 March 2016