Vulnerability Name:

CVE-2014-9684 (CCN-101196)

Assigned: 2015-02-20
Published: 2015-02-20
Updated: 2017-01-03
Summary: OpenStack Image Registry and Delivery Service (Glance) 2014.2 through 2014.2.2 does not properly remove images, which allows remote authenticated users to cause a denial of service (disk consumption) by creating a large number of images using the task v2 API and then deleting them before the uploads finish, a different vulnerability than CVE-2015-1881.
CVSS v3 Severity: 3.5 Low (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:L)
Exploitability Metrics: Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): Low
User Interaction (UI): Required
Scope: Scope (S): Unchanged
Impact Metrics: Confidentiality (C): None
Integrity (I): None
Availability (A): Low
CVSS v2 Severity: 4.0 Medium (CVSS v2 Vector: AV:N/AC:L/Au:S/C:N/I:N/A:P)
3.0 Low (Temporal CVSS v2 Vector: AV:N/AC:L/Au:S/C:N/I:N/A:P/E:U/RL:OF/RC:C)
Exploitability Metrics: Access Vector (AV): Network
Access Complexity (AC): Low
Authentication (Au): Single_Instance
Impact Metrics: Confidentiality (C): None
Integrity (I): None
Availability (A): Partial
4.0 Medium (CCN CVSS v2 Vector: AV:N/AC:L/Au:S/C:N/I:N/A:P)
3.0 Low (CCN Temporal CVSS v2 Vector: AV:N/AC:L/Au:S/C:N/I:N/A:P/E:U/RL:OF/RC:C)
Exploitability Metrics: Access Vector (AV): Network
Access Complexity (AC): Low
Authentication (Au): Single_Instance
Impact Metrics: Confidentiality (C): None
Integrity (I): None
Availability (A): Partial
Vulnerability Type: CWE-399
Vulnerability Consequences: Denial of Service
References:

Source: MITRE
Type: CNA
CVE-2014-9684

Source: MLIST
Type: Vendor Advisory
[openstack-announce] 20150223 [OSSA 2015-004] Glance import task leaks image in backend (CVE-2014-9684, CVE-2015-1881)

Source: REDHAT
Type: UNKNOWN
RHSA-2015:0938

Source: BID
Type: UNKNOWN
72692

Source: CCN
Type: BID-72692
OpenStack Glance CVE-2014-9684 Denial of Service Vulnerability

Source: CCN
Type: OSSA 2015-004
Image file stays in store if image has been deleted during upload (CVE-2014-9684)

Source: CONFIRM
Type: Exploit
https://bugs.launchpad.net/glance/+bug/1371118

Source: CCN
Type: Red Hat Bugzilla – Bug 1194697
(CVE-2014-9684, CVE-2015-1881) CVE-2014-9684 CVE-2015-1881 openstack-glance: potential resource exhaustion and denial of service using images manipulation API

Source: XF
Type: UNKNOWN
glance-cve20159684-dos(101196)

Vulnerable Configuration:

Configuration 1:
  • cpe:/a:openstack:image_registry_and_delivery_service_(glance):2014.2:*:*:*:*:*:*:*
  • OR cpe:/a:openstack:image_registry_and_delivery_service_(glance):2014.2.1:*:*:*:*:*:*:*
  • OR cpe:/a:openstack:image_registry_and_delivery_service_(glance):2014.2.2:*:*:*:*:*:*:*

Configuration CCN 1:
  • cpe:/a:openstack:image_registry_and_delivery_service_(glance):2014.2:*:*:*:*:*:*:*

* Denotes that component is vulnerable
Oval Definitions

Definition ID | Class | Title | Last Modified
oval:org.opensuse.security:def:55234 | P | Security update for cpio (Important) | 2021-08-23
oval:org.opensuse.security:def:55917 | P | Security update for apache2 (Important) | 2021-06-17
oval:org.opensuse.security:def:56476 | P | Security update for tcpdump (Moderate) | 2020-12-01
oval:org.opensuse.security:def:55472 | P | Security update for unzip (Moderate) | 2020-12-01
oval:org.opensuse.security:def:56202 | P | Security update for sssd (Moderate) | 2020-12-01
oval:org.opensuse.security:def:55072 | P | ceph-common on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:56514 | P | Security update for kernel-firmware (Moderate) | 2020-12-01
oval:org.opensuse.security:def:55645 | P | Security update for vorbis-tools (Moderate) | 2020-12-01
oval:org.opensuse.security:def:56310 | P | Security update for samba (Important) | 2020-12-01
oval:org.opensuse.security:def:55094 | P | dosfstools on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:56595 | P | Security update for libXcursor (Moderate) | 2020-12-01
oval:org.opensuse.security:def:55751 | P | Security update for strongswan (Important) | 2020-12-01
oval:org.opensuse.security:def:56402 | P | Security update for ImageMagick (Moderate) | 2020-12-01
oval:org.opensuse.security:def:55071 | P | bzip2 on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:20149684 | V | CVE-2014-9684 | 2020-11-28
oval:com.ubuntu.precise:def:20149684000 | V | CVE-2014-9684 on Ubuntu 12.04 LTS (precise) - medium. | 2015-02-24
oval:com.ubuntu.trusty:def:20149684000 | V | CVE-2014-9684 on Ubuntu 14.04 LTS (trusty) - medium. | 2015-02-24