Key Information

Vulnerability ID: OSSA-2015-017
Summary: Nova may fail to delete an image during resize operations
Date: September 1, 2015
CVE ID: CVE-2015-3280

Affected Components

Nova: Versions from 2014.2 to 2014.2.3, and from 2015.1 to 2015.1.1

Detailed Description

George Shuklin (from Webzilla LTD) and Tushar Patil (from NTT DATA) independently reported a security vulnerability in Nova related to resize operations. If an authenticated user deletes an instance while it is in the resize state, the original instance may not be properly removed from the compute node running it. Attackers could exploit this to launch a denial-of-service attack. All Nova configurations are affected.

Patches

Juno release: https://review.openstack.org/219301
Kilo release: https://review.openstack.org/219300
Liberty release: https://review.openstack.org/219299

Acknowledgments

George Shuklin (Webzilla LTD) (CVE-2015-3280)
Tushar Patil (NTT Data) (CVE-2015-3280)

References

https://launchpad.net/bugs/1392527
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3280

Notes

This fix will be included in future releases 2014.2.4 (Juno) and 2015.1.2 (Kilo).