[openstack-announce] [OSSA 2013-020] Denial of Service in Nova network source security groups (CVE-2013-4185)

Jeremy Stanley jeremy at openstack.org
Tue Aug 6 15:04:43 UTC 2013


OpenStack Security Advisory: 2013-020
CVE: CVE-2013-4185
Date: August 6, 2013
Title: Denial of Service in Nova network source security groups
Reporter: Vishvananda Ishaya (Nebula)
Products: Nova
Affects: All versions

Description:
Vishvananda Ishaya from Nebula reported a denial of service
vulnerability in Nova's handling of network source security group
policy updates. By performing a large number of server creation
operations, the proportion of updates increases quadratically and
may overwhelm nova-network such that it is no longer able to service
other requests in a timely fashion. Only setups relying on
nova-network are affected.

Havana (development branch) fix:
https://review.openstack.org/39541

Grizzly fix:
https://review.openstack.org/39543

Folsom fix:
https://review.openstack.org/39544

Notes:
This fix will be included in the havana-3 development milestone and
in a future 2013.1.3 release.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4185
https://bugs.launchpad.net/nova/+bug/1184041

-- 
Jeremy Stanley
OpenStack Vulnerability Management Team