OpenStack Security Advisory: 2013-020
CVE: CVE-2013-4185
Date: August 6, 2013
Title: Denial of Service in Nova network source security groups
Reporter: Vishvananda Ishaya (Nebula)
Products: Nova
Affects: All versions

Description:
Vishvananda Ishaya from Nebula reported a denial of service vulnerability in Nova's handling of network source security group policy updates. By performing a large number of server creation operations, the proportion of updates increases quadratically and may overwhelm nova-network such that it is no longer able to service other requests in a timely fashion. Only setups relying on nova-network are affected.

Havana (development branch) fix:
https://review.openstack.org/39541

Grizzly fix:
https://review.openstack.org/39543

Folsom fix:
https://review.openstack.org/39544

Notes:
This fix will be included in the havana-3 development milestone and in a future 2013.1.3 release.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4185
https://bugs.launchpad.net/nova/+bug/1184041

--
Jeremy Stanley
OpenStack Vulnerability Management Team