[openstack-announce] [OSSA 2013-024] Resource limit circumvention in Nova private flavors (CVE-2013-4278)

Thierry Carrez thierry at openstack.org
Wed Aug 28 13:11:11 UTC 2013


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

OpenStack Security Advisory: 2013-024
CVE: CVE-2013-4278
Date: August 28, 2013
Title: Resource limit circumvention in Nova private flavors
Reporter: Ken'ichi Ohmichi (NEC)
Products: Nova
Affects: All versions

Description:
Ken'ichi Ohmichi from NEC reported that the fix for OSSA 2013-019
(CVE-2013-2256) was incomplete. Any tenant was still able to boot any
other tenant's private flavors by guessing a flavor ID. This potentially
allowed circumvention of any resource limits enforced through the
os-flavor-access:is_public property.

Havana (development branch) fix:
https://review.openstack.org/#/c/42922/

Grizzly fix:
https://review.openstack.org/#/c/43281/

Folsom fix:
https://review.openstack.org/#/c/43296/

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4278
https://bugs.launchpad.net/nova/+bug/1212179

Regards,

- -- 
Thierry Carrez
OpenStack Vulnerability Management Team
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
Comment: Using GnuPG with undefined - http://www.enigmail.net/

iQIbBAEBCAAGBQJSHfbsAAoJEFB6+JAlsQQjPUkP9i/41IQPecZ/1V7nsQLPWssp
AUgP5tEwEUGVNGaMM6ptaQtQxrLD+aACi7z8zRZgJopHrDptbIckbRikeSxrzsLB
eWQxynkFPhcjRQTFZOuoEwDdqYUFCr614uGUmCFomYTBIWEZS3ea5aN7PAO4fd62
6hsOHr6xcj7JcZY1GlVNZBcpWel9rvxcXroPrPqmecyDdSPCuiWj8QNiWQ8Y62Vy
ZSOzHjyAWe32sqMSYp3zygdhpX1yacTVf76jDNw+FcLHkqFf4kRX7uJCCPFKNpIk
2nngSjWZEizIkinIc+mzt2vFKt7JMjCJsy7uLKIp9HsJzVN8qH0x6axe3nuMoliC
xdzybOzlCfEOU+L1q0fVVAiuTnXqE562mnm7HchHiUpKHJRv+4hWwukOsy2Wv+aD
TweNziKwmxYdakhEduql4BJ1/6Mqk+1014Q/uOAyO8iKra8JO9i/ZULvuJgQNIao
oXdFCJoKItP+UouaZ4PrRwilwWgVu4rsRWL1STcHgnHorFrCJQ0iO/W9ofn+ft4z
R2q3tBpJDaeorM2D/Q2VkzYvUzAEAa+BCh1CRxMCVIMh6VmSv40TzczmgrdSRUVj
7cKaxc0xiLiPOoYorWuL0A7RPkadOMk9SihmakX70UR5NyfoqdOoAYnl8xcKNaD8
MlxVcQfdPQMWbw6UltQ=
=DGPB
-----END PGP SIGNATURE-----



More information about the OpenStack-announce mailing list