[openstack-announce] [OSSA 2013-026] Potential denial of service on Nova when using Qpid (CVE-2013-4261)

Thierry Carrez thierry at openstack.org
Thu Sep 12 15:19:59 UTC 2013


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

OpenStack Security Advisory: 2013-026
CVE: CVE-2013-4261
Date: September 12, 2013
Title: Potential denial of service on Nova when using Qpid
Reporter: Jaroslav Henner (Red Hat)
Products: Nova
Affects: Folsom, Grizzly

Description:
Jaroslav Henner from Red Hat reported a vulnerability in Nova when using
Apache Qpid as the RPC backend. By sending any random text longer than
65K characters to an instance console and requesting the console log
contents through the API, an authenticated user may disrupt the
nova-compute node his instance is running on. This vulnerability could
be leveraged in a Denial of Service attack against the cloud provider.
Only Folsom and Grizzly setups using Qpid as their RPC backend are
affected. Havana setups, or setups using other RPC backends (like
RabbitMQ), are all unaffected.
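The failure mode described above, as an added illustration (this is not Nova's code and not the linked fix): a compute-side guard that bounds the console-log payload before it is handed to the RPC layer, so an instance that writes an oversized console cannot produce a reply the transport refuses to carry. The 65K figure is taken from the advisory and used here as an assumed message-size limit; the function and field names are hypothetical.

```python
import json
import logging

LOG = logging.getLogger("console_log_guard")

# Assumed transport limit: the advisory says payloads longer than 65K
# characters trigger the fault, so the guard budgets against that size.
TRANSPORT_MAX_MESSAGE_BYTES = 65 * 1024


def bound_console_log(raw, limit=TRANSPORT_MAX_MESSAGE_BYTES):
    """Return at most `limit` bytes from the tail of `raw` plus metadata.

    The tail is kept rather than the head because the most recent console
    lines are what an operator debugging a guest usually wants.
    """
    if limit <= 0:
        raise ValueError("limit must be positive")
    truncated = len(raw) > limit
    data = raw[-limit:] if truncated else raw
    return {"data": data, "truncated": truncated, "original_len": len(raw)}


def build_console_reply(instance_id, raw, limit=TRANSPORT_MAX_MESSAGE_BYTES):
    """Serialize a console-log reply that is guaranteed to fit `limit` bytes.

    JSON escaping can expand control characters, so the data budget is
    shrunk until the encoded envelope fits, instead of trusting the raw
    length alone. Hypothetical message shape, not Nova's RPC format.
    """
    budget = limit
    while True:
        bounded = bound_console_log(raw, budget)
        if bounded["truncated"]:
            LOG.warning("console log for %s truncated from %d to %d bytes",
                        instance_id, bounded["original_len"], len(bounded["data"]))
        body = {
            "instance_id": instance_id,
            "output": bounded["data"].decode("utf-8", errors="replace"),
            "truncated": bounded["truncated"],
            "original_len": bounded["original_len"],
        }
        encoded = json.dumps(body).encode("utf-8")
        if len(encoded) <= limit:
            return encoded
        # Envelope or escaping pushed us over the limit: halve the budget.
        budget //= 2
        if budget == 0:
            raise ValueError("cannot fit console reply within transport limit")


if __name__ == "__main__":
    # Constructed sample: a guest that spewed 100,000 bytes to its console,
    # well past the 65K figure from the advisory.
    oversized_console = b"A" * 100000
    reply = json.loads(build_console_reply("i-0001", oversized_console))
    print("truncated:", reply["truncated"], "kept bytes:", len(reply["output"]))
```

In the untruncated case the reply carries the console text unchanged; in the oversized case the reply is still delivered, flagged as truncated, with the original length recorded so the API consumer can tell the log was cut rather than silently short.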

Grizzly fix:
https://review.openstack.org/#/c/43303/

Folsom fix:
https://review.openstack.org/#/c/45426/

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4261
https://bugs.launchpad.net/nova/+bug/1215091

Regards,

- -- 
Thierry Carrez
OpenStack Vulnerability Management Team
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
Comment: Using GnuPG with undefined - http://www.enigmail.net/
-----END PGP SIGNATURE-----
