-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

OpenStack Security Advisory: 2013-024
CVE: CVE-2013-4278
Date: August 28, 2013
Title: Resource limit circumvention in Nova private flavors
Reporter: Ken'ichi Ohmichi (NEC)
Products: Nova
Affects: All versions

Description: Ken'ichi Ohmichi from NEC reported that the fix for OSSA 2013-019 (CVE-2013-2256) was incomplete. Any tenant was still able to boot any other tenant's private flavors by guessing a flavor ID. This potentially allowed circumvention of any resource limits enforced through the os-flavor-access:is_public property.
Havana (development branch) fix: https://review.openstack.org/#/c/42922/
Grizzly fix: https://review.openstack.org/#/c/43281/
Folsom fix: https://review.openstack.org/#/c/43296/
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4278
https://bugs.launchpad.net/nova/+bug/1212179
Regards,
- --
Thierry Carrez
OpenStack Vulnerability Management Team
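
The class of flaw described in the advisory, as an added example that is not part of the advisory and is not Nova's code: a simplified model in which a boot path resolves a flavor ID with no tenant check, next to a version that enforces access where the ID is resolved. All names (Flavor, FLAVORS, can_use, boot_unchecked, boot_checked), the sample data, and the assumption that the flavor listing is already filtered per tenant are constructed for illustration.

```python
# Simplified model for illustration; hypothetical names, not Nova's code.
from dataclasses import dataclass


class FlavorNotFound(Exception):
    pass


@dataclass(frozen=True)
class Flavor:
    flavor_id: str
    vcpus: int
    is_public: bool = True
    allowed_tenants: frozenset = frozenset()


# Constructed sample data: one public flavor, one private to "tenant-a".
FLAVORS = {f.flavor_id: f for f in (
    Flavor("1", vcpus=1),
    Flavor("42", vcpus=64, is_public=False,
           allowed_tenants=frozenset({"tenant-a"})),
)}


def can_use(flavor, tenant_id):
    return flavor.is_public or tenant_id in flavor.allowed_tenants


def list_flavors(tenant_id):
    # Assumed here: the listing already hides private flavors.
    return [f.flavor_id for f in FLAVORS.values() if can_use(f, tenant_id)]


def boot_unchecked(tenant_id, flavor_id):
    # "Before": lookup by ID only, so a guessed ID of a hidden flavor works.
    flavor = FLAVORS.get(flavor_id)
    if flavor is None:
        raise FlavorNotFound(flavor_id)
    return {"tenant": tenant_id, "vcpus": flavor.vcpus}


def boot_checked(tenant_id, flavor_id):
    # "After": access is enforced at the point where the ID is resolved.
    flavor = FLAVORS.get(flavor_id)
    # Design choice of this example: the same error is raised for "missing"
    # and "not yours", so responses do not reveal which IDs exist.
    if flavor is None or not can_use(flavor, tenant_id):
        raise FlavorNotFound(flavor_id)
    return {"tenant": tenant_id, "vcpus": flavor.vcpus}
```

Filtering what a tenant can list does not constrain what the tenant can reference by ID; the check has to sit on every path that resolves the identifier.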