Bug 1154951 (CVE-2014-3708)

Summary: CVE-2014-3708 openstack-nova: Nova network denial of service through API filtering
Product: [Other] Security Response Reporter: Murray McAllister <mmcallis>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: abaron, aortega, apevec, ayoung, berrange, chrisw, dallan, dasmith, gkotton, gmollett, jrusnack, lhh, lpeer, markmc, ndipanov, pbrady, rbryant, sbauza, sclewis, security-response-team, sferdjao, sgordon, vromanso, yeylon
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
A denial of service flaw was found in the way OpenStack Compute (nova) looked up VM instances based on an IP address filter. An attacker with sufficient privileges on an OpenStack installation with a large amount of VMs could use this flaw to cause the main nova process to block for an extended amount of time.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2015-06-19 07:05:43 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1158307, 1158308, 1196564, 1196565    
Bug Blocks: 1154952, 1194087    
Attachments:
Description Flags
icehouse patch from upstream
none
juno patch from upstream none

Description Murray McAllister 2014-10-21 06:29:11 UTC 
The OpenStack project reports:

""
Title: Nova network DoS through API filtering
Reporter: Mohammed Naser (Vexxhost)
Products: Nova
Versions: up to 2014.1.2

Description:
Mohammed Naser from Vexxhost reported a vulnerability in Nova API
filters. By listing active servers using an ip filter, an authenticated
user may overload nova-network or neutron-server process, resulting in a
denial of services. All Nova setups are affected.
""

Acknowledgements:

Red Hat would like to thank the OpenStack Project for reporting this issue. Upstream acknowledges Mohammed Naser from Vexxhost as the original reporter.
Comment 3 Murray McAllister 2014-10-23 03:42:42 UTC 
Created attachment 949631 [details]
icehouse patch from upstream
Comment 4 Murray McAllister 2014-10-23 03:43:16 UTC 
Created attachment 949632 [details]
juno patch from upstream
Comment 5 Murray McAllister 2014-10-29 04:35:56 UTC 
This issue is public now:

http://seclists.org/oss-sec/2014/q4/458
Comment 7 Murray McAllister 2014-10-29 04:38:00 UTC 
Created openstack-nova tracking bugs for this issue:

Affects: fedora-all [bug 1158307]
Comment 13 errata-xmlrpc 2015-04-16 14:33:16 UTC 
This issue has been addressed in the following products:

  OpenStack 5 for RHEL 6

Via RHSA-2015:0844 https://rhn.redhat.com/errata/RHSA-2015-0844.html
Comment 14 errata-xmlrpc 2015-04-16 14:34:57 UTC 
This issue has been addressed in the following products:

  OpenStack 5 for RHEL 7

Via RHSA-2015:0843 https://rhn.redhat.com/errata/RHSA-2015-0843.html