Bug 813768 (CVE-2012-2101)

Summary: CVE-2012-2101 openstack-nova: No quota enforced on security group rules
Product: [Other] Security Response Reporter: Pádraig Brady <pbrady>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: alexander.sakhnov, bfilippov, breu, d.busby, jlieskov, jonathansteffan, markmc, matt_domsch, mlvov, p, rbryant, rkukura, security-response-team
Target Milestone: ---Keywords: Reopened, Security
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2012-07-28 07:05:20 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 814275, 814361, 814362    
Bug Blocks:    
Attachments:
Description Flags
proposed fix none

Description Pádraig Brady 2012-04-18 11:49:53 UTC 
Created attachment 578328 [details]
proposed fix

This is an advance warning of a vulnerability discovered in OpenStack,
to give you, as downstream stakeholders, a chance to coordinate the
release of fixes and reduce the vulnerability window. Please treat the
following information as confidential until the proposed public
disclosure date.

Title: No quota enforced on security group rules
Impact: High
Reporter: Dan Prince <dprince>
Products: Nova
Affects: All versions

Description:
Dan Prince reported a vulnerability in Nova. He discovered that there
was no limit on the number of security group rules a user can create.
By creating a very large set of rules, an unreasonable number of
iptables rules will be created on compute nodes, resulting in a denial
of service.

Proposed patch:
See attached diff. This proposed patch will be merged to the Nova
master, stable/essex, and stable/diablo branches on public disclosure
date.

Proposed public disclosure date/time:
Thursday, April 19th, 1500UTC
Please do not make the issue public (or release public patches) before
this coordinated embargo date.
Comment 2 Jan Lieskovsky 2012-04-19 16:52:54 UTC 
This issue affects the version of the openstack-nova package, as shipped with Fedora release of 16. Please schedule an update.

--

This issue affects the version of the openstack-nova package, as shipped with Fedora EPEL 6. Please schedule an update.
Comment 3 Jan Lieskovsky 2012-04-19 16:56:18 UTC 
Created openstack-nova tracking bugs for this issue

Affects: fedora-16 [bug 814361]
Affects: epel-6 [bug 814362]