Created attachment 578328
proposed fix
This is an advance warning of a vulnerability discovered in OpenStack,
to give you, as downstream stakeholders, a chance to coordinate the
release of fixes and reduce the vulnerability window. Please treat the
following information as confidential until the proposed public
disclosure date.
Title: No quota enforced on security group rules
Impact: High
Reporter: Dan Prince <dprince>
Products: Nova
Affects: All versions
Description:
Dan Prince reported a vulnerability in Nova. He discovered that there
was no limit on the number of security group rules a user can create.
By creating a very large set of rules, an unreasonable number of
iptables rules will be created on compute nodes, resulting in a denial
of service.
Proposed patch:
See attached diff. This proposed patch will be merged to the Nova
master, stable/essex, and stable/diablo branches on public disclosure
date.
Proposed public disclosure date/time:
Thursday, April 19th, 1500UTC
Please do not make the issue public (or release public patches) before
this coordinated embargo date.
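The attached diff is not reproduced here, so the following is an added illustration rather than the Nova fix: the control the advisory says was missing, a per-project cap on security group rules checked before a rule is stored. The class and function names (SecGroupRuleRegistry, QuotaExceeded, try_bulk_create) and the default quota value are assumptions for this example, not Nova's API or configuration.

```python
"""Added example (not the Nova patch): enforce a per-project quota on
security group rules before storing them, so one tenant cannot drive an
unbounded number of iptables rules onto compute nodes."""
from dataclasses import dataclass, field
from typing import List

# Assumed default for this illustration; a real deployment reads it from config.
DEFAULT_RULE_QUOTA = 20


class QuotaExceeded(Exception):
    """Raised when a project would exceed its security-group-rule quota."""


@dataclass(frozen=True)
class Rule:
    project_id: str
    group: str
    protocol: str
    from_port: int
    to_port: int
    cidr: str


@dataclass
class SecGroupRuleRegistry:
    """In-memory stand-in for the rule table, with a per-project cap."""
    quota: int = DEFAULT_RULE_QUOTA
    rules: List[Rule] = field(default_factory=list)

    def count_for_project(self, project_id: str) -> int:
        return sum(1 for r in self.rules if r.project_id == project_id)

    def add_rule(self, rule: Rule) -> int:
        """Store the rule if the project is under quota; return its rule count."""
        # The cap covers the project's total across all its groups: every
        # stored rule is expanded into iptables rules on each compute node
        # hosting an instance in that group, so the total bounds the cost.
        used = self.count_for_project(rule.project_id)
        if used >= self.quota:
            raise QuotaExceeded(
                f"project {rule.project_id} has {used} rules; quota is {self.quota}"
            )
        if rule in self.rules:
            return used  # identical rule already present; nothing new to add
        self.rules.append(rule)
        return used + 1


def try_bulk_create(registry: SecGroupRuleRegistry, project_id: str, n: int) -> int:
    """Attempt n distinct rule creations for one project; return how many
    were accepted. Used to verify the cap holds however many requests arrive."""
    accepted = 0
    for port in range(1, n + 1):
        rule = Rule(project_id, "default", "tcp", port, port, "0.0.0.0/0")
        try:
            registry.add_rule(rule)
            accepted += 1
        except QuotaExceeded:
            break
    return accepted


if __name__ == "__main__":
    reg = SecGroupRuleRegistry(quota=5)
    print(try_bulk_create(reg, "tenant-a", 1000))  # 5
    print(reg.count_for_project("tenant-a"))  # 5
```

The check is deliberately placed on the API path, before persistence, because the rules are fanned out to iptables on every compute node hosting a member instance; counting per project rather than per group keeps a tenant from sidestepping the limit by spreading rules across many groups.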
This issue affects the version of the openstack-nova package, as shipped with Fedora release 16. Please schedule an update.
--
This issue affects the version of the openstack-nova package, as shipped with Fedora EPEL 6. Please schedule an update.