Bug 1154951 (CVE-2014-3708) - CVE-2014-3708 openstack-nova: Nova network denial of service through API filtering
Summary: CVE-2014-3708 openstack-nova: Nova network denial of service through API filt...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2014-3708
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1158307 1158308 1196564 1196565
Blocks: 1154952 1194087
TreeView+ depends on / blocked
 
Reported: 2014-10-21 06:29 UTC by Murray McAllister
Modified: 2023-05-12 05:50 UTC (History)
24 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
A denial of service flaw was found in the way OpenStack Compute (nova) looked up VM instances based on an IP address filter. An attacker with sufficient privileges on an OpenStack installation with a large amount of VMs could use this flaw to cause the main nova process to block for an extended amount of time.
Clone Of:
Environment:
Last Closed: 2015-06-19 07:05:43 UTC
Embargoed:

Attachments (Terms of Use)
icehouse patch from upstream (7.65 KB, patch)
2014-10-23 03:42 UTC, Murray McAllister 		no flags Details | Diff
juno patch from upstream (7.12 KB, patch)
2014-10-23 03:43 UTC, Murray McAllister 		no flags Details | Diff
View All


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2015:0843 0 normal SHIPPED_LIVE Important: openstack-nova security, bug fix, and enhancement update 2015-04-16 18:27:45 UTC
Red Hat Product Errata RHSA-2015:0844 0 normal SHIPPED_LIVE Important: openstack-nova security, bug fix, and enhancement update 2015-04-16 18:27:38 UTC

Description Murray McAllister 2014-10-21 06:29:11 UTC 
The OpenStack project reports:

""
Title: Nova network DoS through API filtering
Reporter: Mohammed Naser (Vexxhost)
Products: Nova
Versions: up to 2014.1.2

Description:
Mohammed Naser from Vexxhost reported a vulnerability in Nova API
filters. By listing active servers using an ip filter, an authenticated
user may overload nova-network or neutron-server process, resulting in a
denial of services. All Nova setups are affected.
""

Acknowledgements:

Red Hat would like to thank the OpenStack Project for reporting this issue. Upstream acknowledges Mohammed Naser from Vexxhost as the original reporter.
Comment 3 Murray McAllister 2014-10-23 03:42:42 UTC 
Created attachment 949631 [details]
icehouse patch from upstream
Comment 4 Murray McAllister 2014-10-23 03:43:16 UTC 
Created attachment 949632 [details]
juno patch from upstream
Comment 5 Murray McAllister 2014-10-29 04:35:56 UTC 
This issue is public now:

http://seclists.org/oss-sec/2014/q4/458
Comment 7 Murray McAllister 2014-10-29 04:38:00 UTC 
Created openstack-nova tracking bugs for this issue:

Affects: fedora-all [bug 1158307]
Comment 13 errata-xmlrpc 2015-04-16 14:33:16 UTC 
This issue has been addressed in the following products:

  OpenStack 5 for RHEL 6

Via RHSA-2015:0844 https://rhn.redhat.com/errata/RHSA-2015-0844.html
Comment 14 errata-xmlrpc 2015-04-16 14:34:57 UTC 
This issue has been addressed in the following products:

  OpenStack 5 for RHEL 7

Via RHSA-2015:0843 https://rhn.redhat.com/errata/RHSA-2015-0843.html
Note You need to log in before you can comment on or make changes to this bug.