Bugzilla will be upgraded to version 5.0 on a still to be determined date in the near future. The original upgrade date has been delayed.
First Last Prev Next    This bug is not in your last search results.
Bug 1154951 - (CVE-2014-3708) CVE-2014-3708 openstack-nova: Nova network denial of service through API filtering
CVE-2014-3708 openstack-nova: Nova network denial of service through API filt...
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
unspecified
All Linux
medium Severity medium
: ---
: ---
Assigned To: Red Hat Product Security
impact=moderate,public=20141028,repor...
: Security
Depends On: 1158307 1158308 1196564 1196565
Blocks: 1154952 1194087
  Show dependency treegraph
 
Reported: 2014-10-21 02:29 EDT by Murray McAllister
Modified: 2016-04-26 23:38 EDT (History)
24 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
A denial of service flaw was found in the way OpenStack Compute (nova) looked up VM instances based on an IP address filter. An attacker with sufficient privileges on an OpenStack installation with a large amount of VMs could use this flaw to cause the main nova process to block for an extended amount of time.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2015-06-19 03:05:43 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)
icehouse patch from upstream (7.65 KB, patch)
2014-10-22 23:42 EDT, Murray McAllister 		no flags Details | Diff
juno patch from upstream (7.12 KB, patch)
2014-10-22 23:43 EDT, Murray McAllister 		no flags Details | Diff
Add an attachment (proposed patch, testcase, etc.)


External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2015:0843 normal SHIPPED_LIVE Important: openstack-nova security, bug fix, and enhancement update 2015-04-16 14:27:45 EDT
Red Hat Product Errata RHSA-2015:0844 normal SHIPPED_LIVE Important: openstack-nova security, bug fix, and enhancement update 2015-04-16 14:27:38 EDT

  None (edit)
Description Murray McAllister 2014-10-21 02:29:11 EDT 
The OpenStack project reports:

""
Title: Nova network DoS through API filtering
Reporter: Mohammed Naser (Vexxhost)
Products: Nova
Versions: up to 2014.1.2

Description:
Mohammed Naser from Vexxhost reported a vulnerability in Nova API
filters. By listing active servers using an ip filter, an authenticated
user may overload nova-network or neutron-server process, resulting in a
denial of services. All Nova setups are affected.
""

Acknowledgements:

Red Hat would like to thank the OpenStack Project for reporting this issue. Upstream acknowledges Mohammed Naser from Vexxhost as the original reporter.
Comment 3 Murray McAllister 2014-10-22 23:42:42 EDT 
Created attachment 949631 [details]
icehouse patch from upstream
Comment 4 Murray McAllister 2014-10-22 23:43:16 EDT 
Created attachment 949632 [details]
juno patch from upstream
Comment 5 Murray McAllister 2014-10-29 00:35:56 EDT 
This issue is public now:

http://seclists.org/oss-sec/2014/q4/458
Comment 7 Murray McAllister 2014-10-29 00:38:00 EDT 
Created openstack-nova tracking bugs for this issue:

Affects: fedora-all [bug 1158307]
Comment 13 errata-xmlrpc 2015-04-16 10:33:16 EDT 
This issue has been addressed in the following products:

  OpenStack 5 for RHEL 6

Via RHSA-2015:0844 https://rhn.redhat.com/errata/RHSA-2015-0844.html
Comment 14 errata-xmlrpc 2015-04-16 10:34:57 EDT 
This issue has been addressed in the following products:

  OpenStack 5 for RHEL 7

Via RHSA-2015:0843 https://rhn.redhat.com/errata/RHSA-2015-0843.html
Note You need to log in before you can comment on or make changes to this bug.
First Last Prev Next    This bug is not in your last search results.