Bug 1154951 (CVE-2014-3708) - CVE-2014-3708 openstack-nova: Nova network denial of service through API filtering
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2014-3708
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1158307 1158308 1196564 1196565
Blocks: 1154952 1194087
 
Reported: 2014-10-21 06:29 UTC by Murray McAllister
Modified: 2023-05-12 05:50 UTC

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2015-06-19 07:05:43 UTC
Embargoed:


Attachments
icehouse patch from upstream (7.65 KB, patch)
2014-10-23 03:42 UTC, Murray McAllister
juno patch from upstream (7.12 KB, patch)
2014-10-23 03:43 UTC, Murray McAllister


Links
System | ID | Private | Priority | Status | Summary | Last Updated
Red Hat Product Errata | RHSA-2015:0843 | 0 | normal | SHIPPED_LIVE | Important: openstack-nova security, bug fix, and enhancement update | 2015-04-16 18:27:45 UTC
Red Hat Product Errata | RHSA-2015:0844 | 0 | normal | SHIPPED_LIVE | Important: openstack-nova security, bug fix, and enhancement update | 2015-04-16 18:27:38 UTC

Description Murray McAllister 2014-10-21 06:29:11 UTC
The OpenStack project reports:

""
Title: Nova network DoS through API filtering
Reporter: Mohammed Naser (Vexxhost)
Products: Nova
Versions: up to 2014.1.2

Description:
Mohammed Naser from Vexxhost reported a vulnerability in Nova API
filters. By listing active servers using an ip filter, an authenticated
user may overload nova-network or neutron-server process, resulting in a
denial of services. All Nova setups are affected.
""

Acknowledgements:

Red Hat would like to thank the OpenStack Project for reporting this issue. Upstream acknowledges Mohammed Naser from Vexxhost as the original reporter.

Comment 3 Murray McAllister 2014-10-23 03:42:42 UTC
Created attachment 949631
icehouse patch from upstream

Comment 4 Murray McAllister 2014-10-23 03:43:16 UTC
Created attachment 949632
juno patch from upstream

Comment 5 Murray McAllister 2014-10-29 04:35:56 UTC
This issue is public now:

http://seclists.org/oss-sec/2014/q4/458

Comment 7 Murray McAllister 2014-10-29 04:38:00 UTC
Created openstack-nova tracking bugs for this issue:

Affects: fedora-all [bug 1158307]

Comment 13 errata-xmlrpc 2015-04-16 14:33:16 UTC
This issue has been addressed in the following products:

  OpenStack 5 for RHEL 6

Via RHSA-2015:0844 https://rhn.redhat.com/errata/RHSA-2015-0844.html

Comment 14 errata-xmlrpc 2015-04-16 14:34:57 UTC
This issue has been addressed in the following products:

  OpenStack 5 for RHEL 7

Via RHSA-2015:0843 https://rhn.redhat.com/errata/RHSA-2015-0843.html

