Red Hat Bugzilla – Bug 813768
CVE-2012-2101 openstack-nova: No quota enforced on security group rules
Last modified: 2016-01-04 09:41:33 EST
Created attachment 578328
This is an advance warning of a vulnerability discovered in OpenStack,
to give you, as downstream stakeholders, a chance to coordinate the
release of fixes and reduce the vulnerability window. Please treat the
following information as confidential until the proposed public
Title: No quota enforced on security group rules
Reporter: Dan Prince <email@example.com>
Affects: All versions
Dan Prince reported a vulnerability in Nova. He discovered that there
was no limit on the number of security group rules a user can create.
By creating a very large set of rules, an unreasonable number of
iptables rules will be created on compute nodes, resulting in a denial
See attached diff. This proposed patch will be merged to the Nova
master, stable/essex, and stable/diablo branches on public disclosure
Proposed public disclosure date/time:
Thursday, April 19th, 1500UTC
Please do not make the issue public (or release public patches) before
this coordinated embargo date.
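An added example, not the Nova patch or any Nova code, showing the kind of per-project quota check whose absence the report describes, with the unbounded behaviour beside the enforced one; the `SecurityGroupStore` and `QuotaExceeded` names, the rule layout and the iptables line format are hypothetical stand-ins.

```python
from collections import defaultdict


class QuotaExceeded(Exception):
    """Raised when a project would exceed its security-group-rule quota."""


class SecurityGroupStore:
    """In-memory stand-in (hypothetical) for the rule table a compute node
    renders into iptables. rule_quota=None reproduces the unbounded
    (vulnerable) behaviour; a positive integer is the hardened setting."""

    def __init__(self, rule_quota=None):
        self.rule_quota = rule_quota
        self._rules = defaultdict(list)  # project_id -> list of rule tuples

    def rule_count(self, project_id):
        return len(self._rules[project_id])

    def add_rule(self, project_id, proto, from_port, to_port, cidr):
        # The missing check: refuse once the project is at quota, before the
        # rule is stored or pushed to compute nodes.
        count = self.rule_count(project_id)
        if self.rule_quota is not None and count >= self.rule_quota:
            raise QuotaExceeded(
                f"project {project_id} has {count} rules (quota {self.rule_quota})")
        self._rules[project_id].append((proto, from_port, to_port, cidr))

    def iptables_lines(self, project_id):
        # One iptables rule per security group rule: what a compute node must
        # load grows linearly with whatever the API accepted.
        return [
            f"-A nova-compute-inst -s {cidr} -p {proto} --dport {f}:{t} -j ACCEPT"
            for proto, f, t, cidr in self._rules[project_id]
        ]


def compare_configurations(n_requests=500, quota=20):
    """Feed the same sequence of rule requests to both stores and return how
    many rules each one accepted (constructed sample input)."""
    unbounded, limited = SecurityGroupStore(None), SecurityGroupStore(quota)
    accepted = {"unbounded": 0, "quota": 0}
    for port in range(1, n_requests + 1):
        unbounded.add_rule("proj-a", "tcp", port, port, "10.0.0.0/8")
        accepted["unbounded"] += 1
        try:
            limited.add_rule("proj-a", "tcp", port, port, "10.0.0.0/8")
            accepted["quota"] += 1
        except QuotaExceeded:
            pass
    return accepted
```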
This issue affects the version of the openstack-nova package, as shipped with Fedora release 16. Please schedule an update.
This issue affects the version of the openstack-nova package, as shipped with Fedora EPEL 6. Please schedule an update.
Created openstack-nova tracking bugs for this issue
Affects: fedora-16 [bug 814361]
Affects: epel-6 [bug 814362]