Date: Tue, 28 Oct 2014 12:13:03 -0400 From: Tristan Cacqueray <tristan.cacqueray@...vance.com> To: oss-security@...ts.openwall.com Subject: [OSSA 2014-038] Nova network DoS through API filtering (CVE-2014-3708) OpenStack Security Advisory: 2014-038 CVE: CVE-2014-3708 Date: October 28, 2014 Title: Nova network DoS through API filtering Reporter: Mohammed Naser (Vexxhost) Products: Nova Versions: up to 2014.1.3, and 2014.2 Description: Mohammed Naser from Vexxhost reported a vulnerability in Nova API filters. By listing active servers using an ip filter, an authenticated user may overload nova-network or neutron-server process, resulting in a denial of services. All Nova setups are affected. Kilo (development branch) fix: https://review.openstack.org/131460 Juno fix: https://review.openstack.org/131462 Icehouse fix: https://review.openstack.org/131461 Notes: This fix will be included in future 2014.1.4 and 2014.2.1 releases. References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3708 https://launchpad.net/bugs/1358583 --· Tristan Cacqueray OpenStack Vulnerability Management Team [ CONTENT OF TYPE application/pgp-signature SKIPPED ]
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ