Date: Tue, 28 Oct 2014 12:13:03 -0400 From: Tristan Cacqueray <tristan.cacqueray@...vance.com> To: oss-security@...ts.openwall.com Subject: [OSSA 2014-038] Nova network DoS through API filtering (CVE-2014-3708) OpenStack Security Advisory: 2014-038 CVE: CVE-2014-3708 Date: October 28, 2014 Title: Nova network DoS through API filtering Reporter: Mohammed Naser (Vexxhost) Products: Nova Versions: up to 2014.1.3, and 2014.2 Description: Mohammed Naser from Vexxhost reported a vulnerability in Nova API filters. By listing active servers using an ip filter, an authenticated user may overload nova-network or neutron-server process, resulting in a denial of services. All Nova setups are affected. Kilo (development branch) fix: https://review.openstack.org/131460 Juno fix: https://review.openstack.org/131462 Icehouse fix: https://review.openstack.org/131461 Notes: This fix will be included in future 2014.1.4 and 2014.2.1 releases. References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3708 https://launchpad.net/bugs/1358583 --· Tristan Cacqueray OpenStack Vulnerability Management Team Download attachment "signature.asc" of type "application/pgp-signature" (539 bytes)
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.