[USN-1771-1] OpenStack Nova vulnerabilities
Posted on 20 March 2013
Ubuntu Security
============================================================================
Ubuntu Security Notice USN-1771-1
March 20, 2013
nova vulnerabilities
============================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 12.10
- Ubuntu 12.04 LTS
- Ubuntu 11.10
Summary:
Two security issues were fixed in Nova.
Software Description:
- nova: OpenStack Compute cloud infrastructure
Details:
Loganathan Parthipan discovered that Nova did not properly validate VNC
tokens after an instance was deleted. An authenticated attacker could
exploit this to access other virtual machines under certain circumstances.
This issue did not affect Ubuntu 11.10. (CVE-2013-0335)
Vish Ishaya discovered that Nova did not always enforce quotas on fixed
IPs. An authenticated attacker could exploit this to cause a denial of
service via resource consumption. Nova will now enforce a quota limit of
10 fixed IPs per instance, which is configurable via 'quota_fixed_ips'
in /etc/nova/nova.conf. (CVE-2013-1838)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 12.10:
python-nova 2012.2.1+stable-20121212-a99a802e-0ubuntu1.4
Ubuntu 12.04 LTS:
python-nova 2012.1.3+stable-20120827-4d2a4afe-0ubuntu1.4
Ubuntu 11.10:
python-nova 2011.3-0ubuntu6.13
In general, a standard system update will make all the necessary changes.
References:
http://www.ubuntu.com/usn/usn-1771-1
CVE-2013-0335, CVE-2013-1838
Package Information:
https://launchpad.net/ubuntu/+source/nova/2012.2.1+stable-20121212-a99a802e-0ubuntu1.4
https://launchpad.net/ubuntu/+source/nova/2012.1.3+stable-20120827-4d2a4afe-0ubuntu1.4
https://launchpad.net/ubuntu/+source/nova/2011.3-0ubuntu6.13