[USN-2000-1] Nova vulnerabilities
Posted on 23 October 2013
============================================================================
Ubuntu Security Notice USN-2000-1
October 23, 2013
nova vulnerabilities
============================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 13.04
- Ubuntu 12.10
- Ubuntu 12.04 LTS
Summary:
Nova could be made to crash if it received specially crafted network
requests.
Software Description:
- nova: OpenStack Compute cloud infrastructure
Details:
It was discovered that Nova did not properly enforce the is_public property
when determining flavor access. An authenticated attacker could exploit
this to obtain sensitive information in private flavors. This issue only
affected Ubuntu 12.10 and 13.10. (CVE-2013-2256, CVE-2013-4278)
Grant Murphy discovered that Nova would allow XML entity processing. A
remote unauthenticated attacker could exploit this using the Nova API to
cause a denial of service via resource exhaustion. This issue only
affected Ubuntu 13.10. (CVE-2013-4179)
Vishvananda Ishaya discovered that Nova inefficiently handled network
security group updates when Nova was configured to use nova-network. An
authenticated attacker could exploit this to cause a denial of service.
(CVE-2013-4185)
Jaroslav Henner discovered that Nova did not properly handle certain inputs
to the instance console when Nova was configured to use Apache Qpid. An
authenticated attacker could exploit this to cause a denial of service on
the compute node running the instance. By default, Ubuntu uses RabbitMQ
instead of Qpid. (CVE-2013-4261)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 13.04:
python-nova 1:2013.1.3-0ubuntu1.1
Ubuntu 12.10:
python-nova 2012.2.4-0ubuntu3.1
Ubuntu 12.04 LTS:
python-nova 2012.1.3+stable-20130423-e52e6912-0ubuntu1.2
In general, a standard system update will make all the necessary changes.
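A patch-level check against the fixed versions listed above, as an added example that is not part of the original notice: it implements Debian version ordering (epoch, upstream version, revision) so an installed python-nova version can be compared with the fixed one for its release. The function names are assumptions made for this example; only the FIXED table comes from the notice.

```python
import re

# Fixed python-nova versions, copied from the notice's update instructions.
FIXED = {
    "13.04": "1:2013.1.3-0ubuntu1.1",
    "12.10": "2012.2.4-0ubuntu3.1",
    "12.04": "2012.1.3+stable-20130423-e52e6912-0ubuntu1.2",
}

def _order(c):
    """Sort weight of one non-digit character under Debian version rules."""
    if c == "~":
        return -1      # tilde sorts before everything, even end of string
    if c == "":
        return 0       # end of the non-digit run
    return ord(c) if c.isalpha() else ord(c) + 256  # letters before punctuation

def _cmp_part(a, b):
    """Compare two upstream or revision strings; returns -1, 0 or 1."""
    while a or b:
        pa, pb = re.match(r"\D*", a).group(), re.match(r"\D*", b).group()
        for k in range(max(len(pa), len(pb))):
            x, y = _order(pa[k:k + 1]), _order(pb[k:k + 1])
            if x != y:
                return (x > y) - (x < y)
        a, b = a[len(pa):], b[len(pb):]
        da, db = re.match(r"\d*", a).group(), re.match(r"\d*", b).group()
        x, y = int(da or 0), int(db or 0)   # numeric, so 10 sorts after 4
        if x != y:
            return (x > y) - (x < y)
        a, b = a[len(da):], b[len(db):]
    return 0

def _split(v):
    """Split 'epoch:upstream-revision'; a missing epoch counts as 0."""
    epoch, rest = v.split(":", 1) if ":" in v else ("0", v)
    upstream, _, rev = rest.rpartition("-") if "-" in rest else (rest, "", "")
    return int(epoch), upstream, rev

def deb_compare(v1, v2):
    (e1, u1, r1), (e2, u2, r2) = _split(v1), _split(v2)
    if e1 != e2:
        return (e1 > e2) - (e1 < e2)
    return _cmp_part(u1, u2) or _cmp_part(r1, r2)

def is_patched(release, installed):
    """True when `installed` is at or above the fixed version for `release`."""
    return deb_compare(installed, FIXED[release]) >= 0
```

The installed version string can be read on each host with `dpkg-query -W -f='${Version}' python-nova`. A plain string comparison would misjudge the epoch on 13.04, which is why the ordering is implemented in full.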
References:
http://www.ubuntu.com/usn/usn-2000-1
CVE-2013-2256, CVE-2013-4179, CVE-2013-4185, CVE-2013-4261,
CVE-2013-4278
Package Information:
https://launchpad.net/ubuntu/+source/nova/1:2013.1.3-0ubuntu1.1
https://launchpad.net/ubuntu/+source/nova/2012.2.4-0ubuntu3.1
https://launchpad.net/ubuntu/+source/nova/2012.1.3+stable-20130423-e52e6912-0ubuntu1.2