[prev in list] [next in list] [prev in thread] [next in thread]
List: oss-security
Subject: [oss-security] [OSSA 2014-038] Nova network DoS through API filtering (CVE-2014-3708)
From: Tristan Cacqueray <tristan.cacqueray () enovance ! com>
Date: 2014-10-28 16:13:03
Message-ID: 544FC08F.5080309 () enovance ! com
[Download RAW message or body]
OpenStack Security Advisory: 2014-038
CVE: CVE-2014-3708
Date: October 28, 2014
Title: Nova network DoS through API filtering
Reporter: Mohammed Naser (Vexxhost)
Products: Nova
Versions: up to 2014.1.3, and 2014.2
Description:
Mohammed Naser from Vexxhost reported a vulnerability in Nova API
filters. By listing active servers using an ip filter, an authenticated
user may overload nova-network or neutron-server process, resulting in a
denial of services. All Nova setups are affected.
Kilo (development branch) fix:
https://review.openstack.org/131460
Juno fix:
https://review.openstack.org/131462
Icehouse fix:
https://review.openstack.org/131461
Notes:
This fix will be included in future 2014.1.4 and 2014.2.1 releases.
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3708
https://launchpad.net/bugs/1358583
--·
Tristan Cacqueray
OpenStack Vulnerability Management Team
["signature.asc" (application/pgp-signature)]
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic