MEDIUM

GHSA-92hc-c226-32q7

OpenStack Compute (Nova)'s VMWare driver vulnerable to denial of service

Details

The VMWare driver in OpenStack Compute (Nova) before 2014.1.3 allows remote authenticated users to bypass the quota limit and cause a denial of service (resource consumption) by putting the VM into the rescue state, suspending it, which puts into an ERROR state, and then deleting the image. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-2573.

Are you affected?

Enter the version of the package you're using.

Affected packages

PyPI / nova

Introduced in: 0 Fixed in: 2014.1.3

Fix pip install --upgrade 'nova>=2014.1.3'

References

https://nvd.nist.gov/vuln/detail/CVE-2014-3608 [ADVISORY]
https://access.redhat.com/errata/RHSA-2014:1781 [WEB]
https://access.redhat.com/errata/RHSA-2014:1782 [WEB]
https://access.redhat.com/security/cve/CVE-2014-3608 [WEB]
https://bugs.launchpad.net/nova/+bug/1338830 [WEB]
https://bugzilla.redhat.com/show_bug.cgi?id=1148253 [WEB]
https://opendev.org/openstack/nova [PACKAGE]
https://web.archive.org/web/20200228053850/http://www.securityfocus.com/bid/70220 [WEB]
http://rhn.redhat.com/errata/RHSA-2014-1781.html [WEB]
http://rhn.redhat.com/errata/RHSA-2014-1782.html [WEB]
http://seclists.org/oss-sec/2014/q4/65 [WEB]
http://www.securityfocus.com/bid/70220 [WEB]