CVE-2013-1838 - Resource Management Errors vulnerability in multiple products
Attack vector: UNKNOWN
Attack complexity: UNKNOWN
Privileges required: UNKNOWN
Confidentiality impact: UNKNOWN
Integrity impact: UNKNOWN
Availability impact: UNKNOWN
Summary
OpenStack Compute (Nova) Grizzly, Folsom (2012.2), and Essex (2012.1) does not properly implement a quota for fixed IPs, which allows remote authenticated users to cause a denial of service (resource exhaustion and failure to spawn new instances) via a large number of calls to the addFixedIp function.
Vulnerable Configurations
Part | Description | Count |
---|---|---|
Application | | 3 |
OS | | 3 |
Common Weakness Enumeration (CWE)
Nessus
- NASL family: Ubuntu Local Security Checks
  NASL id: UBUNTU_USN-1771-1.NASL
  description: Loganathan Parthipan discovered that Nova did not properly validate VNC tokens after an instance was deleted. An authenticated attacker could exploit this to access other virtual machines under certain circumstances. This issue did not affect Ubuntu 11.10. (CVE-2013-0335) Vish Ishaya discovered that Nova did not always enforce quotas on fixed IPs. An authenticated attacker could exploit this to cause a denial of service via resource consumption. Nova will now enforce a quota limit of 10 fixed IPs per instance, which is configurable via
  last seen: 2020-06-01
  modified: 2020-06-02
  plugin id: 65640
  published: 2013-03-21
  reporter: Ubuntu Security Notice (C) 2013-2019 Canonical, Inc. / NASL script (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
  source: https://www.tenable.com/plugins/nessus/65640
  title: Ubuntu 11.10 / 12.04 LTS / 12.10 : nova vulnerabilities (USN-1771-1)
- NASL family: SuSE Local Security Checks
  NASL id: OPENSUSE-2013-237.NASL
  description: The Openstack Stack components were updated to Folsom level as of March 5th. Changes in openstack-cinder : - Update 12.3 packages to Folsom as of March 5th. This comes with security fixes and bug fixes that we need to have OpenStack work nicely. Fix bnc#802278. - Update cinder-config-update.diff: update etc/cinder/api-paste.ini to have a signing_dir key under [filter:authtoken]. Otherwise, cinder-api won
  last seen: 2020-06-05
  modified: 2014-06-13
  plugin id: 74936
  published: 2014-06-13
  reporter: This script is Copyright (C) 2014-2020 Tenable Network Security, Inc.
  source: https://www.tenable.com/plugins/nessus/74936
  title: openSUSE Security Update : openstack (openSUSE-2013-237)
References
- http://osvdb.org/91303
- http://rhn.redhat.com/errata/RHSA-2013-0709.html
- http://secunia.com/advisories/52580
- http://secunia.com/advisories/52728
- http://ubuntu.com/usn/usn-1771-1
- http://www.openwall.com/lists/oss-security/2013/03/14/18
- http://www.securityfocus.com/bid/58492
- https://bugs.launchpad.net/nova/+bug/1125468
- https://bugzilla.redhat.com/show_bug.cgi?id=919648
- https://exchange.xforce.ibmcloud.com/vulnerabilities/82877
- https://lists.launchpad.net/openstack/msg21892.html
- https://review.openstack.org/#/c/24451/
- https://review.openstack.org/#/c/24452/
- https://review.openstack.org/#/c/24453/