Vulnerabilities > CVE-2013-1838 - Resource Management Errors vulnerability in multiple products

CVSS 4.0 - MEDIUM

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

SINGLE

Confidentiality impact

NONE

Integrity impact

NONE

Availability impact

PARTIAL

network

low complexity

openstack

canonical

CWE-399

nessus

NVD

Published: 2013-03-22

Updated: 2017-08-29

Summary

OpenStack Compute (Nova) Grizzly, Folsom (2012.2), and Essex (2012.1) does not properly implement a quota for fixed IPs, which allows remote authenticated users to cause a denial of service (resource exhaustion and failure to spawn new instances) via a large number of calls to the addFixedIp function. Per http://www.ubuntu.com/usn/usn-1771-1/ "A security issue affects these releases of Ubuntu and its derivatives: Ubuntu 12.10 Ubuntu 12.04 LTS Ubuntu 11.10"

Vulnerable Configurations

Part	Description	Count
Application	Openstack Openstack Essex 2012.1 Openstack Folsom 2012.2 Openstack Grizzly 2012.2	3
OS	Canonical Canonical Ubuntu Linux 11.10 Canonical Ubuntu Linux 12.04 Canonical Ubuntu Linux 12.10	3

Common Weakness Enumeration (CWE)

CWE-399 - Resource Management Errors

Nessus

NASL family	Ubuntu Local Security Checks
NASL id	UBUNTU_USN-1771-1.NASL
description	Loganathan Parthipan discovered that Nova did not properly validate VNC tokens after an instance was deleted. An authenticated attacker could exploit this to access other virtual machines under certain circumstances. This issue did not affect Ubuntu 11.10. (CVE-2013-0335) Vish Ishaya discovered that Nova did not always enforce quotas on fixed IPs. An authenticated attacker could exploit this to cause a denial of service via resource consumption. Nova will now enforce a quota limit of 10 fixed IPs per instance, which is configurable via
last seen	2020-06-01
modified	2020-06-02
plugin id	65640
published	2013-03-21
reporter	Ubuntu Security Notice (C) 2013-2019 Canonical, Inc. / NASL script (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/65640
title	Ubuntu 11.10 / 12.04 LTS / 12.10 : nova vulnerabilities (USN-1771-1)

NASL family	SuSE Local Security Checks
NASL id	OPENSUSE-2013-237.NASL
description	The Openstack Stack components were updated to Folsom level as of March 5th. Changes in openstack-cinder : - Update 12.3 packages to Folsom as of March 5th. This comes with security fixes and bug fixes that we need to have OpenStack work nicely. Fix bnc#802278. - Update cinder-config-update.diff: update etc/cinder/api-paste.ini to have a signing_dir key under [filter:authtoken]. Otherwise, cinder-api won
last seen	2020-06-05
modified	2014-06-13
plugin id	74936
published	2014-06-13
reporter	This script is Copyright (C) 2014-2020 Tenable Network Security, Inc.
source	https://www.tenable.com/plugins/nessus/74936
title	openSUSE Security Update : openstack (openSUSE-2013-237)

Redhat

advisories

rhsa

id	RHSA-2013:0709

rpms

openstack-nova-0:2012.2.3-7.el6ost
openstack-nova-api-0:2012.2.3-7.el6ost
openstack-nova-cert-0:2012.2.3-7.el6ost
openstack-nova-common-0:2012.2.3-7.el6ost
openstack-nova-compute-0:2012.2.3-7.el6ost
openstack-nova-console-0:2012.2.3-7.el6ost
openstack-nova-doc-0:2012.2.3-7.el6ost
openstack-nova-network-0:2012.2.3-7.el6ost
openstack-nova-objectstore-0:2012.2.3-7.el6ost
openstack-nova-scheduler-0:2012.2.3-7.el6ost
openstack-nova-volume-0:2012.2.3-7.el6ost
python-nova-0:2012.2.3-7.el6ost

Summary

Vulnerable Configurations

Common Weakness Enumeration (CWE)

Nessus

Redhat

References