1. Ubuntu Security Notices
  2. USN-2000-1

USN-2000-1: Nova vulnerabilities

Publication date

23 October 2013

Overview

Nova could be made to crash if it received specially crafted network requests.

Releases

Packages

  • nova - OpenStack Compute cloud infrastructure

Details

It was discovered that Nova did not properly enforce the is_public property
when determining flavor access. An authenticated attacker could exploit
this to obtain sensitive information in private flavors. This issue only
affected Ubuntu 12.10 and 13.10. (CVE-2013-2256, CVE-2013-4278)

Grant Murphy discovered that Nova would allow XML entity processing. A
remote unauthenticated attacker could exploit this using the Nova API to
cause a denial of service via resource exhaustion. This issue only
affected Ubuntu 13.10. (CVE-2013-4179)

Vishvananda Ishaya discovered that Nova inefficiently handled network
security group updates when Nova was configured to use nova-network. An
authenticated attacker could exploit this to cause a denial of service.
(CVE-2013-4185)

Jaroslav Henner...

It was discovered that Nova did not properly enforce the is_public property
when determining flavor access. An authenticated attacker could exploit
this to obtain sensitive information in private flavors. This issue only
affected Ubuntu 12.10 and 13.10. (CVE-2013-2256, CVE-2013-4278)

Grant Murphy discovered that Nova would allow XML entity processing. A
remote unauthenticated attacker could exploit this using the Nova API to
cause a denial of service via resource exhaustion. This issue only
affected Ubuntu 13.10. (CVE-2013-4179)

Vishvananda Ishaya discovered that Nova inefficiently handled network
security group updates when Nova was configured to use nova-network. An
authenticated attacker could exploit this to cause a denial of service.
(CVE-2013-4185)

Jaroslav Henner discovered that Nova did not properly handle certain inputs
to the instance console when Nova was configured to use Apache Qpid. An
authenticated attacker could exploit this to cause a denial of service on
the compute node running the instance. By default, Ubuntu uses RabbitMQ
instead of Qpid. (CVE-2013-4261)

Update instructions

In general, a standard system update will make all the necessary changes.

Learn more about how to get the fixes.

The problem can be corrected by updating your system to the following package versions:

Ubuntu Release Package Version
13.04 raring python-nova –  1:2013.1.3-0ubuntu1.1
12.10 quantal python-nova –  2012.2.4-0ubuntu3.1
12.04 precise python-nova –  2012.1.3+stable-20130423-e52e6912-0ubuntu1.2

Reduce your security exposure

Ubuntu Pro provides ten-year security coverage to 25,000+ packages in Main and Universe repositories, and it is free for up to five machines.

Get Ubuntu Pro

References

Have additional questions?

Talk to a member of the team ›