Security update for Openstack Nova
SUSE Security Update: Security update for Openstack Nova
Openstack Nova has been updated to fix the following
security issues:
* CVE-2013-0280: Jonathan Murray from NCC Group, Joshua
Harlow from Yahoo! and Stuart Stent independently reported
a vulnerability in the parsing of XML requests in Keystone,
Nova and Cinder. By using entities in XML requests, an
unauthenticated attacker may consume excessive resources on
the Keystone, Nova or Cinder API servers, resulting in a
denial of service and potentially a crash. Authenticated
attackers may also leverage XML entities to read the
content of a local file on the Keystone API server. This
only affects servers with XML support enabled.
* CVE-2013-0335: Loganathan Parthipan (HP) and Rohit
Karajgi (NTT Data) independently reported a vulnerability
in Nova. If a user requests a console and then deletes the
VM, it is possible that the console token could allow
connectivity to a different VM before the console token
expires if the VNC port gets reused in that time period.
This issue can be worked around by disabling VNC support.
* CVE-2013-1838: Vish Ishaya reported a vulnerability
in Nova where there is no quota for Fixed IPs. Previously
the instance quota acted as a proxy for a Fixed IP quota,
but if your configuration allows an instance to consume
more than one Fixed IP via an extension such as multinic
then this is no longer true. Running out of Fixed IPs would
result in not being able to spawn new instances.
| Announcement ID: | SUSE-SU-2013:0718-1 |
| Rating: | moderate |
| References: | #803351 #806240 #808622 |
| Affected Products: |
An update that contains security fixes can now be installed.
Description:
Openstack Nova has been updated to fix the following
security issues:
* CVE-2013-0280: Jonathan Murray from NCC Group, Joshua
Harlow from Yahoo! and Stuart Stent independently reported
a vulnerability in the parsing of XML requests in Keystone,
Nova and Cinder. By using entities in XML requests, an
unauthenticated attacker may consume excessive resources on
the Keystone, Nova or Cinder API servers, resulting in a
denial of service and potentially a crash. Authenticated
attackers may also leverage XML entities to read the
content of a local file on the Keystone API server. This
only affects servers with XML support enabled.
* CVE-2013-0335: Loganathan Parthipan (HP) and Rohit
Karajgi (NTT Data) independently reported a vulnerability
in Nova. If a user requests a console and then deletes the
VM, it is possible that the console token could allow
connectivity to a different VM before the console token
expires if the VNC port gets reused in that time period.
This issue can be worked around by disabling VNC support.
* CVE-2013-1838: Vish Ishaya reported a vulnerability
in Nova where there is no quota for Fixed IPs. Previously
the instance quota acted as a proxy for a Fixed IP quota,
but if your configuration allows an instance to consume
more than one Fixed IP via an extension such as multinic
then this is no longer true. Running out of Fixed IPs would
result in not being able to spawn new instances.
Patch Instructions:
To install this SUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product:
- SUSE Cloud 1.0:
zypper in -t patch sleclo10sp2-openstack-nova-7661
To bring your system up-to-date, use "zypper patch".
Package List:
- SUSE Cloud 1.0 (x86_64):
- openstack-nova-2012.1+git.1364234478.e52e691-0.5.1
- openstack-nova-api-2012.1+git.1364234478.e52e691-0.5.1
- openstack-nova-cert-2012.1+git.1364234478.e52e691-0.5.1
- openstack-nova-compute-2012.1+git.1364234478.e52e691-0.5.1
- openstack-nova-doc-2012.1+git.1364234478.e52e691-0.5.1
- openstack-nova-network-2012.1+git.1364234478.e52e691-0.5.1
- openstack-nova-objectstore-2012.1+git.1364234478.e52e691-0.5.1
- openstack-nova-scheduler-2012.1+git.1364234478.e52e691-0.5.1
- openstack-nova-vncproxy-2012.1+git.1364234478.e52e691-0.5.1
- openstack-nova-volume-2012.1+git.1364234478.e52e691-0.5.1
- python-nova-2012.1+git.1364234478.e52e691-0.5.1
References:
- https://bugzilla.novell.com/803351
- https://bugzilla.novell.com/806240
- https://bugzilla.novell.com/808622
- http://download.suse.com/patch/finder/?keywords=8f98eb3d0da00abeb4826120151fc736