Nova network DoS through API filtering

2014.10.29
Credit: Tristan
Risk: Medium
Local: No
Remote: Yes
CWE: CWE-399


CVSS Base Score: 4/10
Impact Subscore: 2.9/10
Exploitability Subscore: 8/10
Exploit range: Remote
Attack complexity: Low
Authentication: Single time
Confidentiality impact: None
Integrity impact: None
Availability impact: Partial

OpenStack Security Advisory: 2014-038 CVE: CVE-2014-3708 Date: October 28, 2014 Title: Nova network DoS through API filtering Reporter: Mohammed Naser (Vexxhost) Products: Nova Versions: up to 2014.1.3, and 2014.2 Description: Mohammed Naser from Vexxhost reported a vulnerability in Nova API filters. By listing active servers using an ip filter, an authenticated user may overload nova-network or neutron-server process, resulting in a denial of services. All Nova setups are affected. Kilo (development branch) fix: https://review.openstack.org/131460 Juno fix: https://review.openstack.org/131462 Icehouse fix: https://review.openstack.org/131461 Notes: This fix will be included in future 2014.1.4 and 2014.2.1 releases. References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3708 https://launchpad.net/bugs/1358583 --· Tristan Cacqueray OpenStack Vulnerability Management Team

References:

https://review.openstack.org/131461
https://review.openstack.org/131462
https://review.openstack.org/131460
http://seclists.org/oss-sec/2014/q4/458


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top