Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-ID: <5231DBBD.8070003@openstack.org>
Date: Thu, 12 Sep 2013 17:20:29 +0200
From: Thierry Carrez <thierry@...nstack.org>
To: Open Source Security <oss-security@...ts.openwall.com>
Subject: [OSSA 2013-026] Potential denial of service on Nova when using Qpid
 (CVE-2013-4261)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

OpenStack Security Advisory: 2013-026
CVE: CVE-2013-4261
Date: September 12, 2013
Title: Potential denial of service on Nova when using Qpid
Reporter: Jaroslav Henner (Red Hat)
Products: Nova
Affects: Folsom, Grizzly

Description:
Jaroslav Henner from Red Hat reported a vulnerability in Nova when using
Apache Qpid as the RPC backend. By sending any random text longer than
65K characters to an instance console and requesting the console log
contents through the API, an authenticated user may disrupt the
nova-compute node his instance is running on. This vulnerability could
be leveraged in a Denial of Service attack against the cloud provider.
Only Folsom and Grizzly setups using Qpid as their RPC backend are
affected. Havana setups, or setups using other RPC backends (like
RabbitMQ), are all unaffected.

Grizzly fix:
https://review.openstack.org/#/c/43303/

Folsom fix:
https://review.openstack.org/#/c/45426/

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4261
https://bugs.launchpad.net/nova/+bug/1215091

Regards,

- -- 
Thierry Carrez
OpenStack Vulnerability Management Team
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
Comment: Using GnuPG with undefined - http://www.enigmail.net/

iQIcBAEBCAAGBQJSMdu9AAoJEFB6+JAlsQQjenQQAJWcaFpLYRVzGarpbDIyFnU6
Pvrg5fBuJhPbrNNr+oSFcrMbIy4G70COfY53GEq1JyZ122Oo3//KpK9QpPxSck8F
aeQa7YqJJocI1XoyVkpOZIMD8lOERZpLZpotV3UuzmKV1KS2W5UAJ3CTvBWcuhZq
YlFmvEz1Hqryrk3nLPtXCQrhG5SnCwFUIu3AXrBNcp5+7dG1kulniz4Bjp1fNdgb
dGFNUGY+YK+by7SuwcuTKgRwes2kB0HPVR/AyfailpUMFljgvjNx6zybaIhOt3CT
eZHLJwxyDJDPZriZZtR23+5M6dZdnd/OZIbZOCZnSvAmq+R4NSCTMU9nJIQFbvdQ
Ar2WgWQgOwjqjjDngOMxnizVHkOx26JE5NIiwhQeucjHA797G8fJ51GQ71nhBEne
kclRCVIn9wLFJSNN6/TqgfF0e44GTtsRxCKlFtHwVPwSI/KBICZKTt3VyY/6njN6
n2UWubbqqYtN05a0VK281ah3RbZYOPLtkZGCuI+PPzwGnNBl9gJk+9o8+jCVEPSY
3Pn43//fOFM5GAoFngescTqzl1W08T7Zii+UsBbYAfCF3ym+TswPY41MYXui2d4j
bqlsh8sOhVfKBHCJNB3UKKTZ2IFBo0ve8JlyAgZfw2GbJ928+CfqVAJ27vwmzT5N
03iM2MHgLDGsCf1D+dcK
=+ZxS
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.