oss-sec mailing list archives

[OSSA 2013-020] Denial of Service in Nova network source security groups (CVE-2013-4185)


From: Jeremy Stanley <jeremy () openstack org>
Date: Tue, 6 Aug 2013 15:05:01 +0000

OpenStack Security Advisory: 2013-020
CVE: CVE-2013-4185
Date: August 6, 2013
Title: Denial of Service in Nova network source security groups
Reporter: Vishvananda Ishaya (Nebula)
Products: Nova
Affects: All versions

Description:
Vishvananda Ishaya from Nebula reported a denial of service
vulnerability in Nova's handling of network source security group
policy updates. By performing a large number of server creation
operations, the proportion of updates increases quadratically and
may overwhelm nova-network such that it is no longer able to service
other requests in a timely fashion. Only setups relying on
nova-network are affected.

Havana (development branch) fix:
https://review.openstack.org/39541

Grizzly fix:
https://review.openstack.org/39543

Folsom fix:
https://review.openstack.org/39544

Notes:
This fix will be included in the havana-3 development milestone and
in a future 2013.1.3 release.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4185
https://bugs.launchpad.net/nova/+bug/1184041

-- 
Jeremy Stanley
OpenStack Vulnerability Management Team
