CVE-2013-4497
Published: 5 November 2013
The XenAPI backend in OpenStack Compute (Nova) Folsom, Grizzly, and Havana before 2013.2 does not properly apply security groups (1) when resizing an image or (2) during live migration, which allows remote attackers to bypass intended restrictions.
Notes
| Author | Note |
|---|---|
| mdeslaur | OSSA 2013-030 |
| jdstrand | the proposed patches have tests cases even though upstream only patched grizzly without a test case Ubuntu 12.04 LTS (essex) is not affected |
Priority
Status
| Package | Release | Status |
|---|---|---|
|
nova Launchpad, Ubuntu, Debian |
lucid |
Does not exist
|
| precise |
Not vulnerable
(code-not-present)
|
|
| quantal |
Ignored
(end of life, was pending)
|
|
| raring |
Ignored
(end of life)
|
|
| saucy |
Not vulnerable
(1:2013.2~rc2-0ubuntu1)
|
|
| trusty |
Does not exist
(trusty was not-affected)
|
|
| upstream |
Released
(2013.2.rc1)
|
|
|
Patches: upstream: https://review.openstack.org/52991 other: https://review.openstack.org/#/c/52989/ other: https://review.openstack.org/#/c/52987/ upstream: https://github.com/openstack/nova/commit/01de658210fd65171bfbf5450c93673b5ce0bd9e upstream: https://github.com/openstack/nova/commit/df2ea2e3acdede21b40d47b7adbeac04213d031b |
||