PublicDateAtUSN: 2014-10-06
Candidate: CVE-2014-3608
PublicDate: 2014-10-06 14:55:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3608
 http://seclists.org/oss-sec/2014/q4/65
 https://ubuntu.com/security/notices/USN-2407-1
Description:
 The VMware driver in OpenStack Compute (Nova) before 2014.1.3 allows remote authenticated users to bypass the quota limit and cause a denial of service (resource consumption) by putting the VM into the rescue state, suspending it, which puts it into an ERROR state, and then deleting the image. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-2573.
Ubuntu-Description:
Notes:
 jdstrand> requires use with unsupported VMware ESX driver. This is not compiled in to libvirt in the Ubuntu archive, which makes this code path unavailable in Ubuntu
Bugs:
 https://bugs.launchpad.net/nova/+bug/1338830
Priority: negligible
Discovered-by: Garth Mollett
Assigned-to:
CVSS:

Patches_nova:
 upstream: https://review.openstack.org/#/c/94281/ (juno)
 upstream: https://review.openstack.org/#/c/109624/ (icehouse)
upstream_nova: released (2014.1.3)
lucid_nova: DNE
precise_nova: not-affected (code not present)
trusty_nova: released (1:2014.1.3-0ubuntu1)
trusty/esm_nova: DNE (trusty was released [1:2014.1.3-0ubuntu1])
utopic_nova: not-affected (1:2014.2~rc1-0ubuntu2)
devel_nova: not-affected (1:2014.2~rc1-0ubuntu2)