Security Advisory Moderate: openstack-nova security and bug fix update

Advisory: RHSA-2013:0709-1
Type: Security Advisory
Severity: Moderate
Issued on: 2013-04-04
Last updated on: 2013-04-04
Affected Products: Red Hat OpenStack Folsom
CVEs (cve.mitre.org): CVE-2013-0335, CVE-2013-1838

Details

Updated openstack-nova packages that fix two security issues and various
bugs are now available for Red Hat OpenStack Folsom.

The Red Hat Security Response Team has rated this update as having moderate
security impact. Common Vulnerability Scoring System (CVSS) base scores,
which give detailed severity ratings, are available for each vulnerability
from the CVE links in the References section.

The openstack-nova packages provide OpenStack Compute (code name Nova),
which provides services for provisioning, managing, and using virtual
machine instances.

A flaw was found in the way the Nova VNC proxy handled console tokens. In
some cases, a console token that was valid for one virtual machine could
be used to connect to the console of a different user's virtual machine.
Note that this flaw did not bypass the normal user name and password
authentication on the virtual machine. The attacker would need to know
valid credentials to log into the virtual machine. (CVE-2013-0335)

There was no limit on the number of fixed IP addresses that could be
assigned to a virtual machine. This could lead to a denial of service if an
attacker assigned all available IP addresses to their virtual machine. With
this update, a default limit of 10 IP addresses per virtual machine is
enforced. The "quota_fixed_ips" option in "/etc/nova/nova.conf" can be
used to set a higher or lower limit. (CVE-2013-1838)
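A way to check that a deployment actually carries the fixed-IP quota described above, as an added example that is not part of the advisory or of Nova itself: it reads the "quota_fixed_ips" option from constructed nova.conf fragments and classifies the setting. It assumes the option lives in the [DEFAULT] section and that a negative value means "unlimited", as with other Nova quota options.

```python
"""Audit nova.conf for the quota_fixed_ips limit added for CVE-2013-1838."""
import configparser
import io

# Constructed sample nova.conf fragments (not taken from any real deployment).
SAMPLE_UNSET = """[DEFAULT]
quota_instances = 10
"""
SAMPLE_UNLIMITED = """[DEFAULT]
quota_fixed_ips = -1
"""
SAMPLE_OK = """[DEFAULT]
quota_fixed_ips = 10
"""

# Default enforced by the updated packages, per the advisory text.
DEFAULT_FIXED_IP_QUOTA = 10


def fixed_ip_quota(conf_text):
    """Return the explicit quota_fixed_ips value, or None if the file does
    not set it (the packaged default then applies).
    Assumption: Nova reads the option from the [DEFAULT] section."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_file(io.StringIO(conf_text))
    raw = parser.defaults().get("quota_fixed_ips")
    return None if raw is None else int(raw.strip())


def audit_fixed_ip_quota(conf_text, max_allowed=DEFAULT_FIXED_IP_QUOTA):
    """Classify the configured limit:
    'default'   - option absent, the updated packages enforce 10
    'unlimited' - negative value (assumed to disable the quota)
    'too_high'  - explicit limit above the local policy ceiling
    'ok'        - explicit limit within policy"""
    value = fixed_ip_quota(conf_text)
    if value is None:
        return "default"
    if value < 0:
        return "unlimited"
    if value > max_allowed:
        return "too_high"
    return "ok"


if __name__ == "__main__":
    for name, text in (("unset", SAMPLE_UNSET),
                       ("unlimited", SAMPLE_UNLIMITED),
                       ("ok", SAMPLE_OK)):
        print(f"{name:10s} -> {audit_fixed_ip_quota(text)}")
```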

Red Hat would like to thank the OpenStack project for reporting these
issues. Upstream acknowledges Loganathan Parthipan (HP) and Rohit Karajgi
(NTT Data) as the original, independent reporters of CVE-2013-0335, and
Vish Ishaya (Nebula) as the original reporter of CVE-2013-1838.

This update also fixes various bugs in the openstack-nova packages.

All users of openstack-nova are advised to upgrade to these updated
packages, which correct these issues. After installing the updated
packages, the running Nova services will be restarted automatically.


Solution

Before applying this update, make sure all previously-released errata
relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to
use the Red Hat Network to apply this update are available at
https://access.redhat.com/knowledge/articles/11258

Updated packages

Red Hat OpenStack Folsom

SRPMS:
openstack-nova-2012.2.3-7.el6ost.src.rpm
File outdated by: RHBA-2013:0798

x86_64:
openstack-nova-2012.2.3-7.el6ost.noarch.rpm
File outdated by: RHBA-2013:0798
openstack-nova-api-2012.2.3-7.el6ost.noarch.rpm
File outdated by: RHBA-2013:0798
openstack-nova-cert-2012.2.3-7.el6ost.noarch.rpm
File outdated by: RHBA-2013:0798
openstack-nova-common-2012.2.3-7.el6ost.noarch.rpm
File outdated by: RHBA-2013:0798
openstack-nova-compute-2012.2.3-7.el6ost.noarch.rpm
File outdated by: RHBA-2013:0798
openstack-nova-console-2012.2.3-7.el6ost.noarch.rpm
File outdated by: RHBA-2013:0798
openstack-nova-doc-2012.2.3-7.el6ost.noarch.rpm
File outdated by: RHBA-2013:0798
openstack-nova-network-2012.2.3-7.el6ost.noarch.rpm
File outdated by: RHBA-2013:0798
openstack-nova-objectstore-2012.2.3-7.el6ost.noarch.rpm
File outdated by: RHBA-2013:0798
openstack-nova-scheduler-2012.2.3-7.el6ost.noarch.rpm
File outdated by: RHBA-2013:0798
openstack-nova-volume-2012.2.3-7.el6ost.noarch.rpm
File outdated by: RHBA-2013:0798
python-nova-2012.2.3-7.el6ost.noarch.rpm
File outdated by: RHBA-2013:0798

(The unlinked packages above are only available from the Red Hat Network)

Bugs fixed (see bugzilla for more information)

887968 - RFE: Configurable hardware models for disk/nic based manual user input
891349 - Multi-process launching issue
910727 - Cannot spawn new machines. The scheduler.log says TypeError: can't compare datetime.datetime to NoneType
912284 - with resume_guests_state_on_host_boot=True rebooting host leaves VM's in Error state
915274 - Attempting to 'nova live-migrate' to a non-existing host, it fails, & the instance remains in a perpetual state of MIGRATING
915586 - CVE-2013-0335 OpenStack nova: VNC proxy can connect to the wrong VM
916174 - wrong quota_usages updated when admin deletes instance of common use
916176 - Add a namespace prefix to glance hardware properties used by libvirt
916615 - "preallocate_images" config directive should be added to nova.conf
917534 - Nova: SELinux AVC Errors for "iptables-save" / "iptables-restor".
919648 - CVE-2013-1838 Openstack Nova: DoS by allocating all Fixed IPs


References

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from:
https://www.redhat.com/security/team/key/#package

The Red Hat security contact is secalert@redhat.com. More contact details at http://www.redhat.com/security/team/contact/