OSSA-2014-032: Nova VMware driver still leaks rescued images

OSSA-2014-032: Nova VMware driver still leaks rescued images¶

Date:: October 02, 2014
CVE:: CVE-2014-3608

Affects¶

Nova: up to 2014.1.2

Description¶

Garth Mollett from Red Hat reported an incomplete fix to OSSA-2014-017 (CVE-2014-2573), a vulnerability affecting Nova. If an authenticated user places an instance into rescue, and then issues a suspend command it will cause the instance to enter an ERROR state. Nova does not clean up an instance in this state correctly upon deletion. An attacker can use this to launch a denial of service attack. Only setups using the Nova VMware driver are affected by this flaw.

Patches¶

https://review.openstack.org/109624 (Icehouse)
https://review.openstack.org/94281 (Juno)

Credits¶

Garth Mollett from Red Hat (CVE-2014-3608)

References¶

this page last updated: 2024-10-03 16:29:15

Except where otherwise noted, this document is licensed under Creative Commons Attribution 3.0 License. See all OpenStack Legal Documents.