From ${URL} :

OpenStack Security Advisory: 2013-023
CVE: CVE-2013-4179, CVE-2013-4202
Date: August 8, 2013
Title: Denial of Service using XML entities in Nova/Cinder extensions
Reporter: Grant Murphy (Red Hat)
Products: Nova, Cinder
Affects: Grizzly and later

Description:
Grant Murphy from Red Hat reported that vulnerabilities in XML request parsers were not fully patched in OSSA 2013-004. By leveraging XML entity expansion in specific extensions, an unauthenticated attacker may still consume excessive resources on the Nova (CVE-2013-4179) or Cinder (CVE-2013-4202) API servers, resulting in a denial of service and potentially a crash. Only Nova setups making use of the security group extension in Grizzly are affected. Only Cinder setups making use of the backups or volume transfer API extension in Grizzly are affected.

Havana (development branch) fixes:
Nova: https://review.openstack.org/40879
Cinder: https://review.openstack.org/40881

Grizzly fixes:
Nova: https://review.openstack.org/40880
Cinder: https://review.openstack.org/40883

Note: The Nova and Cinder Grizzly fixes will be included in the upcoming 2013.1.3 stable release.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4179
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4202
https://launchpad.net/bugs/1190229

@maintainer(s): after the bump, in case we need to stabilize the package, please say explicitly if it is ready for the stabilization or not.
cinder and nova have been updated to 2013.1.3, all bad versions removed from tree, please close.
I'm removing myself as I see this as closable, re-add me if you don't think so.
Okay, closing.
CVE-2013-4179 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-4179): The security group extension in OpenStack Compute (Nova) Grizzly 2013.1.3, Havana before havana-3, and earlier allows remote attackers to cause a denial of service (resource consumption and crash) via an XML Entity Expansion (XEE) attack. NOTE: this issue is due to an incomplete fix for CVE-2013-1664.
CVE-2013-4202 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-4202): The (1) backup (api/contrib/backups.py) and (2) volume transfer (contrib/volume_transfer.py) APIs in OpenStack Cinder Grizzly 2013.1.3 and earlier allow remote attackers to cause a denial of service (resource consumption and crash) via an XML Entity Expansion (XEE) attack. NOTE: this issue is due to an incomplete fix for CVE-2013-1664.
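As an added illustration of the parser-side mitigation these advisories describe (example code written for this page, not Nova's or Cinder's own): an expat-based SAX parser that aborts on <!DOCTYPE> and <!ENTITY> declarations before expat can expand anything, wrapped so that an extension can parse a request body into a minidom Document. The request bodies and the `transfer` element name are constructed for the example.

```python
"""Reject untrusted XML bodies that carry DTD or entity declarations.

Entity expansion (the XEE class in CVE-2013-4179 / CVE-2013-4202) happens
inside expat before the application sees a single node, so the reliable
place to stop it is the declaration itself, not the resulting tree.
"""
import xml.sax
from xml.dom import minidom
from xml.sax import expatreader


class ForbiddenXmlError(ValueError):
    """Raised when an XML body declares a DTD or an entity."""


class ProtectedExpatParser(expatreader.ExpatParser):
    """SAX ExpatParser that refuses inline DTDs and <!ENTITY> declarations."""

    def __init__(self, forbid_dtd=True, forbid_entities=True, *args, **kwargs):
        super().__init__(*args, **kwargs)
        self.forbid_dtd = forbid_dtd
        self.forbid_entities = forbid_entities

    def reset(self):
        super().reset()  # creates self._parser, the underlying pyexpat object
        # pyexpat calls these handlers while reading the prolog, before any
        # entity reference in the body is expanded; raising aborts the parse.
        if self.forbid_dtd:
            self._parser.StartDoctypeDeclHandler = self._forbid_doctype
        if self.forbid_entities:
            self._parser.EntityDeclHandler = self._forbid_entity
            self._parser.UnparsedEntityDeclHandler = self._forbid_entity

    def _forbid_doctype(self, name, sysid, pubid, has_internal_subset):
        raise ForbiddenXmlError("inline DTD forbidden")

    def _forbid_entity(self, *decl):
        raise ForbiddenXmlError("<!ENTITY> forbidden")


def safe_minidom_parse_string(xml_text):
    """Parse an untrusted XML string to a minidom Document, or raise."""
    return minidom.parseString(xml_text, parser=ProtectedExpatParser())


def body_is_acceptable(xml_text):
    """True only if the body is well-formed and free of DTD/entity declarations."""
    try:
        safe_minidom_parse_string(xml_text)
        return True
    except (ForbiddenXmlError, xml.sax.SAXParseException):
        return False


# Constructed sample bodies: a plain volume-transfer request and one that
# declares an internal entity, the hook an expansion attack is built on.
PLAIN_BODY = "<transfer><volume_id>vol-1</volume_id></transfer>"
ENTITY_BODY = '<!DOCTYPE transfer [<!ENTITY e "e">]><transfer>&e;</transfer>'
```

A default `minidom.parseString(body)` call with no parser argument expands internal entities silently, which is why every XML-accepting extension has to be routed through the protected parser, not just the ones patched first.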