OSSA-2013-024: Resource limit circumvention in Nova private flavors

OSSA-2013-024: Resource limit circumvention in Nova private flavors¶

Date:: August 28, 2013
CVE:: CVE-2013-4278

Affects¶

Nova: All versions

Description¶

Ken’ichi Ohmichi from NEC reported that the fix for OSSA 2013-019 (CVE-2013-2256) was incomplete. Any tenant was still able to boot any other tenant’s private flavors by guessing a flavor ID. This potentially allowed circumvention of any resource limits enforced through the os-flavor-access:is_public property.

Patches¶

https://review.openstack.org/#/c/43296 (Folsom)
https://review.openstack.org/#/c/43281 (Grizzly)
https://review.openstack.org/#/c/42922 (Havana)

Credits¶

Ken’ichi Ohmichi from NEC (CVE-2013-4278)

References¶

this page last updated: 2024-10-03 16:29:15

Creative Commons Attribution 3.0 License

Except where otherwise noted, this document is licensed under Creative Commons Attribution 3.0 License. See all OpenStack Legal Documents.