CVE-2013-4463 - OpenStack Compute (Nova) Folsom, Grizzly, and Havana does not properly verify the virtual size of a

CVE-2013-4463

Summary

OpenStack Compute (Nova) Folsom, Grizzly, and Havana does not properly verify the virtual size of a QCOW2 image, which allows local users to cause a denial of service (host file system disk consumption) via a compressed QCOW2 image. NOTE: this issue is due to an incomplete fix for CVE-2013-2096.

References

Vulnerable Configurations

cpe:2.3:a:openstack:havana:-:*:*:*:*:*:*:*
cpe:2.3:a:openstack:havana:-:*:*:*:*:*:*:*
cpe:2.3:a:openstack:grizzly:-:*:*:*:*:*:*:*
cpe:2.3:a:openstack:grizzly:-:*:*:*:*:*:*:*
cpe:2.3:a:openstack:folsom:-:*:*:*:*:*:*:*
cpe:2.3:a:openstack:folsom:-:*:*:*:*:*:*:*

CVSS

Base:	2.1 (as of 13-02-2023 - 04:46)
Impact:
Exploitability:

CWE

CWE-399

CAPEC

Access

Vector	Complexity	Authentication
LOCAL	LOW	NONE

Impact

Confidentiality	Integrity	Availability
NONE	NONE	PARTIAL

cvss-vector via4

AV:L/AC:L/Au:N/C:N/I:N/A:P

redhat via4

advisories

rhsa

id	RHSA-2014:0112

rpms

openstack-nova-0:2013.1.4-4.el6ost
openstack-nova-api-0:2013.1.4-4.el6ost
openstack-nova-cells-0:2013.1.4-4.el6ost
openstack-nova-cert-0:2013.1.4-4.el6ost
openstack-nova-common-0:2013.1.4-4.el6ost
openstack-nova-compute-0:2013.1.4-4.el6ost
openstack-nova-conductor-0:2013.1.4-4.el6ost
openstack-nova-console-0:2013.1.4-4.el6ost
openstack-nova-doc-0:2013.1.4-4.el6ost
openstack-nova-network-0:2013.1.4-4.el6ost
openstack-nova-objectstore-0:2013.1.4-4.el6ost
openstack-nova-scheduler-0:2013.1.4-4.el6ost
python-nova-0:2013.1.4-4.el6ost

refmap via4

confirm	https://bugs.launchpad.net/nova/+bug/1206081
mlist	[oss-security] 20131031 [OSSA 2013-029] Potential Nova denial of service through compressed disk images (CVE-2013-4463, CVE-2013-4469)
ubuntu	USN-2247-1

Last major update

13-02-2023 - 04:46

Published

06-02-2014 - 05:44

Last modified

13-02-2023 - 04:46