Executive Summary
| Summary | |
|---|---|
| Title | Cinder vulnerabilities |
| Informations | |||
|---|---|---|---|
| Name | USN-2005-1 | First vendor Publication | 2013-10-23 |
| Vendor | Ubuntu | Last vendor Modification | 2013-10-23 |
| Severity (Vendor) | N/A | Revision | N/A |
Security-Database Scoring CVSS v3
| Cvss vector : N/A | |||
|---|---|---|---|
| Overall CVSS Score | NA | ||
| Base Score | NA | Environmental Score | NA |
| impact SubScore | NA | Temporal Score | NA |
| Exploitabality Sub Score | NA | ||
| Calculate full CVSS 3.0 Vectors scores | |||
Security-Database Scoring CVSS v2
| Cvss vector : (AV:N/AC:M/Au:N/C:N/I:N/A:P) | |||
|---|---|---|---|
| Cvss Base Score | 4.3 | Attack Range | Network |
| Cvss Impact Score | 2.9 | Attack Complexity | Medium |
| Cvss Expoit Score | 8.6 | Authentication | None Required |
| Calculate full CVSS 2.0 Vectors scores | |||
Detail
| A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 13.04 Summary: Cinder could be made to crash or expose sensitive information. Software Description: - cinder: OpenStack storage service Details: Rongze Zhu discovered that the Cinder LVM driver did not zero out data when deleting snapshots. This could expose sensitive information to authenticated users when subsequent servers use the volume. (CVE-2013-4183) Grant Murphy discovered that Cinder would allow XML entity processing. A remote unauthenticated attacker could exploit this using the Cinder API to cause a denial of service via resource exhaustion. (CVE-2013-4179, CVE-2013-4202) Update instructions: The problem can be corrected by updating your system to the following package versions: Ubuntu 13.04: In general, a standard system update will make all the necessary changes. References: Package Information: |
Original Source
| Url : http://www.ubuntu.com/usn/USN-2005-1 |
CWE : Common Weakness Enumeration
| % | Id | Name |
|---|---|---|
| 33 % | CWE-399 | Resource Management Errors |
| 33 % | CWE-200 | Information Exposure |
| 33 % | CWE-119 | Failure to Constrain Operations within the Bounds of a Memory Buffer |
OVAL Definitions
| Definition Id: oval:org.mitre.oval:def:18683 | |||
| Oval ID: | oval:org.mitre.oval:def:18683 | ||
| Title: | USN-2005-1 -- cinder vulnerabilities | ||
| Description: | Cinder could be made to crash or expose sensitive information. | ||
| Family: | unix | Class: | patch |
| Reference(s): | USN-2005-1 CVE-2013-4183 CVE-2013-4179 CVE-2013-4202 | Version: | 5 |
| Platform(s): | Ubuntu 13.04 | Product(s): | cinder |
| Definition Synopsis: | |||
CPE : Common Platform Enumeration
| Type | Description | Count |
|---|---|---|
| Application | 6 | |
| Application | 1 | |
| Application | 3 | |
| Os | 1 |
Nessus® Vulnerability Scanner
| Date | Description |
|---|---|
| 2013-10-24 | Name : The remote Ubuntu host is missing a security-related patch. File : ubuntu_USN-2000-1.nasl - Type : ACT_GATHER_INFO |
| 2013-10-24 | Name : The remote Ubuntu host is missing a security-related patch. File : ubuntu_USN-2005-1.nasl - Type : ACT_GATHER_INFO |
| 2013-09-05 | Name : The remote Fedora host is missing a security update. File : fedora_2013-15373.nasl - Type : ACT_GATHER_INFO |
Alert History
| Date | Informations |
|---|---|
| 2014-02-17 12:02:40 |
|
| 2013-10-24 00:18:47 |
|
