Executive Summary
Summary | |
---|---|
Title | OpenStack Nova vulnerabilities |
Informations | |||
---|---|---|---|
Name | USN-2247-1 | First vendor Publication | 2014-06-17 |
Vendor | Ubuntu | Last vendor Modification | 2014-06-17 |
Severity (Vendor) | N/A | Revision | N/A |
Security-Database Scoring CVSS v3
Cvss vector : N/A | |||
---|---|---|---|
Overall CVSS Score | NA | ||
Base Score | NA | Environmental Score | NA |
impact SubScore | NA | Temporal Score | NA |
Exploitabality Sub Score | NA | ||
Calculate full CVSS 3.0 Vectors scores |
Security-Database Scoring CVSS v2
Cvss vector : (AV:N/AC:M/Au:N/C:C/I:N/A:N) | |||
---|---|---|---|
Cvss Base Score | 7.1 | Attack Range | Network |
Cvss Impact Score | 6.9 | Attack Complexity | Medium |
Cvss Expoit Score | 8.6 | Authentication | None Required |
Calculate full CVSS 2.0 Vectors scores |
Detail
A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 14.04 LTS - Ubuntu 13.10 - Ubuntu 12.04 LTS Summary: Several security issues were fixed in OpenStack Nova. Software Description: - nova: OpenStack Compute cloud infrastructure Details: Darragh O'Reilly discovered that OpenStack Nova did not properly set up its sudo configuration. If a different flaw was found in OpenStack Nova, this vulnerability could be used to escalate privileges. This issue only affected Ubuntu 13.10 and Ubuntu 14.04 LTS. (CVE-2013-1068) Bernhard M. Wiedemann and Pedraig Brady discovered that OpenStack Nova did not properly verify the virtual size of a QCOW2 images. A remote authenticated attacker could exploit this to create a denial of service via disk consumption. This issue did not affect Ubuntu 14.04 LTS. (CVE-2013-4463, CVE-2013-4469) JuanFra Rodriguez Cardoso discovered that OpenStack Nova did not enforce SSL connections when Nova was configured to use QPid and qpid_protocol is set to 'ssl'. If a remote attacker were able to perform a man-in-the-middle attack, this flaw could be exploited to view sensitive information. Ubuntu does not use QPid with Nova by default. This issue did not affect Ubuntu 14.04 LTS. (CVE-2013-6491) Loganathan Parthipan discovered that OpenStack Nova did not properly create expected files during KVM live block migration. A remote authenticated attacker could exploit this to obtain root disk snapshot contents via ephemeral storage. This issue did not affect Ubuntu 14.04 LTS. (CVE-2013-7130) Stanislaw Pitucha discovered that OpenStack Nova did not enforce the image format when rescuing an instance. A remote authenticated attacker could exploit this to read host files. In the default installation, attackers would be isolated by the libvirt guest AppArmor profile. This issue only affected Ubuntu 13.10. (CVE-2014-0134) Mark Heckmann discovered that OpenStack Nova did not enforce RBAC policy when adding security group rules via the EC2 API. A remote authenticated user could exploit this to gain unintended access to this API. This issue only affected Ubuntu 13.10. (CVE-2014-0167) Update instructions: The problem can be corrected by updating your system to the following package versions: Ubuntu 14.04 LTS: Ubuntu 13.10: Ubuntu 12.04 LTS: In general, a standard system update will make all the necessary changes. References: Package Information: https://launchpad.net/ubuntu/+source/nova/2012.1.3+stable-20130423-e52e6912-0ubuntu1.4 |
Original Source
Url : http://www.ubuntu.com/usn/USN-2247-1 |
CWE : Common Weakness Enumeration
% | Id | Name |
---|---|---|
29 % | CWE-399 | Resource Management Errors |
29 % | CWE-264 | Permissions, Privileges, and Access Controls |
29 % | CWE-200 | Information Exposure |
14 % | CWE-310 | Cryptographic Issues |
OVAL Definitions
Definition Id: oval:org.mitre.oval:def:24438 | |||
Oval ID: | oval:org.mitre.oval:def:24438 | ||
Title: | USN-2247-1 -- nova vulnerabilities | ||
Description: | Several security issues were fixed in OpenStack Nova. | ||
Family: | unix | Class: | patch |
Reference(s): | USN-2247-1 CVE-2013-1068 CVE-2013-4463 CVE-2013-4469 CVE-2013-6491 CVE-2013-7130 CVE-2014-0134 CVE-2014-0167 | Version: | 3 |
Platform(s): | Ubuntu 14.04 Ubuntu 13.10 Ubuntu 12.04 | Product(s): | nova |
Definition Synopsis: | |||
|
Definition Id: oval:org.mitre.oval:def:24611 | |||
Oval ID: | oval:org.mitre.oval:def:24611 | ||
Title: | USN-2248-1 -- cinder vulnerability | ||
Description: | OpenStack Cinder could be made to run programs as an administrator under certain conditions. | ||
Family: | unix | Class: | patch |
Reference(s): | USN-2248-1 CVE-2013-1068 | Version: | 3 |
Platform(s): | Ubuntu 14.04 Ubuntu 13.10 | Product(s): | cinder |
Definition Synopsis: | |||
|
Definition Id: oval:org.mitre.oval:def:24624 | |||
Oval ID: | oval:org.mitre.oval:def:24624 | ||
Title: | USN-2208-1 -- cinder vulnerability | ||
Description: | OpenStack Cinder could be made to expose sensitive information over the network. | ||
Family: | unix | Class: | patch |
Reference(s): | USN-2208-1 CVE-2013-6491 | Version: | 5 |
Platform(s): | Ubuntu 12.10 | Product(s): | cinder |
Definition Synopsis: | |||
Definition Id: oval:org.mitre.oval:def:24757 | |||
Oval ID: | oval:org.mitre.oval:def:24757 | ||
Title: | USN-2208-2 -- quantum vulnerability | ||
Description: | OpenStack Quantum could be made to expose sensitive information over the network. | ||
Family: | unix | Class: | patch |
Reference(s): | USN-2208-2 CVE-2013-6491 | Version: | 5 |
Platform(s): | Ubuntu 12.10 | Product(s): | quantum |
Definition Synopsis: | |||
CPE : Common Platform Enumeration
Type | Description | Count |
---|---|---|
Application |
| 9 |
Application | 1 | |
Application | 1 | |
Application | 1 | |
Application | 1 | |
Application | 1 | |
Application | 1 | |
Os | 2 |
Nessus® Vulnerability Scanner
Date | Description |
---|---|
2014-07-14 | Name : The remote Fedora host is missing a security update. File : fedora_2014-7954.nasl - Type : ACT_GATHER_INFO |
2014-06-19 | Name : The remote Ubuntu host is missing a security-related patch. File : ubuntu_USN-2248-1.nasl - Type : ACT_GATHER_INFO |
2014-06-18 | Name : The remote Ubuntu host is missing a security-related patch. File : ubuntu_USN-2247-1.nasl - Type : ACT_GATHER_INFO |
2014-05-07 | Name : The remote Ubuntu host is missing a security-related patch. File : ubuntu_USN-2208-1.nasl - Type : ACT_GATHER_INFO |
2014-05-07 | Name : The remote Ubuntu host is missing a security-related patch. File : ubuntu_USN-2208-2.nasl - Type : ACT_GATHER_INFO |
2014-02-05 | Name : The remote Fedora host is missing a security update. File : fedora_2014-1463.nasl - Type : ACT_GATHER_INFO |
2014-02-05 | Name : The remote Fedora host is missing a security update. File : fedora_2014-1516.nasl - Type : ACT_GATHER_INFO |
2013-12-14 | Name : The remote Fedora host is missing a security update. File : fedora_2013-22667.nasl - Type : ACT_GATHER_INFO |
2013-12-12 | Name : The remote Fedora host is missing a security update. File : fedora_2013-22693.nasl - Type : ACT_GATHER_INFO |
Alert History
Date | Informations |
---|---|
2014-06-19 21:29:00 |
|
2014-06-19 13:23:03 |
|
2014-06-18 00:21:35 |
|