Bug 848825 (CVE-2013-4497) - VUL-0: CVE-2013-4497: openstack-nova: XenAPI security groups not kept through migrate or resize
Summary: VUL-0: CVE-2013-4497: openstack-nova: XenAPI security groups not kept through...
Status: RESOLVED FIXED
Duplicates: 851391
Alias: CVE-2013-4497
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
Priority: P3 - Medium
Severity: Minor
Target Milestone: ---
Deadline: 2013-12-31
Assignee: Security Team bot
QA Contact: Security Team bot
URL:
Whiteboard: .
Keywords:
Depends on:
Blocks:
 
Reported: 2013-11-04 09:54 UTC by Victor Pereira
Modified: 2014-01-28 15:05 UTC
3 users

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments

Description Victor Pereira 2013-11-04 09:54:08 UTC
CVE-2013-4497

Chris Behrens with Rackspace and Vangelis Tasoulas reported a set of
vulnerabilities in OpenStack Nova. When migrating or resizing an
instance, including live migration, existing security groups may not
be reapplied after the operation completes. This can lead to
unintentional network exposure for virtual machines. Only setups
using the XenAPI backend are affected.

References:
http://comments.gmane.org/gmane.comp.security.oss.general/11406
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-4497
https://bugzilla.redhat.com/show_bug.cgi?id=1026171
Comment 1 Swamp Workflow Management 2013-11-05 23:00:08 UTC
bugbot adjusting priority
Comment 2 Marcus Meissner 2013-11-21 13:59:49 UTC
*** Bug 851391 has been marked as a duplicate of this bug. ***
Comment 3 Vincent Untz 2013-11-21 14:46:06 UTC
Sascha: here are the latest security issues we have.
Comment 4 Vincent Untz 2013-11-21 14:50:47 UTC
We don't use the XenAPI backend as part of SUSE Cloud, but it's probably a good idea to still ship the fix if possible in case some customer abuses our packages...
Comment 6 Sascha Peilicke 2013-12-06 13:32:14 UTC
sr#29793
Comment 7 Swamp Workflow Management 2013-12-17 09:37:23 UTC
The SWAMPID for this issue is 55537.
This issue was rated as moderate.
Please submit fixed packages until 2013-12-31.
When done, please reassign the bug to security-team@suse.de.
Patchinfo will be handled by security team.
Comment 8 Sebastian Krahmer 2014-01-28 08:56:18 UTC
released
Comment 9 Swamp Workflow Management 2014-01-28 11:59:32 UTC
Update released for: openstack-nova, openstack-nova-api, openstack-nova-cells, openstack-nova-cert, openstack-nova-compute, openstack-nova-conductor, openstack-nova-console, openstack-nova-consoleauth, openstack-nova-network, openstack-nova-novncproxy, openstack-nova-objectstore, openstack-nova-scheduler, openstack-nova-test, openstack-nova-vncproxy, openstack-nova-volume, python-nova
Products:
SUSE-CLOUD 2.0 (x86_64)
Comment 10 Swamp Workflow Management 2014-01-28 15:05:30 UTC
SUSE-SU-2014:0149-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 847648,848825
CVE References: CVE-2013-4463,CVE-2013-4497
Sources used:
SUSE Cloud 2.0 (src):    openstack-nova-2013.1.5.a17.g4655df1-0.7.1