CVE-2013-4261

Name: CVE-2013-4261
Description: OpenStack Compute (Nova) Folsom, Grizzly, and earlier, when using Apache Qpid for the RPC backend, does not properly handle errors that occur during messaging, which allows remote attackers to cause a denial of service (connection pool consumption), as demonstrated using multiple requests that send long strings to an instance console and retrieving the console log.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
NVD severity: low (attack range: remote)

Vulnerable and fixed packages

The table below lists information on source packages.

| Source Package | Release | Version | Status |
|---|---|---|---|
| nova (PTS) | jessie | 2014.1.3-11 | fixed |
| | stretch (security), stretch | 2:14.0.0-4+deb9u1 | fixed |
| | sid | 2:18.0.0-1 | fixed |

The information below is based on the following data on fixed versions.

| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| nova | source | (unstable) | 2013.2-1 | low | | |

Notes

[wheezy] - nova <no-dsa> (Will be fixed in a point update)
https://bugs.launchpad.net/nova/+bug/1215091/comments/10 (relevant question for other components)
probably does not affect Essex/2012.1, see https://bugs.launchpad.net/nova/+bug/1215091/comments/6
