CVE-2013-4497

NameCVE-2013-4497
DescriptionThe XenAPI backend in OpenStack Compute (Nova) Folsom, Grizzly, and Havana before 2013.2 does not properly apply security groups (1) when resizing an image or (2) during live migration, which allows remote attackers to bypass intended restrictions.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
NVD severitymedium (attack range: remote)

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
nova (PTS)jessie2014.1.3-11fixed
stretch (security), stretch2:14.0.0-4+deb9u1fixed
sid2:18.0.1-2fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
novasource(unstable)2013.2-1medium
novasourcewheezy(not affected)

Notes

[wheezy] - nova <not-affected> (OpenStack Essex is not affected)
https://bugs.launchpad.net/nova/+bug/1073306
https://github.com/openstack/nova/commit/ba0d007fb78bd1182c3c0b808dbd7ccc84640e80
https://bugs.launchpad.net/nova/+bug/1202266
https://github.com/openstack/nova/commit/5cced7a6dd32d231c606e25dbf762d199bf9cca7

Search for package or bug name: Reporting problems