(RHSA-2013:0657) Moderate: openstack-nova security, bug fix, and enhancement update

ID RHSA-2013:0657
Type redhat
Reporter RedHat
Modified 2018-06-09T14:17:33


The openstack-nova packages provide OpenStack Compute (code name Nova), which provides services for provisioning, managing, and using virtual machine instances.

A denial of service flaw was found in the Extensible Markup Language (XML) parser used by Nova. A remote attacker could use this flaw to send a specially-crafted request to a Nova API, causing Nova to consume an excessive amount of CPU and memory. (CVE-2013-1664)

A flaw was found in the XML parser used by Nova. If a remote attacker sent a specially-crafted request to a Nova API, it could cause Nova to connect to external entities, causing a large amount of system load, or allow an attacker to read files on the Nova server that are accessible to the user running Nova. (CVE-2013-1665)

This update also fixes several bugs. The following are noteworthy changes:

  • In single node, all-in-one environments where all services (such as Nova, Glance, and Keystone) are installed and run on a single system, after a host reboot, some instances may have automatically started again, but soon after, automatically shut down. "Instance shutdown by itself. Calling the stop API" messages were logged to Nova logs (in "/var/log/nova/") in these cases. (BZ#890512)

  • In environments using Quantum, after creating a network with two subnets, removing an IP address (using "nova remove-fixed-ip"), and then adding a fixed address (using "nova add-fixed-ip"), resulted in the virtual machine having two IP addresses. (BZ#908373)

  • Prior to this update, after converting a downloaded image to raw, the original, downloaded image (a large .part file) was not removed. After installing this update, the following three options must be configured in "/etc/nova/nova.conf" to correctly resolve this issue:

remove_unused_base_images=true remove_unused_resized_minimum_age_seconds=60 remove_unused_original_minimum_age_seconds=60


Additionally, this update adds the following enhancement:

  • The RHSA-2013:0658 openstack-cinder update implemented a Cinder driver that allows Red Hat Storage to be used as a back-end for Cinder volumes. This update adds a libvirt connector to Nova, which is a requirement for using the new Cinder driver. Note that you must manually install the glusterfs and glusterfs-fuse packages on the Nova nodes.

Additionally, when running Security-Enhanced Linux (SELinux) in Enforcing mode, the latest selinux-policy packages provided by RHBA-2013:0618 must be installed, otherwise denials will be logged when attempting to mount Red Hat Storage volumes. (BZ#912384)

All users of openstack-nova are advised to upgrade to these updated packages, which correct these issues and add this enhancement. After installing the updated packages, the Nova running services will be restarted automatically.