5 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:N/I:N/A:P
0.077 Low
EPSS
Percentile
93.2%
The openstack-cinder packages provide OpenStack Volume (code name Cinder),
which provides services to manage and access block storage volumes for use
by virtual machine instances.
A denial of service flaw was found in the Extensible Markup Language (XML)
parser used by Cinder. A remote attacker could use this flaw to send a
specially-crafted request to a Cinder API, causing Cinder to consume an
excessive amount of CPU and memory. (CVE-2013-1664)
A flaw was found in the XML parser used by Cinder. If a remote attacker
sent a specially-crafted request to a Cinder API, it could cause Cinder to
connect to external entities, causing a large amount of system load, or
allow an attacker to read files on the Cinder server that are accessible
to the user running Cinder. (CVE-2013-1665)
This update also adds the following enhancement:
All users of openstack-cinder are advised to upgrade to these updated
packages, which fix these issues and add this enhancement. After installing
the updated packages, the Cinder running services will be restarted
automatically.
OS | Version | Architecture | Package | Version | Filename |
---|---|---|---|---|---|
RedHat | 6 | noarch | python-cinder | < 2012.2.3-4.el6ost | python-cinder-2012.2.3-4.el6ost.noarch.rpm |
RedHat | 6 | noarch | openstack-cinder-doc | < 2012.2.3-4.el6ost | openstack-cinder-doc-2012.2.3-4.el6ost.noarch.rpm |
RedHat | 6 | src | openstack-cinder | < 2012.2.3-4.el6ost | openstack-cinder-2012.2.3-4.el6ost.src.rpm |
RedHat | 6 | noarch | openstack-cinder | < 2012.2.3-4.el6ost | openstack-cinder-2012.2.3-4.el6ost.noarch.rpm |