CVSS2: 5 Medium (AV:N/AC:L/Au:N/C:N/I:N/A:P)
Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: PARTIAL
EPSS: 0.077 Low (Percentile: 93.2%)

The openstack-cinder packages provide OpenStack Volume (Cinder), which
provides services to manage and access block storage volumes for use by
virtual machine instances.

It was found that the fixes for CVE-2013-1664 and CVE-2013-1665, released
via RHSA-2013:0658, did not fully correct the issues in the Extensible
Markup Language (XML) parser used by Cinder. A remote attacker could use
this flaw to send a specially crafted request to a Cinder API, causing
Cinder to consume an excessive amount of CPU and memory, or possibly crash.
(CVE-2013-4202)

A bug in the Cinder LVM driver prevented LVM snapshots from being securely
deleted in some cases, potentially leading to information disclosure to
other tenants. (CVE-2013-4183)

The CVE-2013-4202 issue was discovered by Grant Murphy of the Red Hat
Product Security Team.

Additionally, openstack-cinder has been rebased to the latest Grizzly
stable release 2013.1.3. (BZ#993094)

All users of openstack-cinder are advised to upgrade to these updated
packages, which correct these issues. After installing the updated
packages, the running Cinder services will be restarted automatically.

OS | OS Version | Architecture | Package | Affected Version | Filename |
---|---|---|---|---|---|
RedHat | 6 | noarch | openstack-cinder-doc | < 2013.1.3-2.el6ost | openstack-cinder-doc-2013.1.3-2.el6ost.noarch.rpm |
RedHat | 6 | noarch | openstack-cinder | < 2013.1.3-2.el6ost | openstack-cinder-2013.1.3-2.el6ost.noarch.rpm |
RedHat | 6 | src | openstack-cinder | < 2013.1.3-2.el6ost | openstack-cinder-2013.1.3-2.el6ost.src.rpm |
RedHat | 6 | noarch | python-cinder | < 2013.1.3-2.el6ost | python-cinder-2013.1.3-2.el6ost.noarch.rpm |