CVSS2 score: 5 (Medium)
Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: PARTIAL
Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P
openstack-nova is vulnerable to denial of service (DoS) attacks. The vulnerability exists because the XML libraries for Python 3.4, 3.3, 3.2, 3.1, 2.7, and 2.6, as used in OpenStack Keystone Essex, Folsom, and Grizzly; Compute (Nova) Essex and Folsom; Cinder Folsom; Django; and possibly other products, allow remote attackers to cause a denial of service (resource consumption and crash) via an XML Entity Expansion (XEE) attack.
blog.python.org/2013/02/announcing-defusedxml-fixes-for-xml.html
bugs.python.org/issue17239
lists.openstack.org/pipermail/openstack-announce/2013-February/000078.html
rhn.redhat.com/errata/RHSA-2013-0657.html
rhn.redhat.com/errata/RHSA-2013-0658.html
rhn.redhat.com/errata/RHSA-2013-0670.html
ubuntu.com/usn/usn-1757-1
www.openwall.com/lists/oss-security/2013/02/19/2
www.openwall.com/lists/oss-security/2013/02/19/4
access.redhat.com/security/updates/classification/#moderate
bugs.launchpad.net/nova/+bug/1100282
bugzilla.redhat.com/show_bug.cgi?id=889868
bugzilla.redhat.com/show_bug.cgi?id=890512
bugzilla.redhat.com/show_bug.cgi?id=891347
bugzilla.redhat.com/show_bug.cgi?id=891420
bugzilla.redhat.com/show_bug.cgi?id=902409
bugzilla.redhat.com/show_bug.cgi?id=905113
bugzilla.redhat.com/show_bug.cgi?id=906783
bugzilla.redhat.com/show_bug.cgi?id=907178
bugzilla.redhat.com/show_bug.cgi?id=908373
bugzilla.redhat.com/show_bug.cgi?id=910224
bugzilla.redhat.com/show_bug.cgi?id=911103
bugzilla.redhat.com/show_bug.cgi?id=912384
bugzilla.redhat.com/show_bug.cgi?id=913613
bugzilla.redhat.com/show_bug.cgi?id=914759
bugzilla.redhat.com/show_bug.cgi?id=916241
rhn.redhat.com/errata/RHBA-2013-0618.html