Veracode Vulnerability Database: VERACODE:14390
History: May 02, 2019 - 4:48 a.m.

Denial Of Service (DoS)

2019-05-02 04:48:39
sca.analysiscenter.veracode.com

CVSS2: 4.3 Medium

Access Vector: NETWORK
Access Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: PARTIAL

AV:N/AC:M/Au:N/C:N/I:N/A:P

The openstack-cinder packages provide OpenStack Volume (Cinder), which provides services to manage and access block storage volumes for use by virtual machine instances.

It was found that the fixes for CVE-2013-1664 and CVE-2013-1665, released via RHSA-2013:0658, did not fully correct the issues in the Extensible Markup Language (XML) parser used by Cinder. A remote attacker could use this flaw to send a specially crafted request to a Cinder API, causing Cinder to consume an excessive amount of CPU and memory, or possibly crash. (CVE-2013-4202)

A bug in the Cinder LVM driver prevented LVM snapshots from being securely deleted in some cases, potentially leading to information disclosure to other tenants. (CVE-2013-4183)

The CVE-2013-4202 issue was discovered by Grant Murphy of the Red Hat Product Security Team.

Additionally, openstack-cinder has been rebased to the latest Grizzly stable release 2013.1.3. (BZ#993094)

All users of openstack-cinder are advised to upgrade to these updated packages, which correct these issues. After installing the updated packages, the running Cinder services will be restarted automatically.
