CVE-2013-4261

Publication date 22 August 2013

Last updated 24 July 2024

OpenStack Compute (Nova) Folsom, Grizzly, and earlier, when using Apache Qpid for the RPC backend, does not properly handle errors that occur during messaging, which allows remote attackers to cause a denial of service (connection pool consumption), as demonstrated using multiple requests that send long strings to an instance console and retrieving the console log.

Read the notes from the security team

Status

Show unmaintained releases

Package	Ubuntu Release	Status
nova	13.10 saucy	Not affected
	13.04 raring	Fixed 1:2013.1.3-0ubuntu1.1
	12.10 quantal	Ignored
	12.04 LTS precise	Ignored
	10.04 LTS lucid	Not in release

How can I get the fixes?
What do statuses mean?

Notes

jdstrand

Ubuntu 13.04 has fix in raring-updates backward-compatibility breaking change deemed too intrusive for stable release update

References

MITRE
NVD
Launchpad
Debian

Related Ubuntu Security Notices (USN)

USN-2000-1
Nova vulnerabilities
23 October 2013

Other references

https://bugzilla.redhat.com/show_bug.cgi?id=999164
https://bugs.launchpad.net/nova/+bug/1215091
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-4261
https://bugs.launchpad.net/nova/+bug/1175808
https://www.cve.org/CVERecord?id=CVE-2013-4261