PublicDateAtUSN: 2013-09-16
Candidate: CVE-2013-4278
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4278
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-4278
https://usn.ubuntu.com/usn/usn-2000-1
The "create an instance" API in OpenStack Compute (Nova) Folsom, Grizzly,
and Havana does not properly enforce the os-flavor-access:is_public
property, which allows remote authenticated users to boot arbitrary flavors
by guessing the flavor id. NOTE: this issue is due to an incomplete fix
sarnold> An incomplete fix for CVE-2013-2256 caused this vulnerability
jdstrand> The version of nova in Ubuntu 13.04 in raring-updates needs this fix
jdstrand> flavor_access.py API extension not available on Essex (Ubuntu 12.04
jdstrand> Ubuntu 12.10 still vulnerable to CVE-2013-2256 so it is not
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=720602
https://bugs.launchpad.net/ossa/+bug/1212179
Discovered-by: Ken'ichi Ohmichi
upstream: https://github.com/openstack/nova/commit/4054cc4a22a1fea997dec76afb5646fd6c6ea6b9 (havana)
upstream: http://github.com/openstack/nova/commit/8b686195afe7e6dfb46c56c1ef2fe9c993d8e495 (grizzly)
upstream: http://github.com/openstack/nova/commit/6825959560e06725d26625fd21f5c0b78b305492 (folsom)
precise_nova: not-affected (code-not-present)
quantal_nova: not-affected
raring_nova: released (1:2013.1.3-0ubuntu1.1)
saucy_nova: not-affected (1:2013.2~rc2-0ubuntu1)
devel_nova: not-affected (1:2013.2~rc2-0ubuntu1)