CVE-2014-2573

The VMWare driver in OpenStack Compute (Nova) 2013.2 through 2013.2.2 does not properly put VMs into RESCUE status, which allows remote authenticated users to bypass the quota limit and cause a denial of service (resource consumption) by requesting the VM be put into rescue and then deleting the image.

CVSS v2.0 2.3 LOW

2.3^/10

CVSS v2.0 : LOW

V2 Legend

Vector : AV:A/AC:M/Au:S/C:N/I:N/A:P

Exploitability : 4.4 / Impact : 2.9

Access Vector ADJACENT_NETWORK

Access Complexity MEDIUM

Authentication SINGLE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact PARTIAL

References

Link	Resource
http://www.openwall.com/lists/oss-security/2014/03/21/1
http://www.openwall.com/lists/oss-security/2014/03/21/2
https://bugs.launchpad.net/nova/+bug/1269418
http://secunia.com/advisories/57498	Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:openstack:compute:2013.2:::::::*
	cpe:2.3:a:openstack:compute:2013.2.2:::::::*
	cpe:2.3:a:openstack:compute:2013.2.1:::::::*

Information

Published : 2014-03-25 09:55

Updated : 2014-03-26 06:41

NVD link : CVE-2014-2573

Mitre link : CVE-2014-2573

JSON object : View

CWE

CWE-264

Permissions, Privileges, and Access Controls

Products Affected

openstack

compute

{"cve": {"data_type": "CVE", "references": {"reference_data": [{"url": "http://www.openwall.com/lists/oss-security/2014/03/21/1", "name": "[oss-security] 20140321 CVE request for vulnerability in OpenStack Nova", "tags": [], "refsource": "MLIST"}, {"url": "http://www.openwall.com/lists/oss-security/2014/03/21/2", "name": "[oss-security] 20140321 Re: CVE request for vulnerability in OpenStack Nova", "tags": [], "refsource": "MLIST"}, {"url": "https://bugs.launchpad.net/nova/+bug/1269418", "name": "https://bugs.launchpad.net/nova/+bug/1269418", "tags": [], "refsource": "CONFIRM"}, {"url": "http://secunia.com/advisories/57498", "name": "57498", "tags": ["Vendor Advisory"], "refsource": "SECUNIA"}]}, "data_format": "MITRE", "description": {"description_data": [{"lang": "en", "value": "The VMWare driver in OpenStack Compute (Nova) 2013.2 through 2013.2.2 does not properly put VMs into RESCUE status, which allows remote authenticated users to bypass the quota limit and cause a denial of service (resource consumption) by requesting the VM be put into rescue and then deleting the image."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "en", "value": "CWE-264"}]}]}, "data_version": "4.0", "CVE_data_meta": {"ID": "CVE-2014-2573", "ASSIGNER": "cve@mitre.org"}}, "impact": {"baseMetricV2": {"cvssV2": {"version": "2.0", "baseScore": 2.3, "accessVector": "ADJACENT_NETWORK", "vectorString": "AV:A/AC:M/Au:S/C:N/I:N/A:P", "authentication": "SINGLE", "integrityImpact": "NONE", "accessComplexity": "MEDIUM", "availabilityImpact": "PARTIAL", "confidentialityImpact": "NONE"}, "severity": "LOW", "impactScore": 2.9, "obtainAllPrivilege": false, "exploitabilityScore": 4.4, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}}, "publishedDate": "2014-03-25T16:55Z", "configurations": {"nodes": [{"children": [], "operator": "OR", "cpe_match": [{"cpe23Uri": "cpe:2.3:a:openstack:compute:2013.2:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:openstack:compute:2013.2.2:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:openstack:compute:2013.2.1:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}]}], "CVE_data_version": "4.0"}, "lastModifiedDate": "2014-03-26T13:41Z"}

2.3 /10