CVE-2013-4497
First published: Tue Nov 05 2013(Updated: )
The XenAPI backend in OpenStack Compute (Nova) Folsom, Grizzly, and Havana before 2013.2 does not properly apply security groups (1) when resizing an image or (2) during live migration, which allows remote attackers to bypass intended restrictions.
Credit: secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| pip/nova | <12.0.0a0 | 12.0.0a0 |
| OpenStack Havana | <=havana-3 | |
| OpenStack Havana | =havana-1 | |
| OpenStack Havana | =havana-2 | |
| OpenStack Grizzly | ||
| Red Hat OpenStack Folsom |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://www.openwall.com/lists/oss-security/2013/11/03/2
- http://www.openwall.com/lists/oss-security/2013/11/03/3
- https://bugs.launchpad.net/nova/+bug/1073306
- https://bugs.launchpad.net/nova/+bug/1202266
- https://nvd.nist.gov/vuln/detail/CVE-2013-4497
- https://github.com/openstack/nova/commit/01de658210fd65171bfbf5450c93673b5ce0bd9e
- https://github.com/openstack/nova/commit/5cced7a6dd32d231c606e25dbf762d199bf9cca7
- https://github.com/openstack/nova/commit/ba0d007fb78bd1182c3c0b808dbd7ccc84640e80
- https://github.com/openstack/nova/commit/df2ea2e3acdede21b40d47b7adbeac04213d031b
- https://github.com/advisories/GHSA-27q4-38qf-m25h (Advisory)
Frequently Asked Questions
What is the severity of CVE-2013-4497?
CVE-2013-4497 is classified as a moderate severity vulnerability due to the potential for security group bypass during image resizing and live migration.
How do I fix CVE-2013-4497?
To fix CVE-2013-4497, you should upgrade your OpenStack Nova installation to version 12.0.0a0 or later.
What versions of OpenStack are affected by CVE-2013-4497?
CVE-2013-4497 affects OpenStack Compute (Nova) versions Folsom, Grizzly, and Havana before 2013.2.
What impact does CVE-2013-4497 have on OpenStack deployments?
The impact of CVE-2013-4497 allows remote attackers to bypass intended restrictions on security groups during certain operations.
Is there a workaround for CVE-2013-4497 until I can apply the fix?
There is no documented workaround for CVE-2013-4497; the best mitigation is to apply the patch as soon as possible.
- agent/type
- collector/github-advisory-latest
- source/GitHub
- alias/GHSA-27q4-38qf-m25h
- alias/CVE-2013-4497
- agent/software-canonical-lookup
- agent/severity
- agent/weakness
- agent/references
- agent/author
- agent/description
- collector/github-advisory
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/first-publish-date
- agent/event
- agent/trending
- agent/source
- agent/softwarecombine
- agent/tags
- collector/nvd-index
- agent/software-canonical-lookup-request
- collector/nvd-cve
- source/NVD
- package-manager/pip
- vendor/openstack
- canonical/openstack havana
- version/openstack havana/havana-3
- version/openstack havana/havana-1
- version/openstack havana/havana-2
- canonical/openstack grizzly
- canonical/red hat openstack folsom