Description
The VMWare driver in OpenStack Compute (Nova) before 2014.1.3 allows remote authenticated users to bypass the quota limit and cause a denial of service (resource consumption) by putting the VM into the rescue state, suspending it, which puts it into an ERROR state, and then deleting the image. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-2573.
CVSS vector
AV:A/AC:L/C:N/I:N/A:P
Exploitability: 5.1 | Impact: 2.9
Complexity: Low
Confidentiality: None
Integrity: None
Affected Packages (4 packages)
Debian: nova < 2014.1.3-1+3
Ubuntu: nova < 1:2014.1.3-0ubuntu1.1
Vulnerability Details (5)
OSV: OpenStack Compute (Nova)'s VMWare driver vulnerable to denial of service (2022-05-14)
GHSA: OpenStack Compute (Nova)'s VMWare driver vulnerable to denial of service (2022-05-14)
OSV: nova vulnerabilities (2014-11-11)
CVEList: CVE-2014-3608: The VMWare driver in OpenStack Compute (Nova) before 2014 (2014-10-06)
OSV: CVE-2014-3608: The VMWare driver in OpenStack Compute (Nova) before 2014 (2014-10-06)
Vendor Advisories (3)
Ubuntu: OpenStack Nova vulnerabilities (2014-11-11)
Red Hat: openstack-nova: incomplete fix for CVE-2014-2573, Nova VMware driver still leaks rescued images (2014-10-02)
Debian: CVE-2014-3608: nova - The VMWare driver in OpenStack Compute (Nova) before 2014.1.3 allows remote auth... (2014)
Community (2)
Bugzilla: CVE-2014-3608 openstack-nova: incomplete fix for CVE-2014-2573, Nova VMware driver still leaks rescued images [fedora-all] (2014-10-03)
Bugzilla: CVE-2014-3608 openstack-nova: incomplete fix for CVE-2014-2573, Nova VMware driver still leaks rescued images (2014-10-01)