Openstack Havana vulnerabilities

CVE-2013-6419 [MEDIUM] CWE-200 CVE-2013-6419: Interaction error in OpenStack Nova and Neutron before Havana 2013.2.1 and icehouse-1 does not valid Interaction error in OpenStack Nova and Neutron before Havana 2013.2.1 and icehouse-1 does not validate the instance ID of the tenant making a request, which allows remote tenants to obtain sensitive metadata by spoofing the device ID that is bound to a port, which is not properly handled by (1) api/metadata/handler.py in Nova and (2) the neutron-meta

CVE-2013-2030 [LOW] CWE-264 CVE-2013-2030: keystone/middleware/auth_token.py in OpenStack Nova Folsom, Grizzly, and Havana uses an insecure tem keystone/middleware/auth_token.py in OpenStack Nova Folsom, Grizzly, and Havana uses an insecure temporary directory for storing signing certificates, which allows local users to spoof servers by pre-creating this directory, which is reused by Nova, as demonstrated using /tmp/keystone-signing-nova on Fedora.

CVE-2013-4497 [MEDIUM] CWE-264 CVE-2013-4497: The XenAPI backend in OpenStack Compute (Nova) Folsom, Grizzly, and Havana before 2013.2 does not pr The XenAPI backend in OpenStack Compute (Nova) Folsom, Grizzly, and Havana before 2013.2 does not properly apply security groups (1) when resizing an image or (2) during live migration, which allows remote attackers to bypass intended restrictions.

CVE-2013-4179 [MEDIUM] CVE-2013-4179: The security group extension in OpenStack Compute (Nova) Grizzly 2013.1.3, Havana before havana-3, a The security group extension in OpenStack Compute (Nova) Grizzly 2013.1.3, Havana before havana-3, and earlier allows remote attackers to cause a denial of service (resource consumption and crash) via an XML Entity Expansion (XEE) attack. NOTE: this issue is due to an incomplete fix for CVE-2013-1664.