RHEL 6 : openstack-nova (RHSA-2014:0366)

high Nessus Plugin ID 234411

Synopsis

The remote Red Hat host is missing one or more security updates for openstack-nova.

Description

The remote Red Hat Enterprise Linux 6 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2014:0366 advisory.

OpenStack Compute (nova) launches and schedules large networks of virtual machines, creating a redundant and scalable cloud computing platform. Compute provides the software, control panels, and APIs required to orchestrate a cloud, including running virtual machine instances, managing networks, and controlling access through users and projects.

A flaw was found in the way the libvirt driver handled short-lived disk back-up files on Compute nodes. An authenticated attacker could use this flaw to create a large number of such files, exhausting all available space on Compute node disks, and potentially causing a denial of service. Note that only Compute setups using the libvirt driver were affected. (CVE-2013-7048)

It was discovered that the libvirt driver did not properly handle live migration of virtual machines. An authenticated attacker could use this flaw to gain access to a snapshot of a migrated virtual machine. Note that only setups using KVM live block migration were affected. (CVE-2013-7130)

It was found that OpenStack Compute did not properly reapply existing security groups after migrating or resizing a virtual machine. This could cause virtual machine instances to be unintentionally exposed on the network. Note that only setups using the XenAPI back end were affected. (CVE-2013-4497)

Red Hat would like to thank the OpenStack Project for reporting CVE-2013-7130. Upstream acknowledges Loganathan Parthipan as the original reporter of CVE-2013-7130.

This update also fixes the following bug:

* Prior to this update, the cache mechanism did not consider existing network interfaces when building the network list. After any change in the network interfaces, only the interface modified last was shown when listing or getting the details of an instance. With this update, the cache mechanism considers all existing instances when it is being refreshed. (BZ#1038239)

All openstack-nova users are advised to upgrade to these updated packages, which correct these issues.

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Solution

Update the RHEL openstack-nova package based on the guidance in RHSA-2014:0366.

See Also

https://access.redhat.com/security/updates/classification/#moderate

https://bugzilla.redhat.com/show_bug.cgi?id=1026171

https://bugzilla.redhat.com/show_bug.cgi?id=1038239

https://bugzilla.redhat.com/show_bug.cgi?id=1040786

https://bugzilla.redhat.com/show_bug.cgi?id=1055400

http://www.nessus.org/u?75731213

https://access.redhat.com/errata/RHSA-2014:0366

Plugin Details

Severity: High

ID: 234411

File Name: redhat-RHSA-2014-0366.nasl

Version: 1.1

Type: local

Agent: unix

Published: 4/15/2025

Updated: 4/15/2025

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 5.5

Vendor

Vendor Severity: Moderate

CVSS v2

Risk Factor: High

Base Score: 7.1

Temporal Score: 5.6

Vector: CVSS2#AV:N/AC:M/Au:N/C:C/I:N/A:N

CVSS Score Source: CVE-2013-7130

CVSS v3

Risk Factor: High

Base Score: 7.5

Temporal Score: 6.7

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

CVSS v4

Risk Factor: High

Base Score: 8.7

Threat Score: 7.7

Threat Vector: CVSS:4.0/E:P

Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Vulnerability Information

CPE: p-cpe:/a:redhat:enterprise_linux:openstack-nova-common, p-cpe:/a:redhat:enterprise_linux:openstack-nova-compute, p-cpe:/a:redhat:enterprise_linux:openstack-nova-cells, cpe:/o:redhat:enterprise_linux:6, p-cpe:/a:redhat:enterprise_linux:openstack-nova-scheduler, p-cpe:/a:redhat:enterprise_linux:openstack-nova-objectstore, p-cpe:/a:redhat:enterprise_linux:openstack-nova, p-cpe:/a:redhat:enterprise_linux:openstack-nova-network, p-cpe:/a:redhat:enterprise_linux:python-nova, p-cpe:/a:redhat:enterprise_linux:openstack-nova-conductor, p-cpe:/a:redhat:enterprise_linux:openstack-nova-api, p-cpe:/a:redhat:enterprise_linux:openstack-nova-console, p-cpe:/a:redhat:enterprise_linux:openstack-nova-cert, p-cpe:/a:redhat:enterprise_linux:openstack-nova-doc

Required KB Items: Host/local_checks_enabled, Host/RedHat/release, Host/RedHat/rpm-list, Host/cpu

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 4/3/2014

Vulnerability Publication Date: 9/18/2013

Reference Information

CVE: CVE-2013-4497, CVE-2013-7048, CVE-2013-7130

RHSA: 2014:0366