Ubuntu Security Notice 2407-1 - Garth Mollett discovered that OpenStack Nova did not properly clean up an instance when using rescue mode with the VMware driver. A remote authenticated user could exploit this to bypass intended quota limits. By default, Ubuntu does not use the VMware driver. Amrith Kumar discovered that OpenStack Nova did not properly sanitize log message contents. Under certain circumstances, a local attacker with read access to Nova log files could obtain access to sensitive information. Various other issues were also addressed.
============================================================================
Ubuntu Security Notice USN-2407-1
November 11, 2014
nova vulnerabilities
============================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 14.04 LTS
Summary:
OpenStack Nova could be made to expose sensitive information.
Software Description:
- nova: OpenStack Compute cloud infrastructure
Details:
Garth Mollett discovered that OpenStack Nova did not properly clean up an
instance when using rescue mode with the VMware driver. A remote
authenticated user could exploit this to bypass intended quota limits. By
default, Ubuntu does not use the VMware driver. (CVE-2014-3608)
Amrith Kumar discovered that OpenStack Nova did not properly sanitize log
message contents. Under certain circumstances, a local attacker with read
access to Nova log files could obtain access to sensitive information.
(CVE-2014-7230)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 14.04 LTS:
python-nova 1:2014.1.3-0ubuntu1.1
In general, a standard system update will make all the necessary changes.
References:
https://www.ubuntu.com/usn/usn-2407-1
CVE-2014-3608, CVE-2014-7230
Package Information:
https://launchpad.net/ubuntu/+source/nova/1:2014.1.3-0ubuntu1.1