CVE-2013-4185 — OpenStack Nova Denial of Service in network source security groups

Description

Algorithmic complexity vulnerability in OpenStack Compute (Nova) before 2013.1.3 and Havana before havana-3 does not properly handle network source security group policy updates, which allows remote authenticated users to cause a denial of service (nova-network consumption) via a large number of server-creation operations, which triggers a large number of update requests.

How to fix CVE-2013-4185

To remediate CVE-2013-4185, upgrade the affected package to a fixed version below.

Debian/nova—upgrade to 2013.1.2-3 or later
—upgrade to 12.0.0a0 or later

Is CVE-2013-4185 being exploited?

Low — EPSS is 0.6%, meaning exploitation activity has not been observed at scale.

Affected packages (2)

from 0, < 2013.1.2-3
from 0, < 12.0.0a0

References (9)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2013-4185
ADVISORYsecurity-tracker.debian.org/tracker/CVE-2013-4185
PATCHgithub.com/openstack/nova
WEBgithub.com/openstack/nova/commit/52ad911963da4095b213952dee3a430fe0c4c30f