CVE-2013-4469 — OpenStack Compute (Nova) Denial of service due to improper validation of virtual

Description

OpenStack Compute (Nova) Folsom, Grizzly, and Havana, when use_cow_images is set to False, does not verify the virtual size of a QCOW2 image, which allows local users to cause a denial of service (host file system disk consumption) by transferring an image with a large virtual size that does not contain a large amount of data from Glance. NOTE: this issue is due to an incomplete fix for CVE-2013-2096.

How to fix CVE-2013-4469

To remediate CVE-2013-4469, upgrade the affected package to a fixed version below.

—upgrade to 2013.2-3 or later
—upgrade to 12.0.0a0 or later

Is CVE-2013-4469 being exploited?

Low — EPSS is 0.1%, meaning exploitation activity has not been observed at scale.

Affected packages (2)

from 0, < 2013.2-3
from 0, < 12.0.0a0

References (9)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2013-4469
ADVISORYsecurity-tracker.debian.org/tracker/CVE-2013-4469
PATCHgithub.com/openstack/nova
WEBbugs.launchpad.net/nova/+bug/1206081
WEB