CVE-2014-3608 — OpenStack Compute (Nova)'s VMWare driver vulnerable to denial of service

Description

The VMWare driver in OpenStack Compute (Nova) before 2014.1.3 allows remote authenticated users to bypass the quota limit and cause a denial of service (resource consumption) by putting the VM into the rescue state, suspending it, which puts into an ERROR state, and then deleting the image. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-2573.

How to fix CVE-2014-3608

To remediate CVE-2014-3608, upgrade the affected package to a fixed version below.

Debian/nova—upgrade to 2014.1.3-1 or later
—upgrade to 2014.1.3 or later

Is CVE-2014-3608 being exploited?

Low — EPSS is 0.7%, meaning exploitation activity has not been observed at scale.

Affected packages (2)

from 0, < 2014.1.3-1
from 0, < 2014.1.3

References (13)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2014-3608
ADVISORYsecurity-tracker.debian.org/tracker/CVE-2014-3608
PATCHopendev.org/openstack/nova
WEBrhn.redhat.com/errata/RHSA-2014-1781.html
WEBrhn.redhat.com