Skip to navigation Skip to main content

Utilities

  • Subscriptions
  • Downloads
  • Containers
  • Support Cases
Red Hat Customer Portal
  • Subscriptions
  • Downloads
  • Containers
  • Support Cases
  • Products & Services

    Products

    Support

    • Production Support
    • Development Support
    • Product Life Cycles

    Services

    • Consulting
    • Technical Account Management
    • Training & Certifications

    Documentation

    • Red Hat Enterprise Linux
    • Red Hat JBoss Enterprise Application Platform
    • Red Hat OpenStack Platform
    • Red Hat OpenShift Container Platform
    All Documentation

    Ecosystem Catalog

    • Red Hat Partner Ecosystem
    • Partner Resources
  • Tools

    Tools

    • Troubleshoot a product issue
    • Packages
    • Errata

    Customer Portal Labs

    • Configuration
    • Deployment
    • Security
    • Troubleshoot
    All labs

    Red Hat Insights

    Increase visibility into IT operations to detect and resolve technical issues before they impact your business.

    Learn More
    Go to Insights
  • Security

    Red Hat Product Security Center

    Engage with our Red Hat Product Security team, access security updates, and ensure your environments are not exposed to any known security vulnerabilities.

    Product Security Center

    Security Updates

    • Security Advisories
    • Red Hat CVE Database
    • Security Labs

    Keep your systems secure with Red Hat's specialized responses to security vulnerabilities.

    View Responses

    Resources

    • Security Blog
    • Security Measurement
    • Severity Ratings
    • Backporting Policies
    • Product Signing (GPG) Keys
  • Community

    Customer Portal Community

    • Discussions
    • Private Groups
    Community Activity

    Customer Events

    • Red Hat Convergence
    • Red Hat Summit

    Stories

    • Red Hat Subscription Value
    • You Asked. We Acted.
    • Open Source Communities
Or troubleshoot an issue.

Select Your Language

  • English
  • 한국어
  • 日本語
  • 中文 (中国)

Infrastructure and Management

  • Red Hat Enterprise Linux
  • Red Hat Virtualization
  • Red Hat Identity Management
  • Red Hat Directory Server
  • Red Hat Certificate System
  • Red Hat Satellite
  • Red Hat Subscription Management
  • Red Hat Update Infrastructure
  • Red Hat Insights
  • Red Hat Ansible Automation Platform

Cloud Computing

  • Red Hat OpenShift
  • Red Hat CloudForms
  • Red Hat OpenStack Platform
  • Red Hat OpenShift Container Platform
  • Red Hat OpenShift Data Science
  • Red Hat OpenShift Online
  • Red Hat OpenShift Dedicated
  • Red Hat Advanced Cluster Security for Kubernetes
  • Red Hat Advanced Cluster Management for Kubernetes
  • Red Hat Quay
  • Red Hat CodeReady Workspaces
  • Red Hat OpenShift Service on AWS

Storage

  • Red Hat Gluster Storage
  • Red Hat Hyperconverged Infrastructure
  • Red Hat Ceph Storage
  • Red Hat OpenShift Data Foundation

Runtimes

  • Red Hat Runtimes
  • Red Hat JBoss Enterprise Application Platform
  • Red Hat Data Grid
  • Red Hat JBoss Web Server
  • Red Hat Single Sign On
  • Red Hat support for Spring Boot
  • Red Hat build of Node.js
  • Red Hat build of Thorntail
  • Red Hat build of Eclipse Vert.x
  • Red Hat build of OpenJDK
  • Red Hat build of Quarkus

Integration and Automation

  • Red Hat Integration
  • Red Hat Fuse
  • Red Hat AMQ
  • Red Hat 3scale API Management
  • Red Hat JBoss Data Virtualization
  • Red Hat Process Automation
  • Red Hat Process Automation Manager
  • Red Hat Decision Manager
All Products
Red Hat Product Errata RHSA-2013:0208 - Security Advisory
Issued:
2013-01-30
Updated:
2013-01-30

RHSA-2013:0208 - Security Advisory

  • Overview
  • Updated Packages

Synopsis

Important: openstack-nova security and bug fix update

Type/Severity

Security Advisory: Important

Red Hat Insights patch analysis

Identify and remediate systems affected by this advisory.

View affected systems

Topic

Updated openstack-nova packages that fix two security issues and multiple
bugs are now available for Red Hat OpenStack Folsom.

The Red Hat Security Response Team has rated this update as having
important security impact. Common Vulnerability Scoring System (CVSS) base
scores, which give detailed severity ratings, are available for each
vulnerability from the CVE links in the References section.

Description

The openstack-nova packages provide OpenStack Compute (code name Nova), a
cloud computing fabric controller.

The openstack-nova packages have been upgraded to upstream version
2012.2.2, which provides a number of bug fixes over the previous version.

This update also fixes the following security issues:

It was found that the boot-from-volume feature in nova-volume did not
correctly validate if the user attempting to boot an image was permitted
to do so. An authenticated user could use this flaw to bypass
intended restrictions, allowing them to boot images they would otherwise
not have access to, exposing data stored in other users' images. This
issue did not affect configurations using the Cinder block storage
mechanism, which is the default in Red Hat OpenStack. (CVE-2013-0208)

When OpenStack Nova was configured to provide guest instances with libvirt
and said guests used LVM-backed ephemeral storage
("libvirt_images_type=lvm" in "/etc/nova/nova.conf"), the contents of the
physical volume were not wiped before the volume was returned to the system
for use by a different guest instance. This could lead to a new instance
being able to access files and data from a previous instance. This issue
did not affect configurations using the Cinder block storage mechanism,
which is the default in Red Hat OpenStack. (CVE-2012-5625)

Red Hat would like to thank the OpenStack project for reporting these
issues. Upstream acknowledges Phil Day as the original reporter of
CVE-2013-0208, and Eric Windisch as the original reporter of CVE-2012-5625.

All users of openstack-nova are advised to upgrade to these updated
packages, which correct these issues. After installing the updated
packages, the Nova running services will be restarted automatically.

Solution

Before applying this update, make sure all previously-released errata
relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to
use the Red Hat Network to apply this update are available at
https://access.redhat.com/knowledge/articles/11258

Affected Products

  • Red Hat OpenStack folsom x86_64

Fixes

  • BZ - 856263 - Fix libvirt auth callback to allow for use of libvirt client auth config files
  • BZ - 881810 - When Installing openstack-nova, The package python-keystone should be installed by dependency.
  • BZ - 884293 - CVE-2012-5625 OpenStack Nova: Information leak in libvirt LVM-backed instances
  • BZ - 887303 - Change default networking type to virtio
  • BZ - 902629 - CVE-2013-0208 openstack-nova: Boot from volume allows access to random volumes

CVEs

  • CVE-2012-5625
  • CVE-2013-0208

References

  • https://access.redhat.com/security/updates/classification/#important
Note: More recent versions of these packages may be available. Click a package name for more details.

Red Hat OpenStack folsom

SRPM
openstack-nova-2012.2.2-8.el6ost.src.rpm SHA-256: 1530a44154c49b0ccf9c6c5016bc7ce31d0883ff795a1866723fd1001dcdba50
x86_64
openstack-nova-2012.2.2-8.el6ost.noarch.rpm SHA-256: 4a81dd4d5b92a13fd2bd4b84ee5a2e4202e47d00e7fe3c1505d862bd87f20d81
openstack-nova-api-2012.2.2-8.el6ost.noarch.rpm SHA-256: 0bd981a2777cd6b2aec37f8f0e4357ed9020a2ce2d42b24b6208abf83aa1083e
openstack-nova-cert-2012.2.2-8.el6ost.noarch.rpm SHA-256: 2a0511f5a62be750c01e3ecaf84a3d6ed303f9e2b7977dc2bf56ed5a155a4fb9
openstack-nova-common-2012.2.2-8.el6ost.noarch.rpm SHA-256: 780431d67d125ac7ed18aebb5246d8509591f0e776d8f33b85aab31b983b1018
openstack-nova-compute-2012.2.2-8.el6ost.noarch.rpm SHA-256: 2fe1439eb354434d67bd40176d69ecb154220ee6947ea38d4142be78489f968e
openstack-nova-console-2012.2.2-8.el6ost.noarch.rpm SHA-256: f5b5b8082ac0efc2df93db1bd8e0aea5416dff13bfc297b51ff9148351ff2a15
openstack-nova-doc-2012.2.2-8.el6ost.noarch.rpm SHA-256: bc490daf0ef4c8f4b791248d7fe6ce096125dd86b51f09b19d85f2dc39428640
openstack-nova-network-2012.2.2-8.el6ost.noarch.rpm SHA-256: db7e04418b402c4f6b7332cbb91d407b5007c36f606bbc4fb0f5c67dd9a538c5
openstack-nova-objectstore-2012.2.2-8.el6ost.noarch.rpm SHA-256: 31bfae358d42f7dd3039d3d66f0a94d0c3999c5d56f025b236b10ec91095926b
openstack-nova-scheduler-2012.2.2-8.el6ost.noarch.rpm SHA-256: b1d7e8e515c3d4ae06fce6a9700fb337552651cb395375e2839788aea8db2800
openstack-nova-volume-2012.2.2-8.el6ost.noarch.rpm SHA-256: e7d89885c9658e3dde2e988b420c016bfd46aa8b43240ea35f36c0a167dc9509
python-nova-2012.2.2-8.el6ost.noarch.rpm SHA-256: c9932fc7c6f4199cb818f3eba64f5ddba8276519f17b83f91e3f9d1819a92f57

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.

Red Hat

Quick Links

  • Downloads
  • Subscriptions
  • Support Cases
  • Customer Service
  • Product Documentation

Help

  • Contact Us
  • Customer Portal FAQ
  • Log-in Assistance

Site Info

  • Trust Red Hat
  • Browser Support Policy
  • Accessibility
  • Awards and Recognition
  • Colophon

Related Sites

  • redhat.com
  • developers.redhat.com
  • connect.redhat.com
  • cloud.redhat.com

About

  • Red Hat Subscription Value
  • About Red Hat
  • Red Hat Jobs
Copyright © 2022 Red Hat, Inc.
  • Privacy Statement
  • Customer Portal Terms of Use
  • All Policies and Guidelines
Red Hat Summit
Twitter