date: 2013-11-14

id: OSSA-2013-030

title: 'XenAPI security groups not kept through migrate or resize'

description: 'Chris Behrens with Rackspace and Vangelis Tasoulas reported a set of
  vulnerabilities in OpenStack Nova''s XenAPI hypervisor backend. When migrating or
  resizing an instance, including live migration, existing security groups may not
  be reapplied after the operation completes. This can lead to unintentional network
  exposure for virtual machines. Only setups using the XenAPI backend are affected.'

reference: http://lists.openstack.org/pipermail/openstack-announce/2013-November/000161.html

affected-products:

  - product: nova
    version: All supported versions prior to Havana

vulnerabilities:

  - cve-id: CVE-2013-4497
    impact-assessment:
      source: 'Red Hat Product Security'
      rating: low
      assessment:
        type: CVSS2
        score: 3.6
        detail: AV:N/AC:H/Au:S/C:P/I:P/A:N
    classification:
      source: 'Red Hat Product Security'
      type: CWE
      detail: TODO

reporters:

  - name: 'Chris Behrens'
    affiliation: Rackspace
    reported:
      - CVE-2013-4497

  - name: 'Vangelis Tasoulas'
    affiliation: UNKNOWN
    reported:
      - CVE-2013-4497

issues:

  links:
    - https://launchpad.net/bugs/1073306
    - https://launchpad.net/bugs/1202266

  type: launchpad

reviews:

  grizzly:
    - https://review.openstack.org/#/c/52987
    - https://review.openstack.org/#/c/52989

  type: gerrit