Ubuntu 13.04 : cinder vulnerabilities (USN-2005-1)

Ubuntu Security Notice (C) 2013 Canonical, Inc. / NASL script (C) 2013 Tenable Network Security, Inc.


Synopsis :

The remote Ubuntu host is missing a security-related patch.

Description :

Rongze Zhu discovered that the Cinder LVM driver did not zero out data
when deleting snapshots. This could expose sensitive information to
authenticated users when subsequent servers use the volume.
(CVE-2013-4183)

Grant Murphy discovered that Cinder would allow XML entity processing.
A remote unauthenticated attacker could exploit this using the Cinder
API to cause a denial of service via resource exhaustion.
(CVE-2013-4179, CVE-2013-4202).

Solution :

Update the affected python-cinder package.

Risk factor :

Medium / CVSS Base Score : 4.3
(CVSS2#AV:N/AC:M/Au:N/C:N/I:N/A:P)
CVSS Temporal Score : 3.7
(CVSS2#E:ND/RL:OF/RC:C)
Public Exploit Available : true

Family: Ubuntu Local Security Checks

Nessus Plugin ID: 70584

Bugtraq ID: 61689, 61692, 61693

CVE ID: CVE-2013-4179, CVE-2013-4183, CVE-2013-4202