[VIM] CVE-2013-6419 / OpenStack Nova & Neutron - interaction error

Christey, Steven M. coley at mitre.org
Thu Jan 2 14:15:02 CST 2014

http://www.openwall.com/lists/oss-security/2013/12/11/8 / OSSA 2013-033

The initial description of the issue can be somewhat confusing because it seems to cover multiple products.  For CVE, we investigated whether there was a shared-codebase issue (one ID) or not (two IDs).  With coordination help from Kurt Seifried, we received the following quote from Jeremy Stanley of upstream OpenStack:

"The vulnerability was in the way those two components were
designed to interact, so to patch it we had to make changes to both
ends of the faulty communication channel to support the new
mechanism. The litmus test for whether this is two vulnerabilities
is that you're not vulnerable when running the components
individually--only if you run them together."

At least for us, we may characterize this as an "interaction error" as opposed to the same error existing in multiple products, as implied by some vuln sources.

- Steve

