Moderate severity · NVD Advisory · Published Oct 29, 2013 · Updated Apr 29, 2026
CVE-2013-4185
CVE-2013-4185
Description
Algorithmic complexity vulnerability in OpenStack Compute (Nova) before 2013.1.3 and Havana before havana-3 does not properly handle network source security group policy updates, which allows remote authenticated users to cause a denial of service (nova-network consumption) via a large number of server-creation operations, which triggers a large number of update requests.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| nova (PyPI) | < 12.0.0a0 | 12.0.0a0 |
Affected products
2
Patches
3
85aac0470435 Use cached nwinfo for secgroup rules
4 files changed · +11 −13
nova/db/sqlalchemy/api.py+2 −0 modified@@ -3658,6 +3658,8 @@ def security_group_rule_get_by_security_group(context, security_group_id): filter_by(parent_group_id=security_group_id). options(joinedload_all('grantee_group.instances.' 'system_metadata')). + options(joinedload('grantee_group.instances.' + 'info_cache')). all())
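Review bot: The added `joinedload('grantee_group.instances.info_cache')` option carries no comment saying why it is here, and the firewall change in this same commit appears to depend on it: `instance_rules` in nova/virt/firewall.py now reads each grantee instance's cached network info rather than calling the network API. If a later cleanup drops this option, that read would presumably fall back to a lazy load per instance or fail on a detached row, so a comment such as `# info_cache is eager-loaded because nova.virt.firewall builds source-group rules from it` is worth adding above the option. Note also that the query still joins every instance of every grantee group, so the result set grows with group size; the fix removes the per-instance network calls, not that growth. The same applies to the matching api.py hunks in the d4ee081c5c0a and 52ad911963da backports. The function body starts outside the hunk.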
nova/tests/virt/libvirt/test_libvirt.py+3 −1 modified@@ -4504,7 +4504,9 @@ def fake_iptables_execute(*cmd, **kwargs): from nova.network import linux_net linux_net.iptables_manager.execute = fake_iptables_execute - _fake_stub_out_get_nw_info(self.stubs, lambda *a, **kw: network_model) + from nova.compute import utils as compute_utils + self.stubs.Set(compute_utils, 'get_nw_info_for_instance', + lambda instance: network_model) network_info = network_model.legacy() self.fw.prepare_instance_filter(instance_ref, network_info)
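Review bot: Stubbing `compute_utils.get_nw_info_for_instance` with a lambda means this test never exercises the cache read that the fix introduces, and nothing here asserts that the firewall driver has stopped calling the network API, which is the behaviour the commit exists to guarantee. A regression check would stub `nova.network.API.get_instance_nw_info` to raise and build the instance records with a populated `info_cache`, so that a reintroduced RPC call fails the test. The same point applies to the xenapi test hunk and to the corresponding test hunks in the d4ee081c5c0a and 52ad911963da backports; the test body starts and ends outside the hunk.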
nova/tests/virt/xenapi/test_xenapi.py+3 −2 modified@@ -2480,8 +2480,9 @@ def test_static_filters(self): network_model = fake_network.fake_get_instance_nw_info(self.stubs, 1, spectacular=True) - fake_network.stub_out_nw_api_get_instance_nw_info(self.stubs, - lambda *a, **kw: network_model) + from nova.compute import utils as compute_utils + self.stubs.Set(compute_utils, 'get_nw_info_for_instance', + lambda instance: network_model) network_info = network_model.legacy() self.fw.prepare_instance_filter(instance_ref, network_info)
nova/virt/firewall.py+3 −10 modified@@ -19,8 +19,8 @@ from oslo.config import cfg +from nova.compute import utils as compute_utils from nova import context -from nova import network from nova.network import linux_net from nova.openstack.common.gettextutils import _ from nova.openstack.common import importutils @@ -415,16 +415,9 @@ def instance_rules(self, instance, network_info): fw_rules += [' '.join(args)] else: if rule['grantee_group']: - # FIXME(jkoelker) This needs to be ported up into - # the compute manager which already - # has access to a nw_api handle, - # and should be the only one making - # making rpc calls. - nw_api = network.API() for instance in rule['grantee_group']['instances']: - nw_info = nw_api.get_instance_nw_info( - ctxt, - instance) + nw_info = compute_utils.get_nw_info_for_instance( + instance) ips = [ip['address'] for ip in nw_info.fixed_ips()
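Review bot: The source-group rules in `instance_rules` are now built from whatever `get_nw_info_for_instance(instance)` returns out of the instance's info cache, and the hunk does nothing for the case where that cache is empty or behind the instance's real addresses. In that case `nw_info.fixed_ips()` would yield too few or outdated addresses, so a grantee could be left without its allow rule, or a released address could stay allowed until the rules are next refreshed. The helper's body is not shown on this page, so whether it tolerates a missing cache is unverified here; a comment at the call such as `# uses cached nw_info (no RPC); rules follow the cache until the next refresh` would record the trade-off. Separately, the loop variable `instance` shadows the method's `instance` parameter, so renaming it (for example `for grantee in rule['grantee_group']['instances']:`) would keep later code from picking up the wrong instance. The same applies to the firewall.py hunks in the d4ee081c5c0a and 52ad911963da backports; the method body starts and ends outside the hunk.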
d4ee081c5c0a Use cached nwinfo for secgroup rules
4 files changed · +11 −12
nova/db/sqlalchemy/api.py+2 −0 modified@@ -3649,6 +3649,8 @@ def security_group_rule_get_by_security_group(context, security_group_id, return _security_group_rule_get_query(context, session=session).\ filter_by(parent_group_id=security_group_id).\ options(joinedload_all('grantee_group.instances.instance_type')).\ + options(joinedload('grantee_group.instances.' + 'info_cache')).\ all()
nova/tests/test_libvirt.py+3 −1 modified@@ -3240,7 +3240,9 @@ def fake_iptables_execute(*cmd, **kwargs): from nova.network import linux_net linux_net.iptables_manager.execute = fake_iptables_execute - _fake_stub_out_get_nw_info(self.stubs, lambda *a, **kw: network_model) + from nova.compute import utils as compute_utils + self.stubs.Set(compute_utils, 'get_nw_info_for_instance', + lambda instance: network_model) network_info = network_model.legacy() self.fw.prepare_instance_filter(instance_ref, network_info)
nova/tests/test_xenapi.py+3 −2 modified@@ -1690,8 +1690,9 @@ def test_static_filters(self): network_model = fake_network.fake_get_instance_nw_info(self.stubs, 1, spectacular=True) - fake_network.stub_out_nw_api_get_instance_nw_info(self.stubs, - lambda *a, **kw: network_model) + from nova.compute import utils as compute_utils + self.stubs.Set(compute_utils, 'get_nw_info_for_instance', + lambda instance: network_model) network_info = network_model.legacy() self.fw.prepare_instance_filter(instance_ref, network_info)
nova/virt/firewall.py+3 −9 modified@@ -17,10 +17,10 @@ # License for the specific language governing permissions and limitations # under the License. +from nova.compute import utils as compute_utils from nova import context from nova import db from nova import flags -from nova import network from nova.network import linux_net from nova.openstack.common import cfg from nova.openstack.common import importutils @@ -405,15 +405,9 @@ def instance_rules(self, instance, network_info): fw_rules += [' '.join(args)] else: if rule['grantee_group']: - # FIXME(jkoelker) This needs to be ported up into - # the compute manager which already - # has access to a nw_api handle, - # and should be the only one making - # making rpc calls. - nw_api = network.API() for instance in rule['grantee_group']['instances']: - nw_info = nw_api.get_instance_nw_info(ctxt, - instance) + nw_info = compute_utils.get_nw_info_for_instance( + instance) ips = [ip['address'] for ip in nw_info.fixed_ips()
52ad911963da Use cached nwinfo for secgroup rules
4 files changed · +11 −16
nova/db/sqlalchemy/api.py+2 −0 modified@@ -3231,6 +3231,8 @@ def security_group_rule_get_by_security_group(context, security_group_id, filter_by(parent_group_id=security_group_id).\ options(joinedload_all('grantee_group.instances.' 'system_metadata')).\ + options(joinedload('grantee_group.instances.' + 'info_cache')).\ all()
nova/tests/test_libvirt.py+3 −1 modified@@ -3964,7 +3964,9 @@ def fake_iptables_execute(*cmd, **kwargs): from nova.network import linux_net linux_net.iptables_manager.execute = fake_iptables_execute - _fake_stub_out_get_nw_info(self.stubs, lambda *a, **kw: network_model) + from nova.compute import utils as compute_utils + self.stubs.Set(compute_utils, 'get_nw_info_for_instance', + lambda instance: network_model) network_info = network_model.legacy() self.fw.prepare_instance_filter(instance_ref, network_info)
nova/tests/test_xenapi.py+3 −2 modified@@ -2074,8 +2074,9 @@ def test_static_filters(self): network_model = fake_network.fake_get_instance_nw_info(self.stubs, 1, spectacular=True) - fake_network.stub_out_nw_api_get_instance_nw_info(self.stubs, - lambda *a, **kw: network_model) + from nova.compute import utils as compute_utils + self.stubs.Set(compute_utils, 'get_nw_info_for_instance', + lambda instance: network_model) network_info = network_model.legacy() self.fw.prepare_instance_filter(instance_ref, network_info)
nova/virt/firewall.py+3 −13 modified@@ -19,9 +19,8 @@ from oslo.config import cfg -from nova import conductor +from nova.compute import utils as compute_utils from nova import context -from nova import network from nova.network import linux_net from nova.openstack.common import importutils from nova.openstack.common import lockutils @@ -409,18 +408,9 @@ def instance_rules(self, instance, network_info): fw_rules += [' '.join(args)] else: if rule['grantee_group']: - # FIXME(jkoelker) This needs to be ported up into - # the compute manager which already - # has access to a nw_api handle, - # and should be the only one making - # making rpc calls. - nw_api = network.API() - capi = conductor.API() for instance in rule['grantee_group']['instances']: - nw_info = nw_api.get_instance_nw_info( - ctxt, - instance, - conductor_api=capi) + nw_info = compute_utils.get_nw_info_for_instance( + instance) ips = [ip['address'] for ip in nw_info.fixed_ips()
References
8
- seclists.org/oss-sec/2013/q3/282 · nvd · Patch · Third Party Advisory · WEB
- bugs.launchpad.net/nova/+bug/1184041 · nvd · Exploit · Third Party Advisory · WEB
- rhn.redhat.com/errata/RHSA-2013-1199.html · nvd · Vendor Advisory · WEB
- github.com/advisories/GHSA-ph2h-hh49-vh27 · ghsa · ADVISORY
- nvd.nist.gov/vuln/detail/CVE-2013-4185 · ghsa · ADVISORY
- github.com/openstack/nova/commit/52ad911963da4095b213952dee3a430fe0c4c30f · ghsa · WEB
- github.com/openstack/nova/commit/85aac04704350566d6b06aa7a3b99649946c672c · ghsa · WEB
- github.com/openstack/nova/commit/d4ee081c5c0a5132781235177c430ebcf72b0b0b · ghsa · WEB