CVE-2016-9592 - OpenCVE

openshift before versions 3.3.1.11, 3.2.1.23, 3.4 is vulnerable to a flaw when a volume fails to detach, which causes the delete operation to fail with 'VolumeInUse' error. Since the delete operation is retried every 30 seconds for each volume, this could lead to a denial of service attack as the number of API requests being sent to the cloud-provider exceeds the API's rate-limit.

No CVSS v3.1

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact Low

User Interaction None

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact None

Integrity Impact None

Availability Impact Partial

AV:N/AC:L/Au:S/C:N/I:N/A:P

Vendors & Products
CPE Configurations

Vendors	Products
Redhat	Openshift

Configuration 1 [-]

OR	cpe:2.3:a:redhat:openshift:3.2.1.23::::enterprise:::
	cpe:2.3:a:redhat:openshift:3.3.1.11::::enterprise:::
	cpe:2.3:a:redhat:openshift:3.4::::enterprise:::

References

Link	Resource
http://www.securityfocus.com/bid/94991	Third Party Advisory VDB Entry
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-9592	Issue Tracking Third Party Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: redhat

Published: 2018-04-16T14:00:00

Updated: 2018-04-17T09:57:01

Reserved: 2016-11-23T00:00:00

Link: CVE-2016-9592

JSON object: View

NVD Information

Status : Modified

Published: 2018-04-16T15:29:00.233

Modified: 2023-11-07T02:37:14.450

Link: CVE-2016-9592

JSON object: View

Redhat Information

No data.

CWE

{"containers": {"cna": {"affected": [{"product": "openshift", "vendor": "unspecified", "versions": [{"status": "affected", "version": "openshift 3.3.1.11"}, {"status": "affected", "version": " openshift 3.2.1.23"}, {"status": "affected", "version": " openshift 3.4"}]}], "datePublic": "2016-12-19T00:00:00", "descriptions": [{"lang": "en", "value": "openshift before versions 3.3.1.11, 3.2.1.23, 3.4 is vulnerable to a flaw when a volume fails to detach, which causes the delete operation to fail with 'VolumeInUse' error. Since the delete operation is retried every 30 seconds for each volume, this could lead to a denial of service attack as the number of API requests being sent to the cloud-provider exceeds the API's rate-limit."}], "metrics": [{"cvssV3_0": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L", "version": "3.0"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-460", "description": "CWE-460", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2018-04-17T09:57:01", "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-9592"}, {"name": "94991", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/94991"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "secalert@redhat.com", "ID": "CVE-2016-9592", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "openshift", "version": {"version_data": [{"version_value": "openshift 3.3.1.11"}, {"version_value": " openshift 3.2.1.23"}, {"version_value": " openshift 3.4"}]}}]}, "vendor_name": ""}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "openshift before versions 3.3.1.11, 3.2.1.23, 3.4 is vulnerable to a flaw when a volume fails to detach, which causes the delete operation to fail with 'VolumeInUse' error. Since the delete operation is retried every 30 seconds for each volume, this could lead to a denial of service attack as the number of API requests being sent to the cloud-provider exceeds the API's rate-limit."}]}, "impact": {"cvss": [[{"vectorString": "4.3/CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L", "version": "3.0"}], [{"vectorString": "3.5/AV:N/AC:M/Au:S/C:N/I:N/A:P", "version": "2.0"}]]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-460"}]}]}, "references": {"reference_data": [{"name": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-9592", "refsource": "CONFIRM", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-9592"}, {"name": "94991", "refsource": "BID", "url": "http://www.securityfocus.com/bid/94991"}]}}}}, "cveMetadata": {"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "cveId": "CVE-2016-9592", "datePublished": "2018-04-16T14:00:00", "dateReserved": "2016-11-23T00:00:00", "dateUpdated": "2018-04-17T09:57:01", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:redhat:openshift:3.2.1.23:*:*:*:enterprise:*:*:*", "matchCriteriaId": "2325EB46-F017-4D89-8436-1BDB75AC4007", "vulnerable": true}, {"criteria": "cpe:2.3:a:redhat:openshift:3.3.1.11:*:*:*:enterprise:*:*:*", "matchCriteriaId": "401352A3-D572-4E6D-91DF-3CD131825BE9", "vulnerable": true}, {"criteria": "cpe:2.3:a:redhat:openshift:3.4:*:*:*:enterprise:*:*:*", "matchCriteriaId": "E1056A33-690E-4120-821F-52B9705CB84B", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "openshift before versions 3.3.1.11, 3.2.1.23, 3.4 is vulnerable to a flaw when a volume fails to detach, which causes the delete operation to fail with 'VolumeInUse' error. Since the delete operation is retried every 30 seconds for each volume, this could lead to a denial of service attack as the number of API requests being sent to the cloud-provider exceeds the API's rate-limit."}, {"lang": "es", "value": "openshift, en versiones anteriores a la 3.3.1.11, 3.2.1.23 y 3.4, es vulnerable a un error cuando un volumen fracasa a la hora de desasociarse. Esto provoca que la operaci\u00f3n de borrado falle con un error \"VolumeInUse\". Como la operaci\u00f3n de borrado se reintenta cada 30 segundos para cada volumen, esto podr\u00eda conducir a un ataque de denegaci\u00f3n de servicio (DoS), ya que el n\u00famero de peticiones API que se env\u00edan al proveedor cloud excede el l\u00edmite de tasa de la API."}], "id": "CVE-2016-9592", "lastModified": "2023-11-07T02:37:14.450", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "PARTIAL", "baseScore": 4.0, "confidentialityImpact": "NONE", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:S/C:N/I:N/A:P", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L", "version": "3.0"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L", "version": "3.0"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "secalert@redhat.com", "type": "Secondary"}]}, "published": "2018-04-16T15:29:00.233", "references": [{"source": "secalert@redhat.com", "tags": ["Third Party Advisory", "VDB Entry"], "url": "http://www.securityfocus.com/bid/94991"}, {"source": "secalert@redhat.com", "tags": ["Issue Tracking", "Third Party Advisory"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-9592"}], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-399"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-460"}], "source": "secalert@redhat.com", "type": "Secondary"}]}