Message-ID: <5345912A.6000108@enovance.com>
Date: Wed, 09 Apr 2014 20:27:54 +0200
From: Tristan Cacqueray <tristan.cacqueray@...vance.com>
To: oss-security@...ts.openwall.com
Subject: [OSSA 2014-011] RBAC policy not properly enforced in Nova EC2 API
(CVE-2014-0167)
OpenStack Security Advisory: 2014-011
CVE: CVE-2014-0167
Date: April 09, 2014
Title: RBAC policy not properly enforced in Nova EC2 API
Reporter: Marc Heckmann (Ubisoft)
Products: Nova
Versions: from 2013.1 to 2013.2.3
Description:
Marc Heckmann from Ubisoft reported a vulnerability in the Nova EC2 API
security group implementation. RBAC policies are not enforced when using
the EC2 API, in particular the add_rules, remove_rules and destroy
methods. A restricted user may overcome his limitation by using the EC2
API, resulting in unauthorized action on security groups. Only setups using
non-default RBAC rules for Nova may be affected.
Juno (development branch) fix:
https://review.openstack.org/86358
Icehouse (milestone-proposed branch) fix:
https://review.openstack.org/86360
Havana fix:
https://review.openstack.org/86361
Notes:
This fix will be included in the icehouse-rc2 development milestone and
in a future 2013.2.4 release.
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0167
https://launchpad.net/bugs/1290537
--
Tristan Cacqueray
OpenStack Vulnerability Management Team
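
One way to guard against this class of bug, added here as an illustration that is not part of the advisory and is not Nova's code: enforce policy in the layer shared by every API front-end, so an alternate entry point cannot skip the check. All class, function, rule and role names below are hypothetical, and the policy and group data are constructed.

```python
# Simplified model, not Nova source; every name, rule and role is hypothetical.
import functools
class Forbidden(Exception):
    """Caller's roles do not satisfy the policy rule."""

# Constructed non-default policy: only 'netadmin' may change security groups.
POLICY = {"security_groups:" + a: {"netadmin"}
          for a in ("add_rules", "remove_rules", "destroy")}

def enforce(action, roles):
    required = POLICY.get(action)
    # Deny by default: a missing rule is a refusal, not an allow.
    if required is None or not required & set(roles):
        raise Forbidden(action)

def policy_checked(method):
    """Enforce 'security_groups:<method name>' before the method runs."""
    @functools.wraps(method)
    def wrapper(self, roles, *args, **kwargs):
        enforce("security_groups:" + method.__name__, roles)
        return method(self, roles, *args, **kwargs)
    return wrapper

class SecurityGroupBackend:
    """Shared layer that every API front-end calls."""
    def __init__(self):
        self.groups = {"web": [("tcp", 443)]}  # constructed sample data
    @policy_checked
    def add_rules(self, roles, group, rules):
        self.groups[group].extend(rules)

    @policy_checked
    def remove_rules(self, roles, group, rules):
        self.groups[group] = [r for r in self.groups[group] if r not in rules]

    @policy_checked
    def destroy(self, roles, group):
        del self.groups[group]

def ec2_style_authorize(backend, roles, group, rule):
    # Alternate front-end with no check of its own; the backend still enforces.
    backend.add_rules(roles, group, [rule])

def allowed(call, *args):
    # True if the call passes policy, False if it is refused.
    try:
        call(*args)
        return True
    except Forbidden:
        return False
```

A regression test for a deployment with non-default rules can take the same shape: run each restricted action through every API front-end as a restricted user and assert that all of them are refused.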