openstack team mailing list archive

Thread
Date

[OSSA 2012-001] Tenant bypass by authenticated users using OpenStack API (CVE-2012-0030)

To: "openstack@xxxxxxxxxxxxxxxxxxx" <openstack@xxxxxxxxxxxxxxxxxxx>
From: Thierry Carrez <thierry@xxxxxxxxxxxxx>
Date: Wed, 11 Jan 2012 16:48:57 +0100
Organization: OpenStack
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:9.0) Gecko/20111229 Thunderbird/9.0

OpenStack Security Advisory: 2012-001
CVE: CVE-2012-0030
Date: January 11, 2012
Title: Tenant bypass by authenticated users using OpenStack API
Impact: Critical
Reporters: Nachi Ueno, Rohit Karajgi, Venkatesan Ravikumar
Products: Nova
Affects: 2011.3, Essex

Description:
Nachi Ueno (NTT PF lab), Rohit Karajgi (Vertex) and Venkatesan Ravikumar
(HP) discovered a vulnerability in Nova API nodes handling of incoming
requests. An authenticated user may craft malicious commands to affect
resources on tenants he is not a member of, potentially leading to
incorrect billing, quota escaping or compromise of computing resources
created by a third-party. Only setups allowing the OpenStack API are
affected.

Fixes:
Essex:
https://github.com/openstack/nova/commit/c9c09bd60e7a0e0258d218a31d7878755bea1395
2011.3:
https://github.com/openstack/nova/commit/3d4ffb64f1e18117240c26809788528979e3bd15

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0030
https://bugs.launchpad.net/nova/+bug/904072

Notes:
This fix will be included in the Essex-3 development milestone and in
the 2011.3.1 release, expected next week.

-- 
Thierry Carrez (ttx)
OpenStack Vulnerability Management Team