openstack team mailing list archive
-
openstack team
-
Mailing list archive
-
Message #06648
[OSSA 2012-001] Tenant bypass by authenticated users using OpenStack API (CVE-2012-0030)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
OpenStack Security Advisory: 2012-001
CVE: CVE-2012-0030
Date: January 11, 2012
Title: Tenant bypass by authenticated users using OpenStack API
Impact: Critical
Reporters: Nachi Ueno, Rohit Karajgi, Venkatesan Ravikumar
Products: Nova
Affects: 2011.3, Essex
Description:
Nachi Ueno (NTT PF lab), Rohit Karajgi (Vertex) and Venkatesan Ravikumar
(HP) discovered a vulnerability in Nova API nodes handling of incoming
requests. An authenticated user may craft malicious commands to affect
resources on tenants he is not a member of, potentially leading to
incorrect billing, quota escaping or compromise of computing resources
created by a third-party. Only setups allowing the OpenStack API are
affected.
Fixes:
Essex:
https://github.com/openstack/nova/commit/c9c09bd60e7a0e0258d218a31d7878755bea1395
2011.3:
https://github.com/openstack/nova/commit/3d4ffb64f1e18117240c26809788528979e3bd15
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0030
https://bugs.launchpad.net/nova/+bug/904072
Notes:
This fix will be included in the Essex-3 development milestone and in
the 2011.3.1 release, expected next week.
- --
Thierry Carrez (ttx)
OpenStack Vulnerability Management Team
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
iQIcBAEBCAAGBQJPDa+/AAoJEFB6+JAlsQQjNIkP/3goGsDNkgeBNQmK6UQyGwG0
eCByi4FXi4FA/3Kown/9uVnHcSxs4n/KwTcHmX0QVByQjg/RsyH4EPNlC3Bd10RO
qaMZd0uuniCidG0lIKfvCnm6X8DNqy1dpKFvI/vCjxX03ZPkHNhCIH/QGgdZ7D67
a3LcNhzkadYknd+pd5SJe3ZX5a7vFTqqD1CurRkRu5I5skvKav8bYA8KyVJ7Y7kH
D9j6BY4tmcRVj2vzxgcqD3yF0KfpZS6hcfvpjp1i8AC91NnQ1dcP1uBrunsGV/0M
2O6kfDrwPCCj6lsWssqzNIqdtqDkFwWohbwSZFlaD4qxE2AOQLbFtbmcTu0eHH2a
OmWCU0ZxPduzGmFNquzHmgzcN1fGwBB24pb1D5yAVvBKpFwmyfKNFXu0l7cw3x5F
d/d89UP9cSP7QwUxy5pCwTf4faIhwv1+OQG/JpDgohbM9rsxrLDUjsTKb/S0SspW
B5/ha9uETwKaB2N03zbNIViO1v6CgThA/OyAtqvlKEIZY0iQ8pjtMTY19y4nh35R
ExK2h2bnvj9H9sHPxSJvQcoyrhoudRxQs0GR0NlegQhosnBkAwDz2TEjG2n3y951
BHBiUkwEz9/5iQA+LQdMidHaLM6jw4WPB5afuGMuGwsfSOaZL0wAUZEPWQFRjzw7
zaWcbr5WhJpVYZqE6wcQ
=BwxG
-----END PGP SIGNATURE-----