
openstack team mailing list archive

[OSSA 2012-007] Security groups fail to be set correctly (CVE-2012-2654)
OpenStack Security Advisory: 2012-007
CVE: 2012-2654
Date: June 6, 2012
Title: Security groups fail to be set correctly
Impact: Medium
Reporter: HP Cloud Services hpcs.security@xxxxxx
Products: Nova
Affects: All versions

HP Cloud Services reported a vulnerability in Nova API handling. When a
security group is created via the EC2 or OS APIs using a protocol name
in the wrong case (i.e. 'TCP' rather than 'tcp'), a later string
comparison fails. This leads to security groups not being set
correctly. Once the Nova DB has been polluted with the incorrect case,
any subsequent modifications to the security group will also fail.

Database considerations:
The fix will make Nova resilient to any protocol case inconsistencies
that may be in the Nova DB. Users may want to consider sanitizing their
database by forcing all protocol entries to lower case, hardening their
DB against any failures of future code that may expect the data to be
lower case.
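As an added illustration (not Nova's code or the actual fix), the following Python models the failing exact-match comparison beside a case-insensitive one, and the one-off lower-casing pass over existing rows that the database note suggests; the rule dicts, function names and the three-protocol whitelist are assumptions.

```python
"""Added example: a case-sensitive protocol comparison drops security
group rules, and two defensive measures: canonicalize on input, and
tolerate mixed case when reading rows already stored (polluted DB).
Rules are plain dicts standing in for Nova DB rows (assumption)."""

VALID_PROTOCOLS = ("tcp", "udp", "icmp")  # assumed whitelist


def normalize_protocol(proto):
    """Canonicalize a user-supplied protocol name ('TCP' -> 'tcp')."""
    if proto is None:
        return None
    proto = proto.strip().lower()
    if proto not in VALID_PROTOCOLS:
        raise ValueError("unsupported ip_protocol: %r" % proto)
    return proto


def rule_matches_naive(rule, proto, from_port, to_port):
    """The failure mode described in the advisory: exact string match,
    so a row stored as 'TCP' never matches a request for 'tcp'."""
    return (rule["protocol"] == proto
            and rule["from_port"] == from_port
            and rule["to_port"] == to_port)


def rule_matches(rule, proto, from_port, to_port):
    """Resilient comparison: both sides are canonicalized, so rows that
    were stored with the wrong case still match."""
    return (normalize_protocol(rule["protocol"]) == normalize_protocol(proto)
            and rule["from_port"] == from_port
            and rule["to_port"] == to_port)


def sanitize_rules(rules):
    """One-off cleanup of existing rows: force protocol to lower case.
    Mutates the rows in place and returns how many were changed."""
    changed = 0
    for rule in rules:
        fixed = normalize_protocol(rule["protocol"])
        if fixed != rule["protocol"]:
            rule["protocol"] = fixed
            changed += 1
    return changed


# Constructed sample rows: the first was stored with the wrong case.
SAMPLE_RULES = [
    {"protocol": "TCP", "from_port": 22, "to_port": 22},
    {"protocol": "udp", "from_port": 53, "to_port": 53},
]
```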

  Diablo: https://review.openstack.org/#/c/8239/

This fix will be included in the folsom-2 development milestone and in
future Essex and Diablo releases.

Russell Bryant
OpenStack Vulnerability Management Team
