openstack team mailing list archive
-
openstack team
-
Mailing list archive
-
Message #12883
[OSSA 2012-007] Security groups fail to be set correctly (CVE-2012-2654)
OpenStack Security Advisory: 2012-007
CVE: 2012-2654
Date: June 6, 2012
Title: Security groups fail to be set correctly
Impact: Medium
Reporter: HP Cloud Services hpcs.security@xxxxxx
Products: Nova
Affects: All versions
Description:
HP Cloud Services reported a vulnerability in Nova API handling. When a
security group is created via the EC2 or OS API's that uses a protocol
defined in the incorrect case i.e 'TCP' rather than 'tcp' it causes a
later string comparison to fail. This leads to Security Groups not being
set correctly. Once the Nova DB has been polluted with the incorrect
case any subsequent modifications to the security group will also fail.
Database considerations:
The fix will make Nova resilient to any protocol case inconsistencies
that may be in the Nova DB. Users may want to consider sanitizing their
database by forcing all protocol entries to lower case, hardening their
DB against any failures of future code that may expect the data to be
lower case.
Fixes:
Folsom:
https://github.com/openstack/nova/commit/ff06c7c885dc94ed7c828e8cdbb8b5d850a7e654
Essex:
https://github.com/openstack/nova/commit/9f9e9da777161426a6f8cb4314b78e09beac2978
Diablo: https://review.openstack.org/#/c/8239/
Notes:
This fix will be included in the folsom-2 development milestone and in
future essex and diablo releases.
--
Russell Bryant
OpenStack Vulnerability Management Team
Follow ups