openstack team mailing list archive
Message #13068
Re: [OSSA 2012-007] Security groups fail to be set correctly (CVE-2012-2654)
Greetings,
A regression was discovered in the patch that was committed to resolve
this security issue. See this bug for the regression:
https://bugs.launchpad.net/nova/+bug/1010514
Please see the following links for the fixes:
Folsom:
https://github.com/openstack/nova/commit/bbdf82c5ec3e31a5dc43948291c4f37ce1098714
Essex:
https://github.com/openstack/nova/commit/3ee026e4252cd4140b50675e857695b195ab5065
Diablo: https://review.openstack.org/#/c/8239/
Thanks,
--
Russell Bryant
OpenStack Vulnerability Management Team
On 06/06/2012 03:47 PM, Russell Bryant wrote:
> OpenStack Security Advisory: 2012-007
> CVE: 2012-2654
> Date: June 6, 2012
> Title: Security groups fail to be set correctly
> Impact: Medium
> Reporter: HP Cloud Services hpcs.security@xxxxxx
> Products: Nova
> Affects: All versions
>
> Description:
> HP Cloud Services reported a vulnerability in Nova API handling. When a
> security group is created via the EC2 or OS APIs that uses a protocol
> defined in the incorrect case, i.e. 'TCP' rather than 'tcp', it causes a
> later string comparison to fail. This leads to Security Groups not being
> set correctly. Once the Nova DB has been polluted with the incorrect
> case any subsequent modifications to the security group will also fail.
>
> Database considerations:
> The fix will make Nova resilient to any protocol case inconsistencies
> that may be in the Nova DB. Users may want to consider sanitizing their
> database by forcing all protocol entries to lower case, hardening their
> DB against any failures of future code that may expect the data to be
> lower case.
>
> Fixes:
> Folsom:
> https://github.com/openstack/nova/commit/ff06c7c885dc94ed7c828e8cdbb8b5d850a7e654
> Essex:
> https://github.com/openstack/nova/commit/9f9e9da777161426a6f8cb4314b78e09beac2978
> Diablo: https://review.openstack.org/#/c/8239/
>
> Notes:
> This fix will be included in the folsom-2 development milestone and in
> future essex and diablo releases.
>
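A small added illustration, not Nova's own code, of the failure mode the advisory describes (a case-sensitive protocol comparison silently dropping rules) next to the hardened shape the fix implies: normalize protocol names at the API boundary and tolerate mixed case already sitting in the DB. The rule rows, field names and SUPPORTED_PROTOCOLS list are constructed assumptions.

```python
# Constructed sample of rule rows as they might sit in a "polluted" DB,
# i.e. mixed-case protocol values accepted before the fix.
RULES_IN_DB = [
    {"protocol": "TCP", "from_port": 22, "to_port": 22, "cidr": "10.0.0.0/8"},
    {"protocol": "tcp", "from_port": 80, "to_port": 80, "cidr": "0.0.0.0/0"},
    {"protocol": "UDP", "from_port": 53, "to_port": 53, "cidr": "0.0.0.0/0"},
]

# Assumed set of protocols the firewall driver knows how to program.
SUPPORTED_PROTOCOLS = ("tcp", "udp", "icmp")


def rules_applied_vulnerable(rules):
    """Pre-fix behaviour: an exact, case-sensitive comparison, so a stored
    'TCP' never matches 'tcp' and that rule is silently not applied."""
    applied = []
    for rule in rules:
        for proto in SUPPORTED_PROTOCOLS:
            if rule["protocol"] == proto:
                applied.append((proto, rule["from_port"], rule["to_port"], rule["cidr"]))
    return applied


def normalize_protocol(protocol):
    """Canonicalize an API-supplied protocol name; reject unknown values
    instead of storing something later code cannot match."""
    proto = protocol.strip().lower()
    if proto not in SUPPORTED_PROTOCOLS:
        raise ValueError("unsupported ip protocol: %r" % protocol)
    return proto


def rules_applied_hardened(rules):
    """Post-fix behaviour: normalize on read as well, so rows that already
    carry the wrong case still produce the intended firewall rule."""
    applied = []
    for rule in rules:
        proto = normalize_protocol(rule["protocol"])
        applied.append((proto, rule["from_port"], rule["to_port"], rule["cidr"]))
    return applied


def sanitize_db(rules):
    """The one-off cleanup the advisory suggests: force every stored
    protocol to lower case so future code that assumes lower case keeps
    working. Returns new rows; the originals are left untouched."""
    return [dict(rule, protocol=normalize_protocol(rule["protocol"])) for rule in rules]
```

With the constructed rows, the vulnerable path applies only the port 80 rule, while the hardened path and the sanitized DB yield all three.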