
openstack team mailing list archive

Re: [OSSA 2012-007] Security groups fail to be set correctly (CVE-2012-2654)


Greetings,

A regression was discovered in the patch that was committed to resolve
this security issue.  See this bug for the regression:

https://bugs.launchpad.net/nova/+bug/1010514

Please see the following links for the fixes:

Folsom:
https://github.com/openstack/nova/commit/bbdf82c5ec3e31a5dc43948291c4f37ce1098714
Essex:
https://github.com/openstack/nova/commit/3ee026e4252cd4140b50675e857695b195ab5065
Diablo: https://review.openstack.org/#/c/8239/

Thanks,

-- 
Russell Bryant
OpenStack Vulnerability Management Team

On 06/06/2012 03:47 PM, Russell Bryant wrote:
> OpenStack Security Advisory: 2012-007
> CVE: 2012-2654
> Date: June 6, 2012
> Title: Security groups fail to be set correctly
> Impact: Medium
> Reporter: HP Cloud Services hpcs.security@xxxxxx
> Products: Nova
> Affects: All versions
> 
> Description:
> HP Cloud Services reported a vulnerability in Nova API handling. When a
> security group is created via the EC2 or OS APIs that uses a protocol
> defined in the incorrect case, i.e. 'TCP' rather than 'tcp', it causes a
> later string comparison to fail. This leads to Security Groups not being
> set correctly. Once the Nova DB has been polluted with the incorrect
> case any subsequent modifications to the security group will also fail.
> 
> Database considerations:
> The fix will make Nova resilient to any protocol case inconsistencies
> that may be in the Nova DB. Users may want to consider sanitizing their
> database by forcing all protocol entries to lower case, hardening their
> DB against any failures of future code that may expect the data to be
> lower case.
> 
> Fixes:
> Folsom:
> https://github.com/openstack/nova/commit/ff06c7c885dc94ed7c828e8cdbb8b5d850a7e654
> Essex:
> https://github.com/openstack/nova/commit/9f9e9da777161426a6f8cb4314b78e09beac2978
> Diablo: https://review.openstack.org/#/c/8239/
> 
> Notes:
> This fix will be included in the folsom-2 development milestone and in
> future essex and diablo releases.
> 
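An added illustration of the failure the advisory describes, not Nova's own code: a constructed rules table with one mixed-case row, the exact-string lookup that misses it, and the three defensive measures the advisory recommends (normalise the protocol on write, compare case-insensitively on read, and sanitise rows already in the table). Names such as `find_rule`, `polluted_rows` and `sanitize_rows` are invented for this example.

```python
VALID_PROTOCOLS = {"tcp", "udp", "icmp"}

# Constructed sample of rows as they might sit in a polluted rules table:
# row 2 was written as 'TCP' before any case normalisation was enforced.
SAMPLE_ROWS = [
    {"id": 1, "protocol": "tcp", "from_port": 22, "to_port": 22, "cidr": "10.0.0.0/8"},
    {"id": 2, "protocol": "TCP", "from_port": 80, "to_port": 80, "cidr": "0.0.0.0/0"},
    {"id": 3, "protocol": "udp", "from_port": 53, "to_port": 53, "cidr": "0.0.0.0/0"},
]

def rule_matches_naive(row, protocol, from_port, to_port, cidr):
    """Pre-fix behaviour: exact string compare, so 'TCP' never equals 'tcp'."""
    return (row["protocol"] == protocol and row["from_port"] == from_port
            and row["to_port"] == to_port and row["cidr"] == cidr)

def normalize_protocol(protocol):
    """On write: fold case and reject unknown values before they reach the DB."""
    proto = protocol.strip().lower()
    if proto not in VALID_PROTOCOLS:
        raise ValueError("unsupported protocol: %r" % protocol)
    return proto

def rule_matches(row, protocol, from_port, to_port, cidr):
    """Post-fix behaviour: tolerate whatever case is already stored in the row."""
    return (row["protocol"].lower() == normalize_protocol(protocol)
            and row["from_port"] == from_port
            and row["to_port"] == to_port and row["cidr"] == cidr)

def find_rule(rows, protocol, from_port, to_port, cidr, matcher=rule_matches):
    """Return the id of the matching rule, or None (the lookup a revoke depends on)."""
    for row in rows:
        if matcher(row, protocol, from_port, to_port, cidr):
            return row["id"]
    return None

def polluted_rows(rows):
    """Audit helper: ids of rows whose stored protocol is not already lower case."""
    return [r["id"] for r in rows if r["protocol"] != r["protocol"].lower()]

def sanitize_rows(rows):
    """Rewrite stored protocols to lower case in place; returns how many changed."""
    changed = 0
    for r in rows:
        lowered = r["protocol"].lower()
        if lowered != r["protocol"]:
            r["protocol"] = lowered
            changed += 1
    return changed
```

Against a real deployment the same audit is a query for rows where the protocol column differs from its lower-cased form, run before and after the sanitisation the advisory suggests.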