yahoo-eng-team team mailing list archive

Thread
Date

[Bug 1325128] Re: [OSSA 2014-024] nova metadata does not use a constant time compare for validating an HMAC token (CVE-2014-3517)

To: yahoo-eng-team@xxxxxxxxxxxxxxxxxxx
From: Russell Bryant <1325128@xxxxxxxxxxxxxxxxxx>
Date: Wed, 23 Jul 2014 14:53:55 -0000
Reply-to: Bug 1325128 <1325128@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx

** Changed in: nova
       Status: Fix Committed => Fix Released

** Changed in: nova
    Milestone: None => juno-2

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Compute (nova).
https://bugs.launchpad.net/bugs/1325128

Title:
  [OSSA 2014-024] nova metadata does not use a constant time compare for
  validating an HMAC token (CVE-2014-3517)

Status in OpenStack Compute (Nova):
  Fix Released
Status in OpenStack Security Advisories:
  Fix Committed

Bug description:
  Here:

  https://github.com/openstack/nova/blob/HEAD/nova/api/metadata/handler.py#L173

  a constant time comparison should be used, more information on this
  type of attack here: http://codahale.com/a-lesson-in-timing-attacks/

  An example constant time comparison in Python can be found here:
  https://github.com/django/django/blob/master/django/utils/crypto.py#L80
  or via the PyCA cryptography library:
  https://cryptography.io/en/latest/hazmat/primitives/constant-time/

To manage notifications about this bug go to:
https://bugs.launchpad.net/nova/+bug/1325128/+subscriptions