yahoo-eng-team team mailing list archive

Thread
Date

[Bug 1325128] Re: [OSSA 2014-024] nova metadata does not use a constant time compare for validating an HMAC token (CVE-2014-3517)

To: yahoo-eng-team@xxxxxxxxxxxxxxxxxxx
From: Chuck Short <chuck.short@xxxxxxxxxxxxx>
Date: Thu, 07 Aug 2014 12:38:31 -0000
Reply-to: Bug 1325128 <1325128@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx

** Also affects: nova/icehouse
   Importance: Undecided
       Status: New

** Changed in: nova/icehouse
       Status: New => Fix Committed

** Changed in: nova/icehouse
    Milestone: None => 2014.1.2

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Compute (nova).
https://bugs.launchpad.net/bugs/1325128

Title:
  [OSSA 2014-024] nova metadata does not use a constant time compare for
  validating an HMAC token (CVE-2014-3517)

Status in OpenStack Compute (Nova):
  Fix Released
Status in OpenStack Compute (nova) icehouse series:
  Fix Committed
Status in OpenStack Security Advisories:
  Fix Released

Bug description:
  Here:

  https://github.com/openstack/nova/blob/HEAD/nova/api/metadata/handler.py#L173

  a constant time comparison should be used, more information on this
  type of attack here: http://codahale.com/a-lesson-in-timing-attacks/

  An example constant time comparison in Python can be found here:
  https://github.com/django/django/blob/master/django/utils/crypto.py#L80
  or via the PyCA cryptography library:
  https://cryptography.io/en/latest/hazmat/primitives/constant-time/

To manage notifications about this bug go to:
https://bugs.launchpad.net/nova/+bug/1325128/+subscriptions