yahoo-eng-team team mailing list archive
Message #21904
[Bug 1325128] Re: [OSSA 2014-024] nova metadata does not use a constant time compare for validating an HMAC token (CVE-2014-3517)
** Also affects: nova/havana
Importance: Undecided
Status: New
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Compute (nova).
https://bugs.launchpad.net/bugs/1325128
Title:
[OSSA 2014-024] nova metadata does not use a constant time compare for
validating an HMAC token (CVE-2014-3517)
Status in OpenStack Compute (Nova):
Fix Released
Status in OpenStack Compute (nova) havana series:
New
Status in OpenStack Compute (nova) icehouse series:
Fix Released
Status in OpenStack Security Advisories:
Fix Released
Bug description:
Here:
https://github.com/openstack/nova/blob/HEAD/nova/api/metadata/handler.py#L173
a constant time comparison should be used. More information on this
type of attack is here: http://codahale.com/a-lesson-in-timing-attacks/
An example constant time comparison in Python can be found here:
https://github.com/django/django/blob/master/django/utils/crypto.py#L80
or via the PyCA cryptography library:
https://cryptography.io/en/latest/hazmat/primitives/constant-time/
To manage notifications about this bug go to:
https://bugs.launchpad.net/nova/+bug/1325128/+subscriptions
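The change the report asks for, as an added example that is not nova's code and not part of the original message: an early-exit HMAC tag comparison next to a constant-time check built on the standard library's `hmac.compare_digest`, plus a manual version of the same technique. The secret, instance ID and all function names are constructed for illustration.

```python
import hashlib
import hmac

# Constructed sample values, not taken from any deployment.
SHARED_SECRET = b"example-shared-secret"
INSTANCE_ID = b"11111111-2222-3333-4444-555555555555"


def sign(secret: bytes, message: bytes) -> str:
    """Hex HMAC-SHA256 tag the verifier expects for this message."""
    return hmac.new(secret, message, hashlib.sha256).hexdigest()


def verify_early_exit(secret: bytes, message: bytes, presented: str) -> bool:
    """Flawed pattern: == on strings stops at the first differing character,
    so run time depends on how much of the presented tag is correct."""
    return sign(secret, message) == presented


def constant_time_equal(a: bytes, b: bytes) -> bool:
    """Manual form of the technique: visit every byte pair and OR the XORs
    together, so no branch depends on where a mismatch occurs."""
    if len(a) != len(b):
        return False  # tag length is fixed by the hash, so it is not secret
    diff = 0
    for x, y in zip(a, b):
        diff |= x ^ y
    return diff == 0


def verify_constant_time(secret: bytes, message: bytes, presented) -> bool:
    """Hardened check: hmac.compare_digest does not short-circuit on the
    first mismatch."""
    if not isinstance(presented, str) or not presented.isascii():
        return False  # compare_digest raises TypeError on non-ASCII str
    return hmac.compare_digest(sign(secret, message), presented)
```

Both verifiers return the same boolean for every input; only the timing behaviour of the comparison differs, which is why the flaw does not show up in functional tests.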