oss-sec mailing list archives
[OSSA 2013-034] Heat CFN policy rules not all enforced (CVE-2013-6426)
From: Jeremy Stanley <jeremy () openstack org>
Date: Wed, 11 Dec 2013 15:47:36 +0000
OpenStack Security Advisory: 2013-034
CVE: CVE-2013-6426
Date: December 11, 2013
Title: Heat CFN policy rules not all enforced
Reporter: Steven Hardy (Red Hat)
Products: Heat
Affects: All supported releases

Description:
Steven Hardy from Red Hat reported a vulnerability in Heat's default API policy enforcement. By calling the CreateStack or UpdateStack methods, an in-instance user may be able to create or update a stack in violation of the default policy. Only setups using Heat's cloudformation-compatible API are affected.

Icehouse (development branch) fix:
https://review.openstack.org/61452

Havana fix:
https://review.openstack.org/61454

Notes:
This fix will be included in the icehouse-2 development milestone and in a future 2013.2.1 release.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6426
https://launchpad.net/bugs/1256049

--
Jeremy Stanley
OpenStack Vulnerability Management Team
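The advisory describes a policy map that lists some privileged actions but not CreateStack and UpdateStack, so a permissive fallback decides those calls. The following is an added illustration of that failure mode and of the two usual mitigations (enumerate the missing rules, or make the fallback fail closed). It is not Heat's code or Heat's actual policy file: the enforcer, the role name `stack_user`, and every action name other than CreateStack and UpdateStack are assumptions constructed for this example.

```python
"""Illustrative policy enforcer for the class of bug in OSSA 2013-034.

Added example, not Heat's code. Assumptions:
- a policy map from API action name to a rule over the caller's roles;
- in-instance users carry the role IN_INSTANCE_ROLE (name assumed here);
- API_ACTIONS is a constructed list of the actions the API exposes; only
  CreateStack and UpdateStack are named by the advisory.
"""
from typing import Callable, Dict, Iterable, Set

Rule = Callable[[Set[str]], bool]

IN_INSTANCE_ROLE = "stack_user"  # assumed role name for in-instance credentials


def deny_in_instance(roles: Set[str]) -> bool:
    """Allow any caller except one holding the in-instance role."""
    return IN_INSTANCE_ROLE not in roles


def allow_all(roles: Set[str]) -> bool:
    return True


def deny_all(roles: Set[str]) -> bool:
    return False


# Constructed list of CFN-style actions the API accepts (illustrative).
API_ACTIONS = (
    "cloudformation:CreateStack",
    "cloudformation:UpdateStack",
    "cloudformation:DeleteStack",
    "cloudformation:DescribeStackResource",
)

# Policy with a gap: CreateStack/UpdateStack have no rule, so whatever the
# fallback rule says decides them. This mirrors the advisory's failure mode.
GAPPY_RULES: Dict[str, Rule] = {
    "cloudformation:DeleteStack": deny_in_instance,
    "cloudformation:DescribeStackResource": allow_all,
}

# Mitigation 1: every privileged action gets an explicit rule.
FIXED_RULES: Dict[str, Rule] = {
    **GAPPY_RULES,
    "cloudformation:CreateStack": deny_in_instance,
    "cloudformation:UpdateStack": deny_in_instance,
}


def enforce(rules: Dict[str, Rule], default: Rule,
            action: str, roles: Iterable[str]) -> bool:
    """True if callers with `roles` may perform `action`.

    Actions absent from `rules` are decided by `default`; a permissive
    default is exactly what turns a missing rule into a privilege gap.
    """
    return rules.get(action, default)(set(roles))


def unguarded_actions(rules: Dict[str, Rule],
                      actions: Iterable[str] = API_ACTIONS) -> Set[str]:
    """Audit helper: exposed actions that have no explicit policy rule."""
    return {a for a in actions if a not in rules}


if __name__ == "__main__":
    in_instance = {IN_INSTANCE_ROLE}
    # Bug: permissive fallback lets the in-instance caller create a stack.
    print(enforce(GAPPY_RULES, allow_all, "cloudformation:CreateStack", in_instance))  # True
    # Mitigation 1: rule added for the missing action.
    print(enforce(FIXED_RULES, allow_all, "cloudformation:CreateStack", in_instance))  # False
    # Mitigation 2: fallback fails closed, so gaps deny instead of allow.
    print(enforce(GAPPY_RULES, deny_all, "cloudformation:UpdateStack", in_instance))  # False
    # Audit: which exposed actions the gappy policy never mentions.
    print(sorted(unguarded_actions(GAPPY_RULES)))
```

The audit helper is the check worth running against a real deployment's policy file: diff the set of actions the API dispatches against the set the policy names, and treat any difference as a finding, because with a permissive default each missing entry is silently allowed.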