oss-sec mailing list archives
Re: CVE request: nova
From: Kurt Seifried <kseifried () redhat com>
Date: Tue, 25 Oct 2011 14:27:56 -0600
On 10/25/2011 11:11 AM, Jamie Strandboge wrote:
A flaw was discovered in OpenStack nova[1] which allows someone with access to an EC2_ACCESS_KEY (equivalent to a username) to obtain the EC2_SECRET_KEY (equivalent to a password). While the EC2_ACCESS_KEY is typically not public, if the user exposes it via http or tools that allow MITM over https, then an attacker could obtain the EC2_SECRET_KEY easily. An attacker could also presumably brute force values for EC2_ACCESS_KEY.

Fix: https://review.openstack.org/#change,794

[1] https://launchpad.net/bugs/868360

Please use CVE-2011-4076 for this issue

--
-Kurt Seifried / Red Hat Security Response Team