Re: CVE request: nova

[Kurt Seifried <kseifried () redhat com>]

On 10/25/2011 11:11 AM, Jamie Strandboge wrote:
> A flaw was discovered in OpenStack nova[1] which allows someone with
> access to an EC2_ACCESS_KEY (equivalent to a username) to obtain the
> EC2_SECRET_KEY (equivalent to a password). While the EC2_ACCESS_KEY is
> typically not public, if the user exposes it via http or tools that
> allow MITM over https, then an attacker could obtain the EC2_SECRET_KEY
> easily. An attacker could also presumably brute force values for
> EC2_ACCESS_KEY.
>
> Fix:
> https://review.openstack.org/#change,794
>
> [1]https://launchpad.net/bugs/868360
Please use CVE-2011-4076 for this issue

-- 

-Kurt Seifried / Red Hat Security Response Team