oss-sec mailing list archives

[OSSA 2013-034] Heat CFN policy rules not all enforced (CVE-2013-6426)

From: Jeremy Stanley <jeremy () openstack org>
Date: Wed, 11 Dec 2013 15:50:58 +0000

[Apologies for the duplicate--forgot to sign the previous one.]

OpenStack Security Advisory: 2013-034
CVE: CVE-2013-6426
Date: December 11, 2013
Title: Heat CFN policy rules not all enforced
Reporter: Steven Hardy (Red Hat)
Products: Heat
Affects: All supported releases

Description:
Steven Hardy from Red Hat reported a vulnerability in Heat's default
API policy enforcement. By calling the CreateStack or UpdateStack
methods, an in-instance user may be able to create or update a stack
in violation of the default policy. Only setups using Heat's
cloudformation-compatible API are affected.

Icehouse (development branch) fix:
https://review.openstack.org/61452

Havana fix:
https://review.openstack.org/61454

Notes:
This fix will be included in the icehouse-2 development milestone
and in a future 2013.2.1 release.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6426
https://launchpad.net/bugs/1256049

-- 
Jeremy Stanley
OpenStack Vulnerability Management Team

Attachment: signature.asc
Description: Digital signature

Current thread:

[OSSA 2013-034] Heat CFN policy rules not all enforced (CVE-2013-6426) Jeremy Stanley (Dec 11)
- <Possible follow-ups>
- [OSSA 2013-034] Heat CFN policy rules not all enforced (CVE-2013-6426) Jeremy Stanley (Dec 11)