oss-sec mailing list archives
[OSSA 2014-011] RBAC policy not properly enforced in Nova EC2 API (CVE-2014-0167)
From: Tristan Cacqueray <tristan.cacqueray () enovance com>
Date: Wed, 09 Apr 2014 20:27:54 +0200
OpenStack Security Advisory: 2014-011 CVE: CVE-2014-0167 Date: April 09, 2014 Title: RBAC policy not properly enforced in Nova EC2 API Reporter: Marc Heckmann (Ubisoft) Products: Nova Versions: from 2013.1 to 2013.2.3 Description: Marc Heckmann from Ubisoft reported a vulnerability in the Nova EC2 API security group implementation. RBAC policies are not enforced when using the EC2 API, in particular the add_rules, remove_rules and destroy methods. A restricted user may overcome his limitation by using EC2 API resulting in unauthorized action on security groups. Only setups using non-default RBAC rules for Nova may be affected. Juno (development branch) fix: https://review.openstack.org/86358 Icehouse (milestone-proposed branch) fix: https://review.openstack.org/86360 Havana fix: https://review.openstack.org/86361 Notes: This fix will be included in the icehouse-rc2 development milestone and in a future 2013.2.4 release. References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0167 https://launchpad.net/bugs/1290537 -- Tristan Cacqueray OpenStack Vulnerability Management Team
Attachment:
signature.asc
Description: OpenPGP digital signature
Current thread:
- [OSSA 2014-011] RBAC policy not properly enforced in Nova EC2 API (CVE-2014-0167) Tristan Cacqueray (Apr 09)