Source: nova
Version: 2014.1.1-7
Severity: important
Tags: security patch

Opening this bug before uploading the security fix. OpenStack pre-announce is below.

Thomas Goirand (zigo)

CVE-2014-3517 pre-announce text:

This is an advance warning of a vulnerability discovered in OpenStack, to give you, as downstream stakeholders, a chance to coordinate the release of fixes and reduce the vulnerability window. Please treat the following information as confidential until the proposed public disclosure date.

Title: Use of non-constant time comparison operation
Reporter: Alex Gaynor (Rackspace)
Products: Nova
Versions: Up to 2013.2.3, and 2014.1 to 2014.1.1

Alex Gaynor from Rackspace reported a timing attack vulnerability in Nova. By analyzing response times to requests for instance metadata, an attacker may be able to guess a valid instance ID signature. This could allow access to important configuration details of another instance. Only setups configured to proxy metadata requests via Neutron are affected.

Proposed patch:
See attached patches. Unless a flaw is discovered in them, these patches will be merged to stable/havana, stable/icehouse and master (Juno development branch) on the public disclosure date.

CVE: CVE-2014-3517

Proposed public disclosure date/time:
2014-07-16, 1500UTC
Please do not make the issue public (or release public patches) before this coordinated embargo date.

Regards,
Grant Murphy
OpenStack Vulnerability Management Team
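The kind of check the advisory title refers to, shown as an added example that is not part of the bug report and is not the attached Nova patch: a signature compared with ordinary equality next to a constant-time comparison. The HMAC-SHA256 scheme, the function names and the sample secret and instance ID are assumptions made for illustration.

```python
import hashlib
import hmac

# Constructed placeholders, not values from Nova or the advisory.
SHARED_SECRET = b"example-shared-secret"
INSTANCE_ID = "11111111-2222-3333-4444-555555555555"


def sign_instance_id(secret, instance_id):
    """Assumed scheme: hex HMAC-SHA256 of the instance ID under a shared secret."""
    return hmac.new(secret, instance_id.encode(), hashlib.sha256).hexdigest()


def verify_vulnerable(secret, instance_id, provided):
    """Ordinary string equality: may stop at the first differing character."""
    return sign_instance_id(secret, instance_id) == provided


def early_exit_steps(expected, provided):
    """Model of the equality above: characters examined before it can stop."""
    if len(expected) != len(provided):
        return 0
    steps = 0
    for a, b in zip(expected, provided):
        steps += 1
        if a != b:
            break
    return steps


def verify_hardened(secret, instance_id, provided):
    """Constant-time check: work does not depend on where the inputs differ."""
    if provided is None:  # a missing signature is a plain rejection
        return False
    expected = sign_instance_id(secret, instance_id)
    # Compare bytes so a non-ASCII value is rejected instead of raising TypeError.
    return hmac.compare_digest(expected.encode(), provided.encode())


if __name__ == "__main__":
    good = sign_instance_id(SHARED_SECRET, INSTANCE_ID)
    flip = lambda c: "0" if c != "0" else "1"
    wrong_first = flip(good[0]) + good[1:]
    wrong_last = good[:-1] + flip(good[-1])
    print(early_exit_steps(good, wrong_first), early_exit_steps(good, wrong_last))
    print(verify_hardened(SHARED_SECRET, INSTANCE_ID, wrong_last),
          verify_hardened(SHARED_SECRET, INSTANCE_ID, good))
```

The step count from `early_exit_steps` grows with the length of the matching prefix, which is the response-time signal the advisory describes; `hmac.compare_digest` removes that dependence.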

