~ubuntu-security/ubuntu-cve-tracker/master

PublicDateAtUSN: 2014-08-07
Candidate: CVE-2014-3517
PublicDate: 2014-08-07
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3517
 http://lists.openstack.org/pipermail/openstack-announce/2014-July/000253.html
 http://www.ubuntu.com/usn/usn-2325-1
Description:
 api/metadata/handler.py in OpenStack Compute (Nova) before 2013.2.4, 2014.x
 before 2014.1.2, and Juno before Juno-2, when proxying metadata requests
 through Neutron, makes it easier for remote attackers to guess instance ID
 signatures via a brute-force attack that relies on timing differences in
 responses to instance metadata requests.
Ubuntu-Description:
Notes:
 jdstrand> per upstream, only setups configured to proxy metadata requests via
  Neutron are affected
Bugs:
 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=755042
 https://bugs.launchpad.net/nova/+bug/1325128
 https://bugs.launchpad.net/ubuntu/+source/nova/+bug/1354159 (2014.1.2)
Priority: medium
Discovered-by: Alex Gaynor
Assigned-to: jdstrand

Patches_nova:
 upstream: https://review.openstack.org/107396 (juno)
 upstream: https://review.openstack.org/#/c/107397/ (icehouse)
upstream_nova: released (2014.1.1-8,2014.1.2)
lucid_nova: DNE
precise_nova: not-affected
trusty_nova: released (1:2014.1.2-0ubuntu1)
devel_nova: not-affected (1:2014.2~b2-0ubuntu1)