OpenStack Compute Nova API Security Group Vulnerability in 2013.1 and Icehouse
CVE-2014-0167

Currently unrated

Key Information:

Vendor: Openstack
Status: Compute; Icehouse
Vendor: CVE Published:; 15 April 2014

Summary

The Nova EC2 API within OpenStack Compute does not adequately implement role-based access control (RBAC) policies for several critical operations, such as adding or removing rules and destruction of resources. This lack of enforcement means that remote authenticated users can exploit these weaknesses to gain unauthorized privileges through specific API requests, potentially leading to broader security risks within affected environments.

References

http://www.openwall.com/lists/oss-security/2014/04/09/26

mailing-listx_refsource_MLIST

https://launchpad.net/bugs/1290537

x_refsource_CONFIRM

http://www.ubuntu.com/usn/USN-2247-1

vendor-advisoryx_refsource_UBUNTU

Timeline

Vulnerability published
Apr 15, 2014
Vulnerability Reserved
Dec 3, 2013