Date: Thu, 17 Jul 2014 18:36:47 +1000 From: Grant Murphy <gmurphy@...hat.com> To: oss-security@...ts.openwall.com Subject: [OSSA 2014-024] Use of non-constant time comparison operation (CVE-2014-3517) OpenStack Security Advisory: 2014-024 CVE: CVE-2014-3517 Date: July 17, 2014 Title: Use of non-constant time comparison operation Reporter: Alex Gaynor (Rackspace) Products: Nova Versions: Up to 2013.2.3, and 2014.1 to 2014.1.1 Alex Gaynor from Rackspace reported a timing attack vulnerability in Nova. By analyzing response times to requests for instance metadata, an attacker may be able to guess a valid instance ID signature. This could allow access to important configuration details of another instance. Only setups configured to proxy metadata requests via Neutron are affected. Juno (development branch) fix: https://review.openstack.org/107396 Icehouse https://review.openstack.org/107397 Havana https://review.openstack.org/107398 Notes: This fix will be included in the Juno-2 development milestone and in future 2013.2.4 and 2014.1.2 releases References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3517 https://launchpad.net/bugs/1325128 -- Grant Murphy OpenStack Vulnerability Management Team [ CONTENT OF TYPE application/pgp-signature SKIPPED ]
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ