Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [day] [month] [year] [list]
Date: Thu, 17 Jul 2014 18:36:47 +1000
From: Grant Murphy <gmurphy@...hat.com>
To: oss-security@...ts.openwall.com
Subject: [OSSA 2014-024] Use of non-constant time comparison operation
 (CVE-2014-3517)

OpenStack Security Advisory: 2014-024
CVE: CVE-2014-3517
Date: July 17, 2014
Title: Use of non-constant time comparison operation
Reporter: Alex Gaynor (Rackspace)
Products: Nova
Versions: Up to 2013.2.3, and 2014.1 to 2014.1.1

Alex Gaynor from Rackspace reported a timing attack vulnerability in Nova.  
By analyzing response times to requests for instance metadata, an attacker 
may be able to guess a valid instance ID signature. This could allow access 
to important configuration details of another instance. Only setups 
configured to proxy metadata requests via Neutron are affected.

Juno (development branch) fix:
https://review.openstack.org/107396

Icehouse
https://review.openstack.org/107397

Havana
https://review.openstack.org/107398

Notes:
This fix will be included in the Juno-2 development milestone and in future 
2013.2.4 and 2014.1.2 releases

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3517
https://launchpad.net/bugs/1325128

-- 
Grant Murphy
OpenStack Vulnerability Management Team

[ CONTENT OF TYPE application/pgp-signature SKIPPED ]

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ