Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20140717083635.GA9631@lappy.redhat.com>
Date: Thu, 17 Jul 2014 18:36:47 +1000
From: Grant Murphy <gmurphy@...hat.com>
To: oss-security@...ts.openwall.com
Subject: [OSSA 2014-024] Use of non-constant time comparison operation
 (CVE-2014-3517)

OpenStack Security Advisory: 2014-024
CVE: CVE-2014-3517
Date: July 17, 2014
Title: Use of non-constant time comparison operation
Reporter: Alex Gaynor (Rackspace)
Products: Nova
Versions: Up to 2013.2.3, and 2014.1 to 2014.1.1

Alex Gaynor from Rackspace reported a timing attack vulnerability in Nova.  
By analyzing response times to requests for instance metadata, an attacker 
may be able to guess a valid instance ID signature. This could allow access 
to important configuration details of another instance. Only setups 
configured to proxy metadata requests via Neutron are affected.

Juno (development branch) fix:
https://review.openstack.org/107396

Icehouse
https://review.openstack.org/107397

Havana
https://review.openstack.org/107398

Notes:
This fix will be included in the Juno-2 development milestone and in future 
2013.2.4 and 2014.1.2 releases

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3517
https://launchpad.net/bugs/1325128

-- 
Grant Murphy
OpenStack Vulnerability Management Team

Content of type "application/pgp-signature" skipped

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.