Date: Thu, 17 Jul 2014 18:36:47 +1000 From: Grant Murphy <gmurphy@...hat.com> To: oss-security@...ts.openwall.com Subject: [OSSA 2014-024] Use of non-constant time comparison operation (CVE-2014-3517) OpenStack Security Advisory: 2014-024 CVE: CVE-2014-3517 Date: July 17, 2014 Title: Use of non-constant time comparison operation Reporter: Alex Gaynor (Rackspace) Products: Nova Versions: Up to 2013.2.3, and 2014.1 to 2014.1.1 Alex Gaynor from Rackspace reported a timing attack vulnerability in Nova. By analyzing response times to requests for instance metadata, an attacker may be able to guess a valid instance ID signature. This could allow access to important configuration details of another instance. Only setups configured to proxy metadata requests via Neutron are affected. Juno (development branch) fix: https://review.openstack.org/107396 Icehouse https://review.openstack.org/107397 Havana https://review.openstack.org/107398 Notes: This fix will be included in the Juno-2 development milestone and in future 2013.2.4 and 2014.1.2 releases References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3517 https://launchpad.net/bugs/1325128 -- Grant Murphy OpenStack Vulnerability Management Team Content of type "application/pgp-signature" skipped
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.