Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 507380 (CVE-2014-0167) - <sys-cluster/nova-2013.2.3-r1 : RBAC policy not properly enforced in Nova EC2 API (CVE-2014-0167) (OSSA 2014-011)
Summary: <sys-cluster/nova-2013.2.3-r1 : RBAC policy not properly enforced in Nova EC2...
Alias: CVE-2014-0167
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal trivial (vote)
Assignee: Gentoo Security
Whiteboard: ~3 [noglsa]
Depends on:
Reported: 2014-04-11 07:52 UTC by Agostino Sarubbo
Modified: 2014-04-11 15:48 UTC (History)
0 users

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2014-04-11 07:52:10 UTC
From ${URL} :

OpenStack Security Advisory: 2014-011
CVE: CVE-2014-0167
Date: April 09, 2014
Title: RBAC policy not properly enforced in Nova EC2 API
Reporter: Marc Heckmann (Ubisoft)
Products: Nova
Versions: from 2013.1 to 2013.2.3

Marc Heckmann from Ubisoft reported a vulnerability in the Nova EC2 API
security group implementation. RBAC policies are not enforced when using
the EC2 API, in particular the add_rules, remove_rules and destroy
methods. A restricted user may overcome his limitation by using EC2 API
resulting in unauthorized action on security groups. Only setups using
non-default RBAC rules for Nova may be affected.

Juno (development branch) fix:

Icehouse (milestone-proposed branch) fix:

Havana fix:

This fix will be included in the icehouse-rc2 development milestone and
in a future 2013.2.4 release.


@maintainer(s): since the package has never been marked as stable, we don't need to stabilize it. After the bump, please remove the affected versions from the tree.
Comment 1 Matthew Thode ( prometheanfire ) archtester Gentoo Infrastructure gentoo-dev Security 2014-04-11 15:17:25 UTC
fix in tree, vulnerable versions removed.
Comment 2 Agostino Sarubbo gentoo-dev 2014-04-11 15:48:04 UTC
Closing as noglsa.