OSSA-2011-001: Path traversal issues registering malicious images using EC2 API

Date

December 13, 2011

CVE

CVE-2011-4596

Affects

  • Nova: All versions

Description

David Black reported two issues in OpenStack Nova’s support for the EC2 RegisterImage action. By registering images from malicious tarballs or manifests, an attacker could potentially traverse directories and overwrite files with the rights of the user Nova runs under. Only setups allowing the EC2 API and the S3/RegisterImage method for registering images are affected.

Credits

  • David Black (CVE-2011-4596)

Creative Commons Attribution 3.0 License

Except where otherwise noted, this document is licensed under Creative Commons Attribution 3.0 License.