OSSA-2012-001: Tenant bypass by authenticated users using OpenStack API

Date: January 11, 2012
CVE: CVE-2012-0030

Affects

  • Nova: 2011.3, Essex

Description

Nachi Ueno (NTT PF lab), Rohit Karajgi (Vertex) and Venkatesan Ravikumar (HP) discovered a vulnerability in Nova API nodes' handling of incoming requests. An authenticated user may craft malicious commands to affect resources on tenants he is not a member of, potentially leading to incorrect billing, quota escaping or compromise of computing resources created by a third party. Only setups allowing the OpenStack API are affected.

Credits

  • Nachi Ueno from NTT PF lab (CVE-2012-0030)
  • Rohit Karajgi from Vertex (CVE-2012-0030)
  • Venkatesan Ravikumar from HP (CVE-2012-0030)

Except where otherwise noted, this document is licensed under Creative Commons Attribution 3.0 License.