OSSA-2012-001: Tenant bypass by authenticated users using OpenStack API

Date

January 11, 2012

CVE

CVE-2012-0030

Affects

  • Nova: 2011.3, Essex

Description

Nachi Ueno (NTT PF lab), Rohit Karajgi (Vertex) and Venkatesan Ravikumar (HP) discovered a vulnerability in Nova API nodes handling of incoming requests. An authenticated user may craft malicious commands to affect resources on tenants he is not a member of, potentially leading to incorrect billing, quota escaping or compromise of computing resources created by a third-party. Only setups allowing the OpenStack API are affected.

Credits

  • Nachi Ueno from NTT PF lab (CVE-2012-0030)

  • Rohit Karajgi from Vertex (CVE-2012-0030)

  • Venkatesan Ravikumar from HP (CVE-2012-0030)