OSSA-2013-034: Heat CFN policy rules not all enforced

Date:

December 11, 2013

CVE:

CVE-2013-6426

Affects

  • Heat: All supported releases

Description

Steven Hardy from Red Hat reported a vulnerability in Heat’s default API policy enforcement. By calling the CreateStack or UpdateStack methods, an in-instance user may be able to create or update a stack in violation of the default policy. Only setups using Heat’s cloudformation-compatible API are affected.

Patches

Credits

  • Steven Hardy from Red Hat (CVE-2013-6426)

References