OSSA-2014-011: RBAC policy not properly enforced in Nova EC2 API

Date:April 09, 2014


  • Nova: from 2013.1 to 2013.2.3


Marc Heckmann from Ubisoft reported a vulnerability in the Nova EC2 API security group implementation. RBAC policies are not enforced when using the EC2 API, in particular the add_rules, remove_rules and destroy methods. A restricted user may overcome his limitation by using EC2 API resulting in unauthorized action on security groups. Only setups using non-default RBAC rules for Nova may be affected.


  • Marc Heckmann from Ubisoft (CVE-2014-0167)