OSSA-2014-011: RBAC policy not properly enforced in Nova EC2 API

OSSA-2014-011: RBAC policy not properly enforced in Nova EC2 API¶

Date:: April 09, 2014
CVE:: CVE-2014-0167

Affects¶

Nova: from 2013.1 to 2013.2.3

Description¶

Marc Heckmann from Ubisoft reported a vulnerability in the Nova EC2 API security group implementation. RBAC policies are not enforced when using the EC2 API, in particular the add_rules, remove_rules and destroy methods. A restricted user may overcome his limitation by using EC2 API resulting in unauthorized action on security groups. Only setups using non-default RBAC rules for Nova may be affected.

Patches¶

https://review.openstack.org/#/c/86361 (Havana)
https://review.openstack.org/#/c/86360 (Icehouse)
https://review.openstack.org/#/c/86358 (Juno)

Credits¶

Marc Heckmann from Ubisoft (CVE-2014-0167)

References¶

this page last updated: 2024-03-18 15:52:07

Except where otherwise noted, this document is licensed under Creative Commons Attribution 3.0 License. See all OpenStack Legal Documents.