OSSA-2014-024: Use of non-constant time comparison operation

Date: July 17, 2014


  • Nova: Up to 2013.2.3, and 2014.1 to 2014.1.1


Alex Gaynor from Rackspace reported a timing attack vulnerability in Nova. By analyzing response times to requests for instance metadata, an attacker may be able to guess a valid instance ID signature. This could allow access to important configuration details of another instance. Only setups configured to proxy metadata requests via Neutron are affected.
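The class of bug described above, shown as an added example (not Nova's code, and not part of the original advisory): an early-exit string comparison does work proportional to the matching prefix of a guess, while a constant-time comparison does not. The HMAC-SHA256 hex signature scheme, the secret, the instance ID and all function names are assumptions made for illustration.

```python
import hashlib
import hmac

# Constructed sample values, not taken from any real deployment.
SHARED_SECRET = b"example-proxy-shared-secret"
INSTANCE_ID = "11111111-2222-3333-4444-555555555555"


def sign_instance_id(secret, instance_id):
    """Hex HMAC-SHA256 over the instance ID (assumed signature scheme)."""
    return hmac.new(secret, instance_id.encode(), hashlib.sha256).hexdigest()


def naive_equal_steps(expected, supplied):
    """Model of `expected == supplied`, which stops at the first mismatch.

    Returns (result, characters examined). The second value stands in for
    response time: it grows with the length of the correct prefix.
    """
    if len(expected) != len(supplied):
        return False, 0
    for i, (a, b) in enumerate(zip(expected, supplied), start=1):
        if a != b:
            return False, i
    return True, len(expected)


def wrong_with_prefix(expected, n):
    """Build an invalid signature that agrees with `expected` on n characters."""
    flipped = "0" if expected[n] != "0" else "1"
    return expected[:n] + flipped + expected[n + 1:]


def verify_signature(secret, instance_id, supplied):
    """Hardened check: hmac.compare_digest does not exit early on a mismatch.

    Both sides are encoded to bytes so that a non-ASCII header value is
    rejected cleanly instead of raising TypeError.
    """
    expected = sign_instance_id(secret, instance_id)
    return hmac.compare_digest(expected.encode(), supplied.encode("utf-8"))


if __name__ == "__main__":
    good = sign_instance_id(SHARED_SECRET, INSTANCE_ID)
    for n in (0, 8, 32):
        print(n, naive_equal_steps(good, wrong_with_prefix(good, n)))
    print(verify_signature(SHARED_SECRET, INSTANCE_ID, good))
```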


  • Alex Gaynor from Rackspace (CVE-2014-3517)