OSSA-2014-024: Use of non-constant time comparison operation

Date: July 17, 2014
CVE: CVE-2014-3517

Affects

  • Nova: Up to 2013.2.3, and 2014.1 to 2014.1.1

Description

Alex Gaynor from Rackspace reported a timing attack vulnerability in Nova. By analyzing response times to requests for instance metadata, an attacker may be able to guess a valid instance ID signature. This could allow access to important configuration details of another instance. Only setups configured to proxy metadata requests via Neutron are affected.
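The class of bug described above, shown as an added example that is not Nova's own code: an ordinary equality check on a signature beside a constant-time check. It assumes the signature is a hex-encoded HMAC-SHA256 of the instance ID under a shared secret; the function names, secret and instance ID are constructed for illustration.

```python
import hashlib
import hmac

# Constructed sample values; the secret and instance ID are placeholders.
SHARED_SECRET = b"example-shared-secret"
INSTANCE_ID = "0a1b2c3d-0000-4000-8000-constructed0001"


def sign_instance_id(instance_id, secret=SHARED_SECRET):
    """HMAC-SHA256 over the instance ID, hex encoded (assumed scheme)."""
    return hmac.new(secret, instance_id.encode(), hashlib.sha256).hexdigest()


def early_exit_steps(expected, provided):
    """Model of an ordinary == comparison: count the characters examined
    before it returns. The count grows with the length of the matching
    prefix, which is the data-dependent work a timing attack observes."""
    if len(expected) != len(provided):
        return 0
    steps = 0
    for a, b in zip(expected, provided):
        steps += 1
        if a != b:
            break
    return steps


def verify_vulnerable(instance_id, provided_sig):
    # Before: string equality stops at the first differing character.
    return sign_instance_id(instance_id) == provided_sig


def verify_hardened(instance_id, provided_sig):
    # After: compare_digest avoids content-based short circuiting, so the
    # duration does not depend on where the two values first differ.
    expected = sign_instance_id(instance_id).encode()
    try:
        candidate = provided_sig.encode("ascii")
    except (AttributeError, UnicodeEncodeError):
        return False  # missing or non-ASCII header value
    return hmac.compare_digest(expected, candidate)
```

`early_exit_steps` exists only to make the leak visible as a number; a real check needs just the `verify_hardened` path.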

Credits

  • Alex Gaynor from Rackspace (CVE-2014-3517)

Except where otherwise noted, this document is licensed under Creative Commons Attribution 3.0 License. See all OpenStack Legal Documents.