OSSA-2014-024: Use of non-constant time comparison operation

Date:

July 17, 2014

CVE:

CVE-2014-3517

Affects

  • Nova: Up to 2013.2.3, and 2014.1 to 2014.1.1

Description

Alex Gaynor from Rackspace reported a timing attack vulnerability in Nova. By analyzing response times to requests for instance metadata, an attacker may be able to guess a valid instance ID signature. This could allow access to important configuration details of another instance. Only setups configured to proxy metadata requests via Neutron are affected.
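The class of bug named in the title, shown as an added example (not Nova's code and not part of the original advisory). It assumes the instance ID signature is a hex HMAC-SHA256 of the instance ID under a shared secret; all function names and sample values are hypothetical. It places an ordinary comparison beside a constant-time one and models why the former's work depends on how much of the supplied value is correct.

```python
import hashlib
import hmac

# Constructed sample values; not taken from any real deployment.
SHARED_SECRET = b"example-proxy-shared-secret"
INSTANCE_ID = b"11111111-2222-3333-4444-555555555555"


def sign_instance_id(secret: bytes, instance_id: bytes) -> str:
    """Assumed signature scheme: hex HMAC-SHA256 of the instance ID."""
    return hmac.new(secret, instance_id, hashlib.sha256).hexdigest()


def early_exit_steps(expected: str, provided: str) -> int:
    """Model of an ordinary equality check: count characters examined
    before the first mismatch. The count, and so the running time,
    grows with the length of the correct prefix the caller supplied."""
    steps = 0
    for a, b in zip(expected, provided):
        steps += 1
        if a != b:
            break
    return steps


def verify_vulnerable(secret: bytes, instance_id: bytes, provided_sig: str) -> bool:
    # Non-constant-time pattern: plain == on a secret-derived value.
    return sign_instance_id(secret, instance_id) == provided_sig


def verify_hardened(secret: bytes, instance_id: bytes, provided_sig: str) -> bool:
    # hmac.compare_digest takes time independent of where the inputs differ.
    expected = sign_instance_id(secret, instance_id)
    return hmac.compare_digest(expected.encode(), provided_sig.encode())


if __name__ == "__main__":
    good = sign_instance_id(SHARED_SECRET, INSTANCE_ID)
    wrong_first = ("0" if good[0] != "0" else "1") + good[1:]
    wrong_last = good[:-1] + ("0" if good[-1] != "0" else "1")
    print(early_exit_steps(good, wrong_first))  # stops at the first character
    print(early_exit_steps(good, wrong_last))   # runs to the final character
    print(verify_hardened(SHARED_SECRET, INSTANCE_ID, good))
    print(verify_hardened(SHARED_SECRET, INSTANCE_ID, wrong_last))
```

When reviewing code for this pattern, look for `==` or `!=` applied to MACs, tokens or signatures and replace it with `hmac.compare_digest` or the project's equivalent helper.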

Patches

Credits

  • Alex Gaynor from Rackspace (CVE-2014-3517)

References