OpenStack Security Advisories

• OSSA-2024-004: Ironic fails to verify checksums of supplied image_source URLs when configured to convert images to raw for streaming
• OSSA-2024-003: Unvalidated image data passed to qemu-img
• OSSA-2024-002: Incomplete file access fix and regression for QCOW2 backing files and VMDK flat descriptors
• OSSA-2024-001: Arbitrary file access through custom QCOW2 external data
• OSSA-2023-003: Unauthorized volume access through deleted volume attachments
• OSSA-2023-002: Arbitrary file access through custom VMDK flat descriptor
• OSSA-2023-001: Arbitrary file access through custom S3 XML entities
• OSSA-2021-006: Routes middleware memory leak for nonexistent controllers
• OSSA-2021-005: Arbitrary dnsmasq reconfiguration via extra_dhcp_opts
• OSSA-2021-004: Linuxbridge ARP filter bypass on Netfilter platforms
• OSSA-2021-003: Account name and UUID oracles in account locking
• OSSA-2021-002: Open Redirect in noVNC proxy
• OSSA-2021-001: Anti-spoofing bypass for Open vSwitch networks
• OSSA-2020-008: Open redirect in workflow forms
• OSSA-2020-007: Remote code execution in blazar-dashboard
• OSSA-2020-006: Live migration fails to update persistent domain XML
• OSSA-2020-005: OAuth1 request token authorize silently ignores roles parameter
• OSSA-2020-004: Keystone credential endpoints allow owner modification and are not protected from a scoped context
• OSSA-2020-003: Keystone does not check signature TTL of the EC2 credential auth method
• OSSA-2020-002: Unprivileged users can retrieve, use and manipulate share networks
• OSSA-2020-001: Nova can leak consoleauth token into log files
• OSSA-2019-006: Credentials API allows listing and retrieving of all users credentials
• OSSA-2019-005: Octavia Amphora-Agent not requiring Client-Certificate
• OSSA-2019-004: Ageing time of 0 disables linuxbridge MAC learning
• OSSA-2019-003: Nova Server Resource Faults Leak External Exception Details
• OSSA-2019-002: Overlapping security group rules prevents compute node network configuration
• OSSA-2019-001: Unsupported dport option prevents applying security groups
• OSSA-2018-002: GET /v3/OS-FEDERATION/projects leaks project information
• OSSA-2018-001: Raw underlying encrypted volume access
• OSSA-2017-006: Nova FilterScheduler doubles resource allocations during rebuild with new image
• OSSA-2017-005: Nova Filter Scheduler bypass through rebuild action
• OSSA-2017-004: Incorrect role assignment with federated Keystone
• OSSA-2017-003: XSS in Horizon federation mappings UI
• OSSA-2017-002: Nova logs sensitive context from notification exceptions
• OSSA-2017-001: CatchErrors leaks sensitive values in oslo.middleware
• OSSA-2016-013: Network information disclosure through Heat template source URL
• OSSA-2016-012: Malicious qemu-img input may exhaust resources in Cinder, Glance, Nova
• OSSA-2016-011: Nova may fail to delete images in resize state regression
• OSSA-2016-010: XSS in Horizon client side template
• OSSA-2016-009: Neutron IPTables firewall anti-spoof protection bypass
• OSSA-2016-008: Incorrect Audit IDs in Keystone Fernet Tokens can result in revocation bypass
• OSSA-2016-007: Nova host data leak through resize/migration
• OSSA-2016-006: Glance image status manipulation through locations removal
• OSSA-2016-005: Potential reuse of revoked Identity tokens
• OSSA-2016-004: Swift proxy-server DoS through Large Object
• OSSA-2016-003: Heat denial of service through template-validate
• OSSA-2016-002: Xen connection password leak in logs via StorageError
• OSSA-2016-001: Nova host data leak through snapshot
• OSSA-2015-021: Nova network security group changes are not applied to running instances
• OSSA-2015-020: Glance storage overrun
• OSSA-2015-019: Glance image status manipulation
• OSSA-2015-018: Neutron firewall rules bypass through port update
• OSSA-2015-017: Nova may fail to delete images in resize state
• OSSA-2015-016: Information leak via Swift tempurls
• OSSA-2015-015: Nova instance migration process does not stop when instance is deleted
• OSSA-2015-014: Glance v2 API host file disclosure through qcow2 backing file
• OSSA-2015-013: Glance task flow may fail to delete image from backend
• OSSA-2015-012: Neutron L2 agent DoS through incorrect allowed address pairs
• OSSA-2015-011: Cinder host file disclosure through qcow2 backing file
• OSSA-2015-010: XSS in Horizon Heat stack creation
• OSSA-2015-009: Persistent XSS in Horizon metadata dashboard
• OSSA-2015-008: Potential Keystone cache backend password leak in log
• OSSA-2015-007: S3Token TLS cert verification option not honored
• OSSA-2015-006: Unauthorized delete of versioned Swift object
• OSSA-2015-005: Nova console Cross-Site WebSocket hijacking
• OSSA-2015-004: Glance import task leaks image in backend
• OSSA-2015-003: Glance user storage quota bypass
• OSSA-2015-002: Glance v2 API unrestricted path traversal through filesystem:// scheme
• OSSA-2015-001: L3 agent denial of service with radvd 2.0+
• OSSA-2014-041: Glance v2 API unrestricted path traversal
• OSSA-2014-040: Horizon denial of service attack through login page
• OSSA-2014-039: Neutron DoS through invalid DNS configuration
• OSSA-2014-038: Nova network DoS through API filtering
• OSSA-2014-037: Nova VMware instance in resize state may leak
• OSSA-2014-036: Potential leak of passwords into log files
• OSSA-2014-035: Nova VMware driver may connect VNC to another tenant’s console
• OSSA-2014-034: Swift metadata constraints are not correctly enforced
• OSSA-2014-033: Cinder-volume host data leak to vm instance
• OSSA-2014-032: Nova VMware driver still leaks rescued images
• OSSA-2014-031: Admin-only network attributes may be reset to defaults by non-privileged users
• OSSA-2014-030: TLS cert verification option not honoured in paste configs
• OSSA-2014-029: Configuration option leak through Keystone catalog
• OSSA-2014-028: Glance store DoS through disk space exhaustion
• OSSA-2014-027: Persistent XSS in Horizon Host Aggregates interface
• OSSA-2014-026: Multiple vulnerabilities in Keystone revocation events
• OSSA-2014-025: Denial of Service in Neutron allowed address pair
• OSSA-2014-024: Use of non-constant time comparison operation
• OSSA-2014-023: Multiple XSS vulnerabilities in Horizon
• OSSA-2014-022: Keystone V2 trusts privilege escalation through user supplied
• OSSA-2014-021: User token leak to message queue in pyCADF notifier middleware
• OSSA-2014-020: XSS in Swift requests through WWW-Authenticate header
• OSSA-2014-019: Neutron L3-agent DoS through IPv6 subnet
• OSSA-2014-018: Keystone privilege escalation through trust chained delegation
• OSSA-2014-017: Nova VMware driver leaks rescued images
• OSSA-2014-016: Heat template URL information leakage
• OSSA-2014-015: Keystone user and group id mismatch
• OSSA-2014-014: Neutron security groups bypass through invalid CIDR
• OSSA-2014-013: Keystone DoS through V3 API authentication chaining
• OSSA-2014-012: Remote code execution in Glance Sheepdog backend
• OSSA-2014-011: RBAC policy not properly enforced in Nova EC2 API
• OSSA-2014-010: XSS in Horizon orchestration dashboard
• OSSA-2014-009: Nova host data leak to vm instance in rescue mode
• OSSA-2014-008: Routers can be cross plugged by other tenants
• OSSA-2014-007: Potential context confusion in Keystone middleware
• OSSA-2014-006: Trustee token revocation does not work with memcache backend
• OSSA-2014-005: Missing SSL certificate check in Python Swift client
• OSSA-2014-004: Glance Swift store backend password leak
• OSSA-2014-003: Live migration can leak root disk into ephemeral storage
• OSSA-2014-002: Swift TempURL timing attack
• OSSA-2014-001: Nova live snapshots use an insecure local directory
• OSSA-2013-037: Nova compute DoS through ephemeral disk backing files
• OSSA-2013-036: Insufficient sanitization of Instance Name in Horizon
• OSSA-2013-035: Heat ReST API doesn’t respect tenant scoping
• OSSA-2013-034: Heat CFN policy rules not all enforced
• OSSA-2013-033: Metadata queries from Neutron to Nova are not restricted by tenant
• OSSA-2013-032: Keystone trust circumvention through EC2-style tokens
• OSSA-2013-031: Ceilometer DB2/MongoDB backend password leak
• OSSA-2013-030: XenAPI security groups not kept through migrate or resize
• OSSA-2013-029: Potential Nova denial of service through compressed disk images
• OSSA-2013-028: Unintentional role granting with Keystone LDAP backend
• OSSA-2013-027: Glance image_download policy not enforced for cached images
• OSSA-2013-026: Potential denial of service on Nova when using Qpid
• OSSA-2013-025: Token revocation failure using Keystone memcache/KVS backends
• OSSA-2013-024: Resource limit circumvention in Nova private flavors
• OSSA-2013-023: Denial of Service using XML entities in Nova/Cinder extensions
• OSSA-2013-022: Swift Denial of Service using superfluous object tombstones
• OSSA-2013-021: Cinder LVM volume driver does not support secure deletion
• OSSA-2013-020: Denial of Service in Nova network source security groups
• OSSA-2013-019: Resource limit circumvention in Nova private flavors
• OSSA-2013-018: Missing SSL certificate check in Python glance client
• OSSA-2013-017: Issues in Keystone middleware memcache signing/encryption feature
• OSSA-2013-016: Unchecked user input in Swift XML responses
• OSSA-2013-015: Authentication bypass when using LDAP backend
• OSSA-2013-014: Missing expiration check in Keystone PKI tokens validation
• OSSA-2013-013: Keystone client local information disclosure
• OSSA-2013-012: Nova fails to verify image virtual size
• OSSA-2013-011: Keystone tokens not immediately invalidated when user is deleted
• OSSA-2013-010: Nova uses insecure keystone middleware tmpdir by default
• OSSA-2013-009: Keystone PKI tokens online validation bypasses revocation check
• OSSA-2013-008: Nova DoS by allocating all Fixed IPs
• OSSA-2013-007: Backend credentials leak in Glance v1 API
• OSSA-2013-006: VNC proxy can connect to the wrong VM
• OSSA-2013-005: EC2-style authentication accepts disabled user/tenants
• OSSA-2013-004: Information leak and Denial of Service using XML entities
• OSSA-2013-003: Keystone denial of service through invalid token requests
• OSSA-2013-002: Backend password leak in Glance error message
• OSSA-2013-001: Boot from volume allows access to random volumes
• OSSA-2012-020: Information leak in libvirt LVM-backed instances
• OSSA-2012-019: Extension of token validity through token chaining
• OSSA-2012-018: EC2-style credentials invalidation issue
• OSSA-2012-017: Authentication bypass for image deletion
• OSSA-2012-016: Token authorization for a user in a disabled tenant is allowed
• OSSA-2012-015: Some actions in Keystone admin API do not validate token
• OSSA-2012-014: Revoking a role does not affect existing tokens
• OSSA-2012-013: Lack of authorization for adding users to tenants
• OSSA-2012-012: Open redirect through ‘next’ parameter
• OSSA-2012-011: Compute node filesystem injection/corruption
• OSSA-2012-010: Various Keystone token expiration issues
• OSSA-2012-009: Scheduler denial of service through scheduler_hints
• OSSA-2012-008: Arbitrary file injection/corruption through directory traversal
• OSSA-2012-007: Security groups fail to be set correctly
• OSSA-2012-006: Horizon session fixation and reuse
• OSSA-2012-005: No quota enforced on security group rules
• OSSA-2012-004: XSS vulnerability in Horizon log viewer
• OSSA-2012-003: Long server names grow nova-api log files significantly
• OSSA-2012-002: Extremely long passwords can crash Keystone
• OSSA-2012-001: Tenant bypass by authenticated users using OpenStack API
• OSSA-2011-001: Path traversal issues registering malicious images using EC2 API