[PKG-Openstack-devel] Bug#744051: CVE-2014-0167: RBAC policy not properly enforced in Nova EC2 API

Thomas Goirand zigo at debian.org
Wed Apr 9 16:01:53 UTC 2014


Source: nova
Version: 2013.2.2-4
Severity: important
Tags: security

Reporter: Marc Heckmann (Ubisoft)
Products: Nova
Versions: 2013.1 versions up to 2013.2.3

Description:
Marc Heckmann from Ubisoft reported a vulnerability in the Nova EC2 API
security group implementation. RBAC policies are not enforced when using
the EC2 API, in particular the add_rules, remove_rules and destroy
methods. A restricted user may overcome his limitation by using EC2 API
resulting in unauthorized action on security groups. Only setups using
non-default RBAC rules for Nova may be affected.



More information about the Openstack-devel mailing list