[Secure-testing-team] Bug#744051: CVE-2014-0167: RBAC policy not properly enforced in Nova EC2 API

Thomas Goirand zigo at debian.org
Wed Apr 9 16:01:53 UTC 2014


Source: nova
Version: 2013.2.2-4
Severity: important
Tags: security

Reporter: Marc Heckmann (Ubisoft)
Products: Nova
Versions: 2013.1 versions up to 2013.2.3

Description:
Marc Heckmann from Ubisoft reported a vulnerability in the Nova EC2 API
security group implementation. RBAC policies are not enforced when using
the EC2 API, in particular the add_rules, remove_rules and destroy
methods. A restricted user may overcome his limitation by using the EC2 API,
resulting in unauthorized action on security groups. Only setups using
non-default RBAC rules for Nova may be affected.
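
The class of flaw described above, as an added example that is not part of the original report and is not Nova's code or its patch: two API front ends reach the same security group backend, and a policy check that lives in only one front end is skipped on the other path. All names, roles and rules here are constructed assumptions.

```python
# Toy model of the bug class (constructed; not Nova's code or its patch).
class PolicyNotAuthorized(Exception):
    pass

# Constructed non-default RBAC rules: only "netadmin" may change security groups.
POLICY = {"security_groups:" + a: {"netadmin"}
          for a in ("add_rules", "remove_rules", "destroy")}

def enforce(ctx, action):
    """Raise unless one of the caller's roles is allowed to perform action."""
    if not POLICY[action] & set(ctx["roles"]):
        raise PolicyNotAuthorized(action)

class SecurityGroupBackend:
    """Shared layer that both API front ends call into."""
    def __init__(self, enforce_policy):
        self.enforce_policy = enforce_policy
        self.groups = {"web": []}

    def _check(self, ctx, action):
        if self.enforce_policy:
            enforce(ctx, "security_groups:" + action)

    def add_rules(self, ctx, group, rules):
        self._check(ctx, "add_rules")
        self.groups[group].extend(rules)

    def destroy(self, ctx, group):
        self._check(ctx, "destroy")
        del self.groups[group]

def native_add(backend, ctx, group, rules):
    enforce(ctx, "security_groups:add_rules")  # this front end checks policy itself
    backend.add_rules(ctx, group, rules)

def ec2_add(backend, ctx, group, rules):
    backend.add_rules(ctx, group, rules)       # this one relies on the layer below

def attempt(call, *args):
    try:
        call(*args)
        return "allowed"
    except PolicyNotAuthorized:
        return "denied"

def compare(ctx):
    """(native, ec2) outcome with checks in one front end only vs. in the shared layer."""
    return {name: tuple(attempt(f, SecurityGroupBackend(on), ctx, "web", ["tcp/22"])
                        for f in (native_add, ec2_add))
            for name, on in (("front_end_only", False), ("shared_layer", True))}
```

With the check in the shared layer, a restricted caller gets the same answer on both paths, which is the property to test for whenever a second API is added in front of an existing backend.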


