[Secure-testing-team] Bug#755042: CVE-2014-3517: Use of non-constant time comparison operation

[Thomas Goirand]

Source: nova
Version: 2014.1.1-7
Severity: important
Tags: security patch

Opening this bug before uploading the security fix. OpenStack pre-announce
is below.

Thomas Goirand (zigo)

CVE-2014-3517 pre-announce text:

This is an advance warning of a vulnerability discovered in OpenStack, 
to give you, as downstream stakeholders, a chance to coordinate the 
release of fixes and reduce the vulnerability window. Please treat the 
following information as confidential until the proposed public
disclosure date.

Title: Use of non-constant time comparison operation
Reporter: Alex Gaynor (Rackspace)
Products: Nova
Versions: Up to 2013.2.3, and 2014.1 to 2014.1.1

Alex Gaynor from Rackspace reported a timing attack vulnerability in Nova.
By analyzing response times to requests for instance metadata, an attacker
may be able to guess a valid instance ID signature. This could allow access
to important configuration details of another instance. Only setups
configured to proxy metadata requests via Neutron are affected.

Proposed patch:
See attached patches. Unless a flaw is discovered in them, these patches
will be merged to stable/havana, stable/icehouse and master (Juno 
development branch) on the public disclosure date.

CVE: CVE-2014-3517 

Proposed public disclosure date/time:
2014-07-16, 1500UTC
Please do not make the issue public (or release public patches) before
this coordinated embargo date.

Regards,

Grant Murphy
OpenStack Vulnerability Management Team