Home page logo
/

oss-sec logo oss-sec mailing list archives

Re: CVE request: nova
From: Kurt Seifried <kseifried () redhat com>
Date: Tue, 25 Oct 2011 14:27:56 -0600

On 10/25/2011 11:11 AM, Jamie Strandboge wrote:
A flaw was discovered in OpenStack nova[1] which allows someone with
access to an EC2_ACCESS_KEY (equivalent to a username) to obtain the
EC2_SECRET_KEY (equivalent to a password). While the EC2_ACCESS_KEY is
typically not public, if the user exposes it via http or tools that
allow MITM over https, then an attacker could obtain the EC2_SECRET_KEY
easily. An attacker could also presumably brute force values for
EC2_ACCESS_KEY.

Fix:
https://review.openstack.org/#change,794

[1]https://launchpad.net/bugs/868360

Please use CVE-2011-4076 for this issue

-- 

-Kurt Seifried / Red Hat Security Response Team


  By Date           By Thread  

Current thread:
  • CVE request: nova Jamie Strandboge (Oct 25)
    • Re: CVE request: nova Kurt Seifried (Oct 25)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]